The Obama administration responded to Russia’s cyber operations against Democratic National Committee officials last week. The punitive measures seek to deter Russia, and other adversaries, from cyber-related interference with U.S. elections. This strategy connects to the importance President Obama placed on deterrence in cybersecurity. His administration tried to strengthen cyber defenses (deterrence by denial), clarify international law’s application in cyberspace and develop international cyber norms (deterrence by norms), and threaten punishment for hostile cyber operations (deterrence by punishment). However, the election hacking episode highlights how the president’s efforts to achieve deterrence for cybersecurity have failed.
The astonishing lack of cybersecurity among the organizations and individuals targeted in the hacks reveals, again, problems with cyber defenses. This episode pairs with the infiltration of the Office of Personnel Management as embarrassing symbols of public and private failures to protect against cyber threats—years after improving cyber defenses became cybersecurity gospel.
In announcing punitive measures, President Obama stated the actions “are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior.” Russia was clearly not deterred by these norms, despite U.S. efforts to cooperate with Russia on cybersecurity and strengthen norms for responsible state behavior in cyberspace. Further, the Obama administration consistently distinguished binding international law from non-binding cyber norms. Its choice to rely on norms rather than international law in connection with the election hacks weakens the normative justification for its actions. This choice undermines arguments the election hacks violated international law by, for example, infringing U.S. sovereignty and constituting illegal intervention in U.S. domestic affairs.
Whether a norm against cyber interference with elections is established is also not clear. For example, Mike McFaul and Amy Zegart argued President Trump should make “thou shall not use stolen data to influence elections” part of a new U.S.-Russia agreement on cyber norms, suggesting that such a norm is not, in fact, established. Even domestically, President Obama had to amend an executive order because previous executive orders and U.S. law did not directly address what happened. To have what Russia did covered by neither international law nor an established norm reflects badly on an administration dedicated to advancing the internet’s importance to democracy and individual freedoms.
The Obama administration embraced deterrence by punishment, warning in 2011 it would “ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits.” This statement threatens adversaries with disproportionate punishment. However, in sanctioning Russia, the administration stressed how proportionate its measures are. This confusion connects to debates about whether the actions punish Russia enough to achieve deterrence.
Other features of last week’s measures raise additional questions. The administration’s actions against the election hacking formed part of a sanctions package that included responses to harassment of U.S. diplomats and Russian-based cyber thefts and intrusions against U.S. companies. This approach diluted the impact of acting against the election hacks. Press attention often focused on the expulsion of Russian diplomats, but whether this sanction was intended as punishment for the hacks was not clear. Mixing issues in this manner undermined the clarity deterrence by punishment needed for something as important as the election hacking.
The sanctions imposed also suffer because of positions Donald Trump has taken. The president-elect has challenged the U.S. intelligence community’s attribution of the hacks to Russia. His desire to improve relations with Russia erodes the credibility of the deterrence President Obama seeks to establish by punishing Russia. Putin’s decision not to counter-retaliate revealed how ephemeral he calculates the president’s actions are, including the threat of covert action only the Russians will know the United States conducted.
Trump’s willingness to “move on” from the election hacks neuters his own threats of “crippling cyber counter-attacks” to deter cyber attacks on “our critical resources.” He has turned his back on one of the most disturbing things to happen to democracy in the cyber age. Whatever purpose Trump’s approach to Russia might involve, strengthening deterrence in cybersecurity is not a priority. Tension between Trump and members of Congress on investigating the hacks reinforces the lack of credible commitment to cyber deterrence in Washington, D.C.
The Obama administration ends with its strongest response to harmful cyber operations by a foreign state riddled with doubts about its effectiveness, damaged by the president-elect, and dismissed by Putin as a trifling inconvenience. Whether the intelligence report President Obama has ordered and congressional investigations force Trump to change direction remains to be seen. Meanwhile, fears of Russian cyber interference in European elections grow with no possibility of transatlantic solidarity on deterring the threat. A strategy for better U.S. election cybersecurity faces dismal prospects under President Trump. It is hard to conclude from all this that deterrence by denial, norms, and punishment have become effective instruments of U.S. cybersecurity policy over the past eight years.