The US-Russia cyber rivalry: Between the virtual and the real,
US-Russia relations – never smooth at the best of times – have been especially fraught since Russia’s annexation of Crimea and military intervention in eastern Ukraine. As tempers flare and sanctions fly, relations have been particularly strained in the arena of cyber security. Despite the US’s world-leading capabilities, Russia’s alleged episodes of cyber aggression in 2016 succeeded in their efforts to make the US look confused and caught off-guard. In 2017, the US will formulate its response.
Much has been made of the US’s allegedly weak pushback against Russia’s headline-grabbing hackers. The asymmetry is concerning, but only partly warranted. First, the US has the capability to push back on Russian cyber incursions. However, there are diplomatic and political brakes on retaliation that restrict the use of these capabilities. Despite these apparent constraints, the US’s offensive cyber capabilities remain unmatched. Its previous cyber attacks, such as Stuxnet, and espionage campaigns, such as the Equation Group and Project Sauron, have pushed the bounds of possibility, meaning it likely retains an ace up its sleeve.
The US has defended itself in the past – just ask the Chinese. Prior to Russia’s more recent cyber hostility, the US was busy deterring Chinese cyber espionage, naming and shaming the parties it believed were behind incursions into sensitive commercial information.
The US’s defence arsenal against China was broad and potent, including the May 2014 indictment of five suspected People’s Liberation Army personnel, threats of financial sanctions and joint cooperation and agreements. Notable among the latter was the September 2015 agreement in which the US and China agreed to stop for-profit cyber espionage operations (while keeping the option for security-related operations firmly on the table).
Russia is a different kind of cyber player. Where China wants confidential economic data, Russia is playing on the field of politics. Look at where the US suspects that Russia has taken aim: the US Democratic National Committee and the machinery of the US democratic process. Where China likes to work under the radar, Russia has enriched our hacking vocabulary: Guccifer 2.0, Fancy Bears and the Shadow Brokers are all now famous for their suspected efforts for, of from inside, the Russian government. At once, these groups appear to have accomplished two goals – making Russian hacking activity high-profile and newsworthy, and blurring the line between state and non-state actors in cyber-conflict.
The US intelligence community has officially blamed senior Russian government officials for ordering interference in its recent Presidential election via the breach of sensitive emails via the Democratic National Committee (DNC). Although we ultimately think the responsibility lies with the Kremlin, Russian officials have been empowered by the US’s decision not to support private US cyber security companies' efforts at forensic attribution with potentially more authoritative versions, rubbishing Washington’s allegations. If the US cannot conclusively prove who stands behind Fancy Bears, for example, how sure can we be that it really is the Kremlin?
Therein lies part of the potency of achieving plausible deniability: how do you respond to a cyber attack when you don’t really know who to respond to? Even if the victims of such attacks knew exactly who they were up against, Western military and security strategies don’t really include mere cyber mischief. Nor, really, are they all that good at it. Moreover, the risk of escalation always looms.
So what options does this leave the US to respond to Russian cyber aggression in 2017?
These are unlikely to be intensified. The US imposed wide-ranging sanctions on Russia in 2014 in connection with its military intervention in Ukraine, and in late 2016 both the EU and US discussed the potential addition of further sanctions in connection with Russia’s military campaign in Syria. Although the direct damage they cause to Russia’s economy is difficult to gauge, the sanctions are an irritant for Russia because they have cut off access to potentially lucrative financial markets in the US. That said, Donald Trump’s administration is unlikely to have much appetite for intensifying existing sanctions. Given his talks of an improved bilateral relationship with Russia and his expected transactional approach to diplomacy, he is more likely to push for an easing of these sanctions in the coming year as a way of promoting US trade interests.
The US successfully deployed a legal attack against China’s cyber-aggression with the 2014 indictment against the PLA. This worked because China is keen to be seen as playing by the rules of international engagement – upholding the rule of law and adhering to international norms.
Russia’s different interpretation of the rules of international engagement dulls the legal threat. When the US blamed Russia for hacking the DNC, Putin blithely responded: ‘Does it even matter who hacked this data?’ Legal responses to other incidents that have also been attributed to the Russian government – such as the downing of flight MH17 and the murder of Alexander Litvinenko – have also failed to produce tangible results.
Even though the US intelligence community is likely to have the capability to trace the actions of the Russian cyber espionage unit APT 28 – the reported source of the DNC breach – to specific individuals, exposing them would be unlikely to produce the same sort of results as the indictment of the PLA officers. What’s more, indications from the campaign trail suggest Trump is likely to rely less on formal legal mechanisms and multilateral organisations when dealing with other states than President Barack Obama, preferring instead more direct means of diplomacy.
A more targeted response intended to embarrass Putin and his inner circle, such as stealing and releasing sensitive documents, remains an option for the US. But the US lacks the experience and the network of plausibly deniable activist puppet groups for such an operation. An example of this was a Ukrainian activist group called ‘Cyber Hunta’, which in October 2016 claimed to have hacked emails belonging to one of Putin’s most senior advisers that they published online. The group claimed the emails provided proof of Russia’s political, military and financial support of the rebels in eastern Ukraine, but there is little credible evidence to give weight to Cyber Hunta’s authenticity and Russian authorities easily deflected the claim as false. Although the US could feasibly use such regional proxies, this approach would clash with the president-elect’s apparent willingness to tolerate and avoid interference in Russian spheres of influence.
In any case, the Putin administration so far seems to be immune even to more ‘authoritative’ leaks. The exposure of the so-called ‘Panama Papers’ brought down the government of Iceland, but failed to carry the same clout against prominent Russians mentioned in the exposé, undermining their authority in the process. Trump’s experience from the campaign trail of the potential impact of such leaks and the potential for a response in kind targeting his own reputation is likely to dampen his enthusiasm for this option.
US capability to cause disruption to hostile states was demonstrated by the Stuxnet worm, which targeted Iran’s nuclear enrichment efforts, and the broader Operation Olympic Games, prepared to target Iranian critical national infrastructure in the event of the breakdown of negotiations over Tehran’s nuclear programme. But Iran’s threat to the US – and to stability in the Middle East – is more important to the US foreign policy establishment than Russian cyber aggression. From a foreign policy perspective, Russia’s uranium enrichment programme does not pose the same threat as that of Iran, and Russia is, of course, a long-standing nuclear power. Physical disruption would be disproportionate here.
Even if the US decided to clandestinely attack, say, Russia’s military intelligence (the GRU) or its foreign intelligence apparatus (the SVR, soon to be blended into a newly vigorous Federal Security Service), the risk of escalation looms large. Russia harbours a long-standing strategic tendency toward symmetry. This risks a long-running series of retaliations that could put the US intelligence community – to say nothing of its critical national infrastructure – in the crosshairs. It would therefore represent an unlikely option for Trump if he is looking to restore good relations with Moscow.
Recognition of the issues with the above options and Trump’s stated desire to normalise relations with Moscow may instead prompt a more conciliatory stance. The two states have set aside their differences before in the interests of avoiding cyber escalation, when in April 2016 they held bilateral talks to reduce the risk of disruptive attacks. Rather than the largely tit-for-tat measures considered above, such an approach appears the most likely, and could still offer the best strategic outcome for the US in 2017.