Rules of the cyber road for America and Russia
11 Mar 2019|

The United States responded weakly after Russian cyber operations disrupted the 2016 presidential election. US President Barack Obama had warned his Russian counterpart, Vladimir Putin, of repercussions, but an effective reply became entangled in the domestic politics of Donald Trump’s election. That could be about to change.

Recently, American officials anonymously acknowledged that US offensive cyber operations prevented a Kremlin troll farm from disrupting the 2018 congressional elections. Such offensive cyber operations are rarely discussed, but they suggest ways to deter disruption of the US presidential election in 2020. Attacking a troll farm will not be enough.

Deterrence by threat of retaliation remains a crucial but underused tactic for preventing cyberattacks. There has been no attack on US electrical systems, despite the reported presence of Chinese and Russians on the grid. Pentagon doctrine is to respond to damage with any weapon officials choose, and deterrence seems to be working at that level.

Presumably, it could also work in the grey zone of hybrid warfare, such as Russia’s disruption of democratic elections. Given that US intelligence agencies are reported to carry out espionage in Russian and Chinese networks, one can imagine that they discover embarrassing facts about foreign leaders’ hidden assets, which they could threaten to disclose or freeze. Similarly, the US could go further in applying economic and travel sanctions against authoritarians’ inner circles. The diplomatic expulsions and indictments since 2016, and the recent offensive actions, were only first steps towards strengthening America’s deterrent threat of retaliation.

But deterrence will not be enough. The US will also need diplomacy. Negotiating cyber arms-control treaties is problematic, but this does not make diplomacy impossible. In the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user. Thus, it will be difficult to prohibit the design, possession, or even implantation for espionage of particular programs. In that sense, cyber arms control cannot be like the nuclear arms control that developed during the Cold War. Verification of weapons stockpiles would be virtually impossible, and even if it were assured, stockpiles could quickly be recreated.

But if traditional arms-control treaties are unworkable, it may still be possible to set limits on certain types of civilian targets, and to negotiate rough rules of the road that minimise conflict. For example, the US and the Soviet Union negotiated an Incidents at Sea Agreement in 1972 to limit naval behaviour that might lead to escalation. The US and Russia might negotiate limits to their behaviour regarding each other’s domestic political processes. Even if there is no agreement on precise definitions, they could exchange unilateral statements about areas of self-restraint and establish a consultative process to contain conflict. Such a procedure could protect democratic non-governmental organisations’ right to criticise authoritarians while at the same time creating a framework that limits governmental escalation.

Sceptics object that such an arrangement is impossible, owing to the differences between American and Russian values. But even greater ideological differences didn’t prevent agreements related to prudence during the Cold War. Sceptics also say that Russia would have no incentive to agree, because elections are meaningless there. But this ignores the potential threat of retaliation: democratic openness means the US has more to lose in the current situation, which should encourage it not to hold back from pursuing its self-interest in developing a norm of restraint in this grey area.

Jack Goldsmith of Harvard Law School has argued that the US needs to draw a principled line and defend it. That defence would acknowledge that the US has itself interfered in elections, renounce such behaviour, and pledge not to engage in it again. The US should also acknowledge that it continues to engage in forms of computer network exploitation for purposes it deems legitimate. And officials should ‘state precisely the norm that the United States pledges to stand by and that the Russians have violated’.

This would not be unilateral disarmament on America’s part; rather, it would draw a line between the permitted soft power of open persuasion and the hard power of covert information warfare. Overt programs and broadcasts would continue to be allowed. The US would not object to the content of Russia’s open political speech, including the propagandistic RT television network. But it would object when Russia promotes its views through covert coordinated behaviour such as the 2016 manipulation of social media, or dumping hacked emails.

Non-state actors often act as state proxies in varying degrees, but the rules would require their open identification. And because the rules will never be perfect, they must be accompanied by a consultative process that establishes a framework for warning and negotiation. Such a process, together with stronger deterrent threats, is unlikely to fully stop Russian interference, but if it reduces the level, it could enhance America’s defence of its democracy.

Given the poor state of US–Russian relations, with Putin boasting about new nuclear weapons, the climate for an agreement is not promising, though there have been some hints of Russian interest. At the same time, the partisan divisions in US politics over the legitimacy of Trump’s relationship with Russia also make negotiations difficult. If both sides want to avoid dangerous escalation, perhaps the possibilities can be explored in the context of a professional or military-to-military dialogue. Or the idea may just have to wait until after the 2020 election.