2016 October -- Responding to Russian Cybersecurity Provocations -- Cipher Brief
TUESDAY OCTOBER 25, 2016
EXPERT COMMENTARY
Responding to Russian Cyber-Provocations
OCTOBER 23, 2016 | ETHAN S. BURGER AND DONALD M. JENSEN
ETHAN S. BURGER
VISITING PROFESSOR, FULBRIGHT FOUNDATION GRANTEE, VILNIUS UNIVERSITY
DONALD N. JENSEN
SENIOR FELLOW, CENTER FOR TRANSATLANTIC RELATIONS, JOHNS HOPKINS SAIS
Most political leaders understand that governments that fail to respond to public
provocations by foreign states do so at their own risk. In recent years, the U.S. and some
of its allies (such as Australia, Estonia, Germany, Lithuania, and the U.K.) have
been subjected to repeated, sophisticated, and costly cyber-attacks, emanating from
Russia, China, Iran, and North Korea. These waves of attacks have become the “new
normal.”
It is difficult, if not impossible, to determine reliably the lines separating the actions of a
state, its proxies, organized criminal groups, and its business sector. Cyber-attackers can,
to some degree, engage in aggressive cyber-behavior while remaining anonymous. For
example, Russian President Vladimir Putin and his coterie may engage multiple
intermediaries so that the numerous degrees of separation between the Kremlin and the
direct attackers cannot be traced.
Earlier this month, the Obama Administration announced that it was confident that the
Russian government directed the recent theft of emails from the Democratic National
Committee, which were later published on anti-secrecy website WikiLeaks.
President Barack Obama is now considering a range of retaliatory diplomatic,
informational, military, and economic options. The White House has indicated that the
U.S. response would be proportional and may not be announced publicly. Unfortunately,
the U.S. Government will not always be able to attribute particular cyber-attacks to
specific states or criminal groups.
This problem of attribution allows states to act through proxies so that they can have
‘plausible’ deniability and thus avoid significant retaliation. A further complicating factor
is that covert actions and intelligence do not qualify as the “unlawful” use of force under
international law. Furthermore, limited “counterattacks” against Russia’s cyber-forces
would neither reduce the threat of its further offensive operations against the U.S. nor be
likely to have a deterrent effect.
Massive cyber-retaliation could lead to further escalation, including even the use of
nuclear weapons and thus represents an unjustifiable risk. This situation seemingly
encourages aggressors, especially those who are not overly concerned about domestic and
international political opinion or the cost in human life of thermonuclear war.
The existence of cyber conflict short of war has not nullified the Cold War’s doctrine of
Mutually Assured Destruction. MAD was the basis for genuine nuclear deterrence, since
the horrific alternative was well-understood to be unacceptable in both the Kremlin and
the White House. Had either superpower been tempted to unleash a nuclear strike on the
other, there could be no doubt as to the identity of the aggressor.
By design, both countries’ nuclear weapons command and control systems have
centralized launch authority in the hands of their political leadership. In contrast,
offensive cyber-capabilities are highly diffuse. Today, cyber-attacks can be undertaken
by rogue “individuals” working within a state structure, or even by third-parties who are
not subordinate in any respect to governmental authority.
Those states responsible for a nuclear attack would be held “accountable,” since it is
inconceivable that one state could detonate nuclear weapons on an adversary’s territory
without being detected. Each side’s confidence in its ability to determine who attacked
it represented MAD’s informational foundation. The equivalent is not the case in the
cyber sphere. Cyber-attacks can be unleashed from anywhere, including from within
one’s own borders.
International law does not explicitly authorize the use of force against states that permit
their territory to be used against other states. This norm does not seem appropriate given
the characteristics of cyber-aggression and crime. A new international legal framework is
needed where states are required to endeavor to prevent cyber-attacks from emanating
against other states from within their borders, and cooperate fully with other states or
international organizations in the investigation and prosecution of transnational financial
crimes having a nexus to their territory or their nationals.
During the Cold War, MAD’s existence did not eliminate all forms of competition
between the two superpowers. Rather, they adopted both formal and informal rules of
conduct concerning the forms that such activity took, and the location in which it
occurred. Russia, along with China, purports to have an interest in the adoption of certain
constraints on offensive cyber activities. In fact, at the United Nations, they have even
proposed having a voluntary, cyber “Code of Conduct.”
The U.S. and its principal allies are parties to the Council of Europe’s Convention against
Cybercrime (the Budapest Convention). The Convention requires its signatories to
harmonize their national legislation on cybercrime, more vigorously investigate alleged
cybercrimes, and increase their cooperation in the prosecution and enforcement of the
relevant laws. The U.S. should encourage Russia, China, and Iran to adhere to the
Convention or face carefully-designed retaliatory measures if they do not.
A state’s non-compliance with the Convention’s requirements may be regarded as a sign
that it is involved in the conduct of cybercrime or found to have provided legal sanctuary
to criminals. In either case, they could be subjected to new economic sanctions and other
measures. That is, the U.S. should offer foreign states and their leaders a mechanism
under which they could exonerate themselves formally of wrongdoing, or accept the
situation where their non-cooperation would be deemed evidence that they were
accessories after the fact for transnational cybercrimes. Of course, there would be the risk
of retaliation, but the most probable form is unlikely to vary significantly from the attacks
already occurring.
It is improbable that Russia will acknowledge that it provides sanctuary to certain
criminals, or that it is using them as proxies to conduct cyber operations, and will
therefore not be eager to help foreign law enforcement authorities combat transnational
crime. If this is the case, the Kremlin cannot rightfully expect or complain when other
states act in a similar fashion. During the Cold War, the U.S. and its allies used
international broadcasting in an effort to undermine hostile regimes by seeking to
influence elite public opinion in the Soviet Union and other countries. This approach
should be pursued again with a contemporary twist.
So long as Russia and other countries engage in or facilitate cybercrime, we could
develop appropriate programs for operating open and clandestine blogs, emails (both
targeted and spam), social networking tools (Facebook, Twitter, YouTube), and various
websites in support of our policy goals. The U.S. might even take a chapter from Russia’s
playbook by crowdsourcing Americans to release an unprecedented volley of targeted
emails to Russia’s governmental and “private sector” decision-makers.
These emails would need to be in sufficient volume to ensure their recipients spend a
significant amount of time sorting through their inbox; their “payload” could contain
information on their officials’ financial crimes and corruption. If done properly, these
messages should be able to penetrate in sufficient number these regimes’ information and
communications filters and jeopardize their efforts to monopolize information available
to the people living within their borders.
Under the best of circumstances, the result of this scenario might make Russia more
sensitive to being a good global cyber citizen.
THE AUTHOR IS ETHAN S. BURGER
Ethan S. Burger is a Washington-based international lawyer and academic who specializes in
cybersecurity, transnational financial crime, and Russian legal matters. He has worked on projects
for the Australian Federal Police and the U.S. Department of Justice. He is an Adjunct Professor at
Washington College of Law, and is currently teaching about cybersecurity at Vilnius University on a grant from the Fulbright Foundation.
THE COAUTHOR IS DONALD N. JENSEN
Donald N. Jensen is a Senior Fellow at the Center for Transatlantic Relations, Johns
Hopkins School of Advanced International Studies and Adjunct Senior Fellow, Center for
European Policy Analysis, where he is editor of the CEPA Information Warfare
Initiative. A former US diplomat, Jensen provided technical support for the START,
INF, and SDI negotiations and was a member of the first ten-man US inspection team to
inspect Soviet missiles under the INF Treaty in 1988. He was a foreign policy advisor to
the presidential campaign of Governor John Kasich.
Jensen writes extensively on the domestic, foreign and security policies of Russia,
Ukraine, and the other post-Soviet states, including for The American Interest, US News,
Newsweek, the Voice of America and the Institute of Modern Russia. He is a regular
commentator on CNBC, Fox News, and RFE/RL. He has lectured at a variety of
universities, including Johns Hopkins, Harvard, Oxford and George Washington
University. He received his PhD and MA from Harvard and BA from Columbia.