TUESDAY OCTOBER 25, 2016

EXPERT COMMENTARY

Responding to Russian Cyber-Provocations OCTOBER 23, 2016 | ETHAN S. BURGER AND DONALD M. JENSEN

ETHAN S. BURGER

KVIESTINIS PROFESSORIUS, FULBRIGHT FOUNDATION GRANTEE, VILNIUS UNIVERSITY

DONALD N. JENSEN

SENIOR FELLOW, CENTER FOR TRANSATLANTIC RELATIONS, JOHNS HOPKINS SAIS

Most political leaders understand that governments that fail to respond to public

provocations by foreign states do so at their own risk. In recent years, the U.S. and some

of its allies (such as Australia, Estonia, Germany, Lithuania, and the U.K.) have

been subjected to repeated, sophisticated, and costly cyber-attacks, emanating from

Russia, China, Iran, and North Korea. These waves of attacks have become the “new

normal.”

It is difficult, if not impossible, to determine reliably the lines separating the actions of a

state, its proxies, organized criminal groups, and its business sector. Cyber-attackers can,

to some degree, engage in aggressive cyber-behavior while remaining anonymous. For

example, Russian President Vladimir Putin and his coterie may engage multiple

intermediaries so that the numerous degrees of separation between the Kremlin and the

direct attackers cannot be traced.

Earlier this month, the Obama Administration announced that it was confident that the

Russian government directed the recent theft of emails from the Democratic National

Committee, which were later published on anti-secrecy website WikiLeaks.

President Barack Obama is now considering a range of retaliatory diplomatic,

informational, military, and economic options. The White House has indicated that the

U.S. response would be proportional and may not be announced publicly. Unfortunately,

the U.S. Government will not always be able to attribute particular cyber-attacks to

specific states or criminal groups.

This problem of attribution allows states to act through proxies so that they can have

‘plausible’ deniability and thus avoid significant retaliation. A further complicating factor

is that covert actions and intelligence do not qualify as the “unlawful” use of force under

international law. Furthermore, limited “counterattacks” against Russia’s cyber-forces

would neither reduce the threat of its further offensive operations against the U.S., nor is

likely to have a deterrent effect.

Massive cyber-retaliation could lead to further escalation, including even the use of

nuclear weapons and thus represents an unjustifiable risk. This situation seemingly

encourages aggressors, especially those who are not overly concerned about domestic and

international political opinion or the cost in human life of thermonuclear war.

The existence of cyber conflict short of war has not nullified the Cold War’s doctrine of

Mutually Assured Destruction. MAD was the basis for genuine nuclear deterrence, since

the horrific alternative was well-understood to be unacceptable in both the Kremlin and

the White House. Had either superpower been tempted to unleash a nuclear strike on the

other, there could be no doubt as to the identity of the aggressor.

By design, both countries nuclear weapons command and control systems have

centralized launch authority in the hands of their political leadership. In contrast,

offensive cyber-capabilities are highly diffuse. Today, cyber-attacks can be undertaken

by rogue “individuals” working within a state structure, or even by third-parties who are

not subordinate in any respect to governmental authority.

Those states responsible for a nuclear attack would be held “accountable,” since it is

inconceivable that one state could detonate nuclear weapons on an adversary’s territory

without being detected. Each sides’ confidence in its ability to determine who attacked

them represented MAD’s informational foundation. The equivalent is not the case in the

cyber sphere. Cyber-attacks can be unleashed from anywhere, including from within

one’s own borders.

International law does not explicitly authorize the use of force against states that permit

their territory to be used against other states. This norm does not seem appropriate given

the characteristics of cyber-aggression and crime. A new international legal framework is

needed where states are required to endeavor to prevent cyber-attacks from emanating

against other states from within their borders, and cooperate fully with others states or

international organizations in the investigation and prosecution of transnational financial

crimes having a nexus to their territory or their nationals.

