According to an NBC News report, the United States has penetrated Russia’s electric grid, telecommunications networks, and command and control systems in order to be able to launch retaliatory cyberattacks if the Kremlin attacks critical infrastructure during the election. An unidentified senior official reportedly said that if Russia attacked critical infrastructure, Washington could shut down some Russian systems. Washington has in the past called out China and Russia for "preparing the battlefield" by penetrating and surveilling networks. Admiral Michael Rogers, head of U.S. Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee in 2015, “We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict.” The NBC report is confirmation (by leak) that the United States is, not surprisingly, doing the same.
This is clearly an effort to create a deterrent. President Obama also reportedly warned President Putin about interference in the election at their last meeting two months ago. Like Lawfare’s Jack Goldsmith, I am skeptical that deterrence by leak is an effective method. In previous leaks claiming the United States would respond with cyberattacks, there has been no visible follow through. While there may have been covert disruptions, there is little reason to think Moscow would take these new reports more seriously. Moreover, the Russians can easily remain below the threshold of an attack on critical infrastructure. The theft and public disclosure of the emails of the Democratic National Committee and Clinton campaign manager John Podesta have been more than effective in stirring up questions about the integrity and legitimacy of the electoral process. Russian hackers do not need to take down the power grid; brief distributed denial of service attacks on social media platforms on election day could do the trick.
The NBC story raises questions about the viability and efficacy of norms of behavior in cyberspace. In 2015, the United States, Russia, and eighteen other countries agreed to refrain from cyber activity during peacetime that "intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public." If the United States did penetrate Russian networks, these actions may not, as Paul Triolo and others note, have violated the norm since it prohibits damage and impairment, not access to networks. In other words, the norm prevents an action that states have no interest in pursuing, and does nothing to stop escalatory actions like mapping the battlefield.
The leaks, and the Russian response, also cast doubt on U.S. cyber diplomacy. One of the more touted accomplishments in the bilateral relationship was a set of cooperative mechanisms announced in 2013, including the creation of a new working group, exchanges between computer emergency response teams, and the establishment of a White House-Kremlin direct communications line. This line, a secure voice communications line between the U.S. cybersecurity coordinator and the Russian deputy secretary of the Security Council, is to be used "should there be a need to directly manage a crisis situation arising from an ICT security incident." There is, however, no reporting that it has been used in this or any previous incident. Like the norm mentioned above, a confidence building measure has done little to stop cyber conflict from becoming more intense.
(UPDATE: A little over a week after this blog post first appeared, the Washington Post reported that the White House had in fact used the direct communications line to warn Russia about engaging in cyber operations that would further disrupt the U.S. elections.)
In the face of Russian efforts, many have noted that the next administration will have to rethink how to strengthen U.S. government defenses against cyberattacks, energize private sector cybersecurity efforts, and establish a credible deterrent in cyberspace. U.S. diplomatic efforts will have to be similarly reexamined. What is the utility of pursuing consensus on a set of cyber norms if they don’t cover the escalatory activity at the core of U.S.-Russian tensions? What is the utility of establishing confidence building measures specifically designed to de-escalate the current situation if neither country is going to use them? Maybe the United States is better off working with its friends and allies to identify, deter, and counter Russian action instead of pursuing a norms-based strategy.