Russia Joint Chiefs of Staff hack: Deterrence doesn’t work with cyberattacks.

Deterrence Doesn’t Work When It Comes to Cyberattacks

The citizen’s guide to the future.
Aug. 13 2015 9:00 AM
FROM SLATE, NEW AMERICA, AND ASU

The New Cold War Is Going Digital

And that’s a problem, because deterrence doesn’t work when it comes to cyberattacks.

Playing a dangerous game: Russian President Vladimir Putin watches the opening ceremonies of the Sochi 2014 Paralympic Winter Games on March 7, 2014.

Photo illustration by Juliana Jiménez. Photo by Ronald Martinez/Getty Images

Sometimes we forget about the 40-odd–year Cold War between the former Soviet Union and the West. We forget about the espionage, sabotage (on both sides), the covert and proxy wars, and even the overt arms race. Since 1991 a sort of public indifference to Russia’s antics has developed, despite its nuclear saber rattling, its annexation of Crimea, and its ongoing provocative posture. Sure, the United States and the European Union sanction Russia for its actions in Ukraine, but there is little public outcry. Sure, the incoming chairman of the Joint Chiefs of Staff tells Congress that Russia is the “greatest” threat to the U.S., but no one really seems to believe it.

Now Russia has (allegedly) hacked the unclassified email system of the Joint Chiefs and its roughly 2,500 supporting employees. The rather limited news we have is that Russia is the “prime suspect,” and that the attack was highly “sophisticated” and looks to be the work of a state or state-sponsored group. We really only have three pieces of information to date: There was a sophisticated spear phishing attack; the breach affected only the Joint Chiefs’ unclassified system; and it was “traced” to Russia. Taken in isolation this attack seems pretty inconsequential. But it’s just the latest in a string of incidents, like the other Russian hack on the Defense Department a mere four months ago, as well as the hacks last year at the White House and State Department. Overall, there’s been an uptick in cyber-escapades emanating from Russia since the beginning of the current sanctions regime. Indeed, it looks to be part and parcel of a wider strategy toward a New Cold War. The only difference is that the old “deterrence” strategy won’t work, especially against cyberattacks.

If we want to put the Joint Chiefs hack into context, we ought to do so within a wider explanation and strategic perspective. First, Russia’s position within the international system is one of a waning power. On most metrics, such as population growth, economic strength, and military capacity, Russia has steadily declined since the collapse of the Soviet Union. Such a reversal of prominence places Russia in what some might call a “domain of losses”—a point at which a leader sees herself in a crisis and becomes more risk-acceptant to try to regain her former prominent position. Contrarily, if she were in a “domain of gains,” she might be more risk-averse. It’s a bit like cashing in one’s chips at the poker table. Russia is in the position of trying to win back what she once had and so is more likely to engage in risky and escalatory behavior.

Second, we must remember that Russian President Vladimir Putin’s perspective and influence are extremely important. His history as a former KGB officer, and an officer who witnessed the fall of the Berlin Wall in East Germany in 1989, is formative to his identity and his belief structure. As historian and journalist Jerrold Schecter argues, “Putin’s character and his core beliefs, ingrained in his world view and behavior, stem from a conflicted mélange of Tsarist authoritarianism and Marxist-Leninism.” In short, he is a Bolshevik. A Bolshevik must use everything at his disposal to win, and that includes deceiving, attempting to falsify reality, weakening one’s opponent, and escalating conflicts to the extreme.

Putin rejects the post–Cold War balance of power, and this is no secret. His attempts to regain or punish lost satellite states, as well as to harass Western powers, are nothing new. Moreover, his explicit rejection of American dominance means that he will rarely compromise or utilize more pacific means to regain Russian power. He would rather modernize his arsenal, engage in destabilizing activities, and use escalatory rhetoric.

What then of the Joint Chiefs hack? This is one more weapon in his arsenal, and it is a relatively costless one. If Russia is truly engaging in “hybrid warfare”—in which it will utilize military and nonmilitary tools, such as cyber-operations—then the Joint Chiefs hack is only one battle amid a much larger campaign. The hack on the email system is just the most current and visible exploit in a series of cyber-salami tactics. The worry, however, is what the aims of this new campaign are. If Russia is beginning to wage a New Cold War, what is the U.S. willing to do in response?

The logic of Cold War deterrence and mutually assured destruction won’t work in this new domain. First, the so-called attribution problem makes any escalatory response dangerous. The level of uncertainty as to who is “really” behind a cyberattack drives just enough of a wedge to temper any intensification in force. For instance, there was enough dismay at Russia sending unidentified “little green men” into Crimea with military uniforms but without official insignia. Russia denied its actions here, and in this instance had obvious state-owned military hardware for the world to see. In the case of a cyberattack, there is weaker circumstantial evidence linking the government of Russia to any particular attack. In the Crimea case, we can infer that Russia ordered the tanks there; with the hack, we are less certain whether there was an official order, or whether the attackers were loyalists acting of their own accord, or whether someone spoofed a Russian IP address. Moreover, if the U.S. engaged in a cyber–tit-for-tat, we risk losing the advantage of the weapon once it is used. Cyber-“weapons” rely on an exploit, or weakness, in software, hardware, or networks. Once someone knows about the vulnerability, they can fix it and the “weapon” is no longer useful. Thus, cyber-“weapons” are unlike normal munitions; you can’t “patch” an atomic weapon.

Second, deterrence—in the classic, Cold War sense—really only works when one side can prove that it will survive a terrible attack long enough to wipe out the other side. The hack on the Joint Chiefs is clearly not in the same ballpark as threatening nuclear war. Indeed, the most one can do is “name and shame,” though the White House is rather tightlipped at the moment.

What about nonlethal “deterrence,” in the sense of getting an actor to refrain from doing something because it would be too costly for him? Well, what might we threaten to make it too costly? Surely it can’t be a proportionate response, for the logic of deterrence works on it being disproportionate. Would sanctions do it? Doubtful, as we are already sanctioning Russia. What about a show of force? Even more doubtful, for why would we do something like that against a nuclear-armed adversary that has shown a predilection for escalating, especially for the “offense” of hacking an unclassified email system? Clearly that isn’t an act of war.

The real question is how to ensure cybersecurity and resilience in the face of increasing cyber-insecurity. Russia will act like Russia, and it will look for any way to exploit its advantage and U.S. vulnerability. To be sure, we might stop and question the new sophistication of the phishing scheme, but it still took someone to click on it. Stronger encryption, better cyber-hygiene, and perhaps more malware filters may do more to deter future attacks than any actions seeking to further poke the bear.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.

Heather M. Roff is a research scientist at Arizona State University and a cybersecurity fellow at New America.