During the Cold War, MAD’s existence did not eliminate all forms of competition

between the two superpowers. Rather, they adopted both formal and informal rules of

conduct concerning the forms that such activity took, and the location in which it

occurred. Russia, along with China, purports to have an interest in the adoption of certain

constraints on offensive cyber activities. In fact, at the United Nations, they have even

proposed having a voluntary, cyber “Code of Conduct.”

The U.S. and its principal allies are parties to the Council of Europe’s Convention against

Cybercrime (the Budapest Convention). The Convention requires its signatories to

harmonize their national legislation on cybercrime, more vigorously investigate alleged

cybercrimes, and increase their cooperation in the prosecution and enforcement of the

relevant laws. The U.S. should encourage Russia, China, and Iran to adhere to the

Convention or face carefully-designed retaliatory measures if they do not.

A state’s non-compliance with the Convention’s requirements may be regarded as a sign

that it is involved in the conduct of cybercrime or found to have provided legal sanctuary

to criminals. In either case, they could be subjected to new economic sanctions and other

measures. That is, the U.S. should offer foreign states and their leaders a mechanism

under which they could exonerate themselves formally of wrongdoing, or accept the

situation where their non-cooperation would be deemed evidence that they were

accessories after the fact for transnational cybercrimes. Of course, there would be the risk

of retaliation, but the most probable form is unlikely to vary significantly from the attacks

already occurring.

It is improbable that Russia will acknowledge that it provides sanctuary to certain

criminals, or that it is using them as proxies to conduct cyber operations, and will

therefore not be eager to help foreign law enforcement authorities combat transnational

crime. If this is the case, the Kremlin cannot rightfully expect or complain when other

states act in a similar fashion. During the Cold War, the U.S. and its allies used

international broadcasting in an effort to undermine hostile regimes by seeking to

influence elite public opinion in the Soviet Union and other countries. This approach

should be pursued again with a contemporary twist.

So long as Russia and other countries engage in or facilitate cybercrime, we could

develop appropriate programs for operating open and clandestine blogs, emails (both

targeted and spam), social networking tools (Facebook, Twitter, YouTube), and various

websites in support of our policy goals. The U.S. might even take a chapter from Russia’s

playbook by crowdsourcing Americans to release an unprecedented volley of targeted

emails to Russia’s governmental and “private sector” decision-makers.

These emails would need to be in sufficient volume to ensure their recipients spend a

significant amount of time sorting through their inbox; their “payload” could contain

information on their officials’ financial crimes and corruption. If done properly, these

messages should be able to penetrate in sufficient number these regimes’ information and

communications filters and jeopardize their efforts to monopolize information available

to the people living within their borders.

Under the best of circumstances, the result of this scenario might make Russia more

sensitive to being a good global cyber citizen.

THE AUTHOR IS ETHAN S. BURGER

Ethan S. Burger is a Washington-based international lawyer and academic who specializes in

cybersecurity, transnational financial crime, and Russian legal matters. He has worked on projects

for the Australian Federal Police and the U.S. Department of Justice. He is an Adjunct Professor at

Washington College of Law, and currently teaching about cybersecurity at Vilnius University on a grant from the Fulbright Foundation.

THE COAUTHOR IS DONALD N. JENSEN

Donald N. Jensen is a Senior Fellow at the Center for Transatlantic Relations, Johns

Hopkins School of Advanced International Studies and Adjunct Senior Fellow, Center for

European Policy Analysis, where he editor of the CEPA Information Warfare

Initiative. A former US diplomat, Jensen provided technical support for the START,

INF, and SDI negotiations and was a member of the first ten-man US inspection team to

inspect Soviet missiles under the INF Treaty in1988. He was a foreign policy advisor to

the presidential campaign of Governor John Kasich.

Jensen writes extensively on the domestic, foreign and security policies of Russia,

Ukraine, and the other post-Soviet states, including for The American Interest, US News,

Newsweek, the Voice of America and the Institute of Modern Russia. He is a regular

commentator on CNBC, Fox News, and RFE/RL. He has lectured at a variety of

universities, including Johns Hopkins, Harvard, Oxford and George Washington

University. He received his PhD and MA from Harvard and BA from Columbia.