Professor and Senior Fellow, Center for National Security Law, University of Virginia School of Law
Former Ambassador of Finland to Russia (2000-2004)
Nonresident Senior Fellow, Atlantic Council; Former Deputy Assistant Secretary of Defense for Russia, Ukraine, and Eurasia, U.S. Department of Defense (2012-2015)
This is the third session of the Hacked Elections, Online Influence Operations, and the Threat to Democracy symposium.
This panel examines what foreign policy responses are at the United States’ disposal to respond to Russia’s interference in the 2016 U.S. election, and how it could learn from countries that have faced a similar threat.
This symposium convenes policymakers, business executives, and other opinion leaders for a candid analysis of the cybersecurity threat to democracies, particularly to the election systems themselves and the subsequent attempts to shape the public debate through disinformation and online commentary.
FARKAS: OK. Good morning. Good late morning, everyone. This is—I’m going to venture to be bold and say this is going to be the most exciting panel of the day—(laughter)—because we’re all about solving the problems that you guys have been hearing about this morning.
And I’m very happy to have an international panel. Unfortunately, it’s shrunk by one individual because Professor Angela Stent is ill, so she couldn’t join us. I will try to channel her as best I can, with my own personal twist. But we, again, have an international panel that I’m very excited about because they have thought long and hard about how to counter disinformation, especially in the context of dealing with Russia.
So, to my right, to my immediate right, I have Ambassador René Nyberg. He is a very distinguished former Finnish ambassador to Russia, which is of course relevant here, and former chief executive of East Consulting. He’s also served as Finland’s ambassador to Germany—for four years, actually, from 2004 to 2008. He also was head of Finland’s delegation to the OSCE, which obviously also deals a lot with these types of issues, misinformation and ethnic conflict, peace operations, et cetera. He was—and then he was, of course, also Finland’s ambassador to Austria. He has a long, distinguished career. I won’t list all of the other things that he’s done and all of the other accolades he’s received, but he is well-poised to help us think about how we in the United States and other countries can deal with the Russian challenge in particular.
To his right, we have Dr. Ashley—Professor Ashley Deeks. She has a long career now working in the legal area with regard to cybersecurity and other issues. She’s a professor of law and a senior fellow at the University of Virginia’s Law School at their Center for National Security Law, and that’s—that is her area of emphasis. She’s focused on international law, national security, intelligence, and laws of war. She also served as an academic fellow at the Columbia Law School for two years. She’s served in the government—so she has the academic and the government expertise—in the Department of State, in the Office of (the) Legal Adviser for a year, 2007 to 2008. And, of course, she’s also a CFR alum. She was an international affairs fellow in—let’s see, in—
DEEKS: That was 2007-2008.
FARKAS: 2007—OK, so she did the State Department work there. She’s extensively published, again, in the area of international legal security.
So what I would like to do is essentially ask the panelists to give us a little bit of prescription. We heard a lot this morning about the threats that we face. You both know very well from firsthand experience and from research what the threats are. Can you—I would like to hear from each of you what your prescriptions are, what you think we should do, what the United States should do as a matter of foreign policy. And then I will try to add to the discussion by talking a little bit about how I think the Russian government might respond to your prescriptions.
I will start by saying my perspective on the Russian foreign policy—I’ll lay it out a little bit just so that there’s a framework through which you can—or a lens through which you might listen to their prescriptions. From my perspective, the Russian government is not likely to respond to a soft request for negotiation on the legal front. They are not likely to respond to anything except for a real strong, firm policy. And so I think that it’s important to note that, from the Russian perspective, if they think that what they’re doing is bringing them success, they will continue doing what they’re doing until essentially we force them—and I don’t mean by force, but we essentially have to force them to recognize that the price is too high for their existing information operations against the United States and our allies, and that they need to change course somehow.
And, obviously, there are a number of ways we can do that. We’ll hear about at least two of them from the panel here. And then, obviously, we welcome your input with regard to other ideas you might have. But I think I wanted to just lay that out as a foundation, that from the—from the perspective of dealing with Russia it’s really important to raise the price for them, whether it’s economic, political, or otherwise. To raise the price is, I think, what we’re aiming to achieve.
So, if I could, Ambassador, start with you, please give us your best advice.
NYBERG: Well, thank you very much.
I’m a little bit reluctant to come with advice concerning the United States and American policy. But I can talk politics, and I can talk—I can talk Russia. I can—I can reflect on what is going on and what they’re doing, how they’re doing that.
But let me start with a—with a political comment, which is—which doesn’t have anything to do with cyber. And that is that, if you think about the presidential elections in the United States a year ago, there were three people who were stunned by the outcome. The first one was Donald Trump. He didn’t expect to win. The second one who was stunned was Hillary Clinton, who expected to win. And the third one was Vladimir Putin, who was absolutely sure that the devil he knows would win—that is, Hillary. So I think this is the—I mean, this is really basic, and then cyber comes after that. And so it’s not all—it’s not a technical issue. There’s a lot of politics there.
Now, I’m reluctant to speak about the Americans, I mean, what you should do. But if I’m looking at and listening to the last—the panel before us, I very much agree that it’s a question of resilience. It is a question of education. It is a question of understanding what all of this is about.
Now, I had dinner the other night with a New York Times correspondent, and I surprised him by telling him that a couple of days back quite a famous German prize called Marion Dönhoff Prize—she’s a famous—a famous German journalist, already dead 10 years ago—her prize was awarded to The New York Times. I’ve never, ever heard that the—that a German foundation, which usually awards prizes to individual journalists, awards it to a—to a newspaper like The New York Times. And this actually reflects the interest in countering everything which we don’t—everything which is false, that you have a—you have serious newspapers, you have serious news sources.
And it is a fact that the Europeans do read more newspapers. There are—the public education in this sense is more geared to be—to be kind of a—kind of a—more immune, but not totally—more immune to false and fake news. And actually, an EU study about superstition and the level of superstition in different countries, and it turned out that my country, Finland, turned out to be—had the lowest level of people who are superstitious. (Laughter.)
FARKAS: OK. That’s it?
NYBERG: Yeah. (Laughter.)
NYBERG: For a beginning.
FARKAS: OK, all right. That’s great.
Well, I think—but I think that’s wonderful, and I think resistance and resilience is the most important thing, and we’ll get back to that a little bit in the Q&A. Thank you very much, Ambassador.
DEEKS: Great. So thanks very much.
I’m going to take a different tack. As a lawyer, I’m going to be sort of technical here and offer a number of buckets of tools, I think, that the—that the United States and its allies have to take little bites at this problem. I think the panel—the last panel was relatively pessimistic about the success on this. I’m not going to be much more wildly optimistic than they were, but I will just put on the table what I think the tools are that the U.S. government and its allies, especially its NATO allies, have.
So the first bucket would be, are there legal tools that we can employ? And I think the answer there is yes, there might be two different kinds of legal tools. One is international law and the other is domestic law.
So let me just say a little bit about international law. There have been lots of discussions going on for the past five or six years at the U.N. in something called the Group of Government(al) Experts that’s asking not just cyber questions related to elections or election interference, but broader cyber questions about how can we think about what’s appropriate behavior as between countries in cyberspace. And they were making some good success, some good progress up until 2017. And by that I mean there was at least a general consensus that the basic principles of international law embodied in things like the U.N. Charter were relevant to cyberspace. So, that is, if something happened in cyberspace that produced the equivalent of an armed attack, well, then the state—the victim had a right of self-defense. That’s sort of a basic principle of international law dealing with security.
What happened in 2017 was this basic sort of consensus that the well-understood norms of international law applied to cyber broke down. The Cubans were the sort of most vocal cause of the breakdown, but I think it’s well-understood that the Russians and the Chinese also diverted this consensus for entirely political reasons, so that there is not now even a kind of formal international consensus that some of these basic norms apply.
OK. So what, then, is left for international law to do? One thing might be to try to engage the Russians very directly in a kind of bilateral discussion about certain kinds of behavior that takes place in cyberspace. And I think our moderator, Evelyn, has suggested that is going to be quite challenging. Maybe we could talk a little bit more about whether that could ever happen. But there is a model for that, and that model is between the U.S. and the Chinese government related to economic espionage, most of which was occurring in cyberspace. So it was a real problem, it was something we were skeptical that the Chinese would agree to, and yet we got into a position where there was a bilateral MOU with an adversary, basically, agreeing that a particular norm should attach to our behavior, especially as it applied to cyberspace. So that might be one potential model.
There’s another model, which is can we as likeminded states—that is, sitting down with our NATO allies, for instance—try to articulate in some level of detail what norms we think are acceptable? There was some discussion on the last panel about values. What do we stand for? What are our values? We could come together as NATO countries and identify what our values are as reflected in behavior in cyberspace. So that would be another possibility.
There is a domestic law angle, too, and we’ve already seen some of this happen. And what I’m talking about here is indictments of people overseas, including foreign officials, for activities they’ve engaged in in cyberspace, including hacking. There have been indictments of people from the People’s Liberation Army. That might have been the thing that motivated the Chinese to enter into an MOU with us. There have been indictments of Iranian officials. And there may well be indictments of—there have been news stories that at least six Russian officials who were involved in the election hacking are being investigated and potentially going to be indicted by the United States. Is it likely that these officials are going to show up at JFK Airport so that we can arrest them and prosecute them? Not likely. On the other hand, it definitely cabins travel for people. It has proven very—it complicates their lives, I think, in important ways. And so I would say watch that space for whether the Justice Department decides to indict named Russian officials, six, probably more, for activities like this.
A couple of other buckets just to mention quickly. One is sanctions. We have seen sanctions imposed by the Obama administration. It’s something Congress has been very interested in, and it has enacted laws related to sanctions imposed on individuals associated with the election interference. That is another way to make people feel pain in their pocketbooks, through their business opportunities, and so on.
A fourth category, intelligence sharing. We and our NATO allies—Germany, Italy, the Brits, lots of these countries, Montenegro—have experienced election interference. So there are, I think, important ways in which we can share with our allies and they can share with us what are we seeing, what tools are being used, what are sort of the new iterations of tools we’ve seen before, and come together and think a little bit more coherently about how we can respond, both in cyber and in information operations. I understand that NATO has created a Center of Excellence related to counterpropaganda. So that is another kind of positive place where we can put our heads together and figure out how to manage this.
And then the fifth bucket is countermeasures. So what I’ve described is all sort of fine and good and well-recognized, and at least public. Are there things that we can and should be doing less publicly? So, to take a non-Russia example, North Korea engaged in a hack against Sony. Reports suggest that the various media companies in North Korea were forced offline for some period of time. I have no internal knowledge about what happened, but you might speculate that the United States made it difficult for those media companies to get online for some period of time. So there’s this other bucket of activities, a toolkit that the U.S. government could and probably is thinking about using.
FARKAS: Well, thank you very much to both of you. I think there’s a lot in there for us to process.
I think I want to start with the United States and United States resilience. And it does relate to the legal realm, because in some—in some sense we need to be legally resilient as well as being resilient as a culture to false information and to cyber operations—and ready to also take action, but I’ll get to that in a second. But in terms of building resilience, one could argue, well, it’s easy in the Swedish context because it’s a small country, you all more or less can find some common ground on—
NYBERG: You mean the Finnish case? (Laughter.)
FARKAS: Sorry, what did I say?
FARKAS: I’m so sorry.
NYBERG: It’s almost the same. (Laughter.)
FARKAS: That was a terrible mistake. I’m so sorry. On the—on the Finnish case.
But when we’re talking about the United States today, we have a very divided political arena. We have, unfortunately, I would argue—although I haven’t seen any data on this, but I have seen reporting indicating that our civic—our civic literacy, if you will, is lower than it—certainly than it should be, and perhaps lower than it has been in the recent past. So you’re dealing with a landscape that is perhaps not similar enough to Finland’s landscape. Can you comment a little bit about what lessons you might draw from your country’s experience that could be relevant here? And what are the steps we need to take, even if some of them are more long term? Like, obviously, improving civic literacy, that would take—that would take action along the educational front, which would take some time if you’re starting with primary education.
NYBERG: I liked very much the comments of Clint Watts at the—at the second panel, where he made a couple of important principal points. The first is we don’t—I mean, the answer already in—during Soviet period was that we do not have a propaganda ministry. We don’t play—use the same playbook back. We don’t—we don’t act this way.
And it’s also important—and this is very much in our case, but also it’s also that this should not be anti-Russian. It is—it isn’t—it’s a larger problem. And we should also remember that—it was Thomas Rid who said that—this is, of course, pre-social media—even hacking or breaking codes, et cetera, stealing—reading other people’s mail, this is not a new phenomenon. It’s done on a—on a different scale and different methods today.
But I’m a Russia hand, and I’m actually reading a book now—transatlantic flights is good for big books—I’m reading Stephen Kotkin’s “Stalin: Waiting for Hitler.” I have 700 pages to go. (Laughter.) It’s a—and he has a wonderful example, which actually is worth quoting, and that was the famine which ravaged Ukraine and even more Kazakhstan in the 1930s. In 1932, the Russian media was not allowed to use the word “famine,” “golod peruski” (ph). But they did publish a thing about famine, saying that there is famine in Poland. The starvation in Poland, it’s not a crisis, it’s a catastrophe. In Czechoslovakia, the villages are dying. In China, hunger despite a good harvest. And the United States, bread lines and poverty. So this is—there is nothing new about this.
But the question is here that Soviet propaganda had a very low credibility. Its effects in the West were actually very, very—at the end, there’s no effect at all. But Soviet propaganda failed also to convince its own population later, in the late period of the Soviet Union. The situation with Russian propaganda is different. They’re much more—smarter.
And this is—and this is, of course, the—this is, of course, the challenge. I’m not an expert on cyber, on the technical part, but there’s an interesting thing is there are hybrid operations where information operations come in. We had a case in—case which was quite exceptional or quite sensational in the fall of 2015. All of a sudden the Russians let third-country nationals, without documents, cross over to Norway. Five thousand people crossed over. After that, 1,000 crossed over to Finland. The just—the only—the only reference you can make about this, they just could not resist playing with a scare of the migration crisis in Europe.
FARKAS: I think your foreign minister at the time called it the same term that we had our military officials calling it, the weaponization of refugees, yeah.
NYBERG: Correct. It was absolutely that. And, but it was also accompanied by a media campaign. It died down. And one of the—maybe the only really effective argument we had with the Russians was asking them: Is this the view—the view you have about your border, that you allow criminal (schlepper ?) organizations operate on the Russian border? And this border is the best border. So we’re facing all kinds of very different things. And this is why—this is the reason why the Finnish government put up something, which was mentioned in the earlier panel, the European Center of Excellence for Countering Hybrid Threats. The government is also working with the university—Harvard University on this. So it is educating our people, informing the people, and also kind of trying to analyze what is going on, but not playing the playbook back.
FARKAS: That is an interesting example, which we don’t have time to get into in too much detail, but I do think it’s interesting to note at the same time that this was occurring—that these refugees were basically being told to go to the border and cross into these Scandinavian countries—we had the big refugee flows, which were already a problem for the Europeans, coming from Syria, and from Afghanistan, Africa, et cetera. So the Russian—the FSB was essentially, as you said, opportunistic. And I think that’s important to note, again, because they will be opportunistic.
However, in this case, it didn’t actually work. And in part it didn’t work—we don’t—many of you probably don’t even know about it. And in essence, that was also a failure for them, because had there been a greater hue and cry in your country, and then of course regionally and internationally, the Russians may well have succeeded in obtaining their objectives, which had nothing to do with the refugees, per se. It had more to do with having us fight one another, European countries fighting one another, fighting Russia, fighting across the Atlantic.
NYBERG: And passing the message that we can harm you.
FARKAS: Right. And in essence—in essence some—
NYBERG: It’s kind of—kind of flagging that this is—watch out, we can harm you. But there’s one point which is very important, and this is the borders. There’s no country that can control a border without a partner. Think about Russia and the Chinese border. And I won’t speak about the Mexican border.
FARKAS: Thank you. (Laughter.)
NYBERG: Think about the—there’s no way you can control a border without a partner. And violating this and playing with this is not something which is forgotten. So they didn’t achieve their aim. On the contrary—on the contrary, left a very bad taste.
FARKAS: Yeah. Yeah. So, Ashley, if you could comment on the first question, and then also, obviously, the legal—resilience from a legal perspective. And also, earlier in the—in the green room you mentioned sort of future threats we might face, like tampering with information. If you—if you could—I hope I’m not asking you to go too far forward, looking at what we might face in the future and how we can respond, from a legal perspective.
DEEKS: Sure. So on the—on the resilience point, I mean, I guess one way to think about a resort to NATO and sort of the likeminded democracies there, is a form of resilience, right? It’s a form of employing existing tools. And we understand each other very well. We know what each other’s capacities are. We have all sorts of fora that currently exist. So, and we have—we’re all experiencing similar, though not identical, challenges. And so that might be seen as one form of resilience. You might also even cast the use of the existing tools, such as the ability to impose sanctions or the ability to indict for hacking, as a sort of form of, look, this might seem new, but we know how to deal with some of these challenges. And so we’re going to use what we have right now, maybe until—unless and until we can figure out a better way to do it.
We did talk a little bit. I was—I was in part stimulated by a question from the last panel, which is we’re thinking about the most recent past threat, challenge, the disruption to the elections, the information operations, the abuse of Twitter and so on. But what’s next? What else should we be worried about? And one thing that I’ve been thinking about some in my own scholarship is the misuse of things like fake videos, fake audio. Machine learning is making this increasingly realistic, easier to do. And I think it’s easy to imagine how a country like Russia, that wanted to stimulate a military action by the United States against another country, could use fake video to do it.
So, for example, it creates a fake video of Kim Jong-un saying, OK, time to move the missiles to the launch pad, and feeds that into a feed that our chairman of the Joint Chiefs receives. And the chairman says, oh my God. Here it goes. And you sort of send a country down to war against a country that is not actually about to attack you, because you have used these increasingly sophisticated tools, such as fake video to do it.
NYBERG: It’s been surprisingly successful, this source-checking things. Think about the organization called Bellingcat. People who are not providing information, but checking facts, and how they’ve been pinpointing, for example, the downing of the Malaysian aircraft over Ukraine. That is one of the most damaging examples of what has happened in Ukraine, which is a war of attrition, as we know. So they’ve been doing things where this kind of videos would be—can be very quickly identified as fakes, and using geo-positioning and all that—very sophisticated tools. And this is a NGO. It’s not government. It’s not a government job. I know there are a couple of Finns who are—Finnish nationals who are working there. But Bellingcat is really something. I mean, it’s one of those things where you realize that the—that the society can act on its own. Civil society is not—doesn’t take it.
FARKAS: Yeah, I was actually going to exactly make that point. I mean, I think there is a role here for civil society, for active and interested citizens who are doing what the Bellingcat folks are doing, which is essentially contributing to the investigations into the shootdown of the Malaysian airliner over Ukraine in 2014. And, interestingly, that’s another case where the law is being used—international law is being used, because the investigation has implicated Russian actors. And they will—intelligence officers, who will probably be facing some sort of retaliation legally, at least if you believe the Dutch government, which had the largest number of citizens who lost their lives in that—in that attack.
If I could—we’re about to run out of time, but I do think it’s important to think about defense, retaliation you mentioned, you know, actions that we could take to retaliate. Clearly resilience is an important part of the equation. The only thing I worry about is when we’re talking about a country like Russia, unlike China which still has demonstrated that they believe in the international order, they are not acting counter to it, they’re not trying to remake the rules of the international order or to challenge the existing frameworks.
In the case of Russia, there’s a real danger that we can’t turn them back from their very disruptive activity and bring them into line with legal norms until, again, the cost gets sufficiently high. So until we threaten them, which brings with it some kind of danger for us. And what I mean by a threat is, you know, we threaten to take out their military cybernetworks, or something like that. Or we take them offline, you know, as a—similar to the example you gave, Ashley, of North Korea. So the danger with Russia is that we may have to bring the situation home to them in a way that makes it dangerous and increases the risk of escalation.
So, with that rather negative and alarming comment, I would like to open it for discussion. There are a couple ground rules. First of all, everything has been on the record—and I should have reminded you guys as well. But for the members, everything is on the record. We would love your questions. We ask you to raise your hand, and then when the microphone comes to you, and we need you to speak into it, give your name and affiliation.
Q: Larry Garber, Digital Mobilizations.
I’d like to pursue the international law piece, because that’s intrigued me. And how—I mean, do you think it’s possible, with the Russians, to be able to develop norms, particularly with respect to election intrusion, that would be comfortable both for us and for them? And particularly, isn’t—in a sense, that’s what Putin is looking for, which is norms that would prevent us from undermining his domestic politics? I mean, he doesn’t like us—you know, whatever we may think of it, he thinks of it as a—and his colleagues think of it as, you know, our seeking to undermine his elections and his presidency. So is there really a common ground that we can get to in terms of international norms, or would we be just playing into the Russian game. And in that regard, the alternative that you proposed of, you know, sort of likeminded countries getting together, a more productive approach.
FARKAS: I’m going to channel Angela Stent, and take that prerogative, and then, if I could, turn it over to Ashley first for the legal and then if the ambassador has anything to add.
So I think the problem with Putin is—I agree with you—that he sees us as a threat to his government and to other governments, like the Assad regime. He sees us as meddling internally, all of the things that we do to fund Voice of America, Radio Free Europe, you know, across the board, he sees as internal, you know, meddling. And so therefore, he can justify what he did to our elections. I don’t agree with that perspective, but I understand it.
The problem is, while that might make you think that there’s room for negotiation, it’s very difficult with Putin because we’re at a point where he really doesn’t trust us, and I don’t know—and, again, I would love your thoughts on who he would trust, or which institution, or which constellation of actors he would trust. Because when it comes to the United States, if we’re in the lead that, to Putin, is not going to—it’s not going to deter him, and it’s not going to put him at ease, if you will. Ashley.
DEEKS: So it’s a good question. Obviously when you’re sitting at a table negotiating with somebody, you have to think not just about what you want from them, but what you’re willing to give up as well. And I don’t think this is true recently, but historically the U.S. did interfere with other countries’ elections. There’s a long history of that. So that would drive some of the skepticism that Evelyn just mentioned. I am—I am not a Sovietologist or Russian expert, but I would think that there could potentially be common ground about a very narrow and concrete norm that said, for example, we will not interfere with the operation of election machines to switch the votes as they actual—the actual hardware. We will not tamper with those things.
Would we be willing to agree to a norm that says we will not try to influence any other state’s election ever? No. Right? I mean, because that is a very broad norm that would include not funding NGOs that were trying to assist in democratic elections and so on. I think it would have to be a very narrow norm and it would have to be a specific norm. But if the norm were: We will not literally hack foreign election machines, I think we could get on board with it. And I don’t know, but it’s possible that the Russians might be willing to get on board.
If not, then how does the likeminded conversation go? Well, you could develop a slightly broader set of norms, I think, that people would agree with, that might include, for example, not interfering with narrowly defined critical infrastructure during peacetime. But then the question is, well, OK, that’s nice. You and NATO countries have all agreed on this norm. How does that impact the Russians? Will that affect their behavior at all?
And I guess what you have to—I think maybe you have to take a long-term view here, which is if we think that that is a proper norm to develop generally, then we should try to start developing it with our allies. And maybe at some point we have 100 countries signed onto it. And at some point on the margins that could affect Russian behavior. It could also affect how others react to Russians when they engage in that. But it is a much softer move.
Finally, I’d just say, in the bilateral context, there will be suspicions on both sides because questions of attribution are very hard in cyberspace, and questions about enforcement are hard. So that is another—those are two other things driving, I think, a difficulty in concluding a narrow bilateral agreement.
FARKAS: Yeah, sorry, that’s what I was interjecting to say, enforcement of course would be a problem. Yeah.
FARKAS: Mr. Ambassador.
NYBERG: Let me take this to another level, and say that for—we have a situation where—this all boils down to Ukraine. The relations between the United States and Russia, and the relations between the West—the European Union and Russia are at its low point since the Cold War. So it all boils down to the war in Ukraine. It’s not a crisis. It’s a war of attrition going on. It’s Crimea. It is the catastrophe of Donbass and all of that. And before you can—before you see any progress on that, I cannot imagine anything meaningful discussed on—look at arms control. Just look at the—we all know that it’s the INF and missile defense, and all of that. Nothing moves, and will not move, before these—before we have a new situation.
Then the question is, is this regime in Russia—is Mr. Putin, who will be reelected in March 2018, is he able to change his policy on Ukraine? This is—this is the biggest question I have, because it is definitely his biggest mistake that he went after Ukraine the way he went. And one of the effects is that he created a Ukrainian national identity. And what you have is a real country. Ukraine’s a real country. It’s in great difficult days, but it’s a real country. So I would—I would say that cool your heels. (Laughter.) There’s not much you can do before the real issue is solved. And the only way to solve it, is to start really negotiating.
FARKAS: Yeah. And I think that goes to the point that I was trying to make about it’s very difficult with this current government, given the fact that they really have an adversarial perspective on the United States and the West. And certainly, Ukraine is at the crux of our disagreement with Russia. I would say our arms control issues are separate, but if you can’t negotiate with them about Ukraine, and if we have this—if we’re at loggerheads with the Russian government, it’s hard to imagine negotiating cyber agreements.
However, I will say that the possibility exists, if you can get significant other actors involved. So, for example, China, India—China, in particular, is interesting, because for the Russians, who are more strategically minded, who can see beyond Putin, they recognize that the challenge for them will be managing their relationship with Russia. And so if they can eventually come together with the United States and Europe in deterring, you know, very bad cyber acts from the Chinese, that would be in their long-term strategic interest. We just have to get through these remaining Putin years—(laughs)—it seems.
OK, any other questions? From the front here, Ashley. I mean, Audrey. Sorry. (Laughs.)
Q: Hi. I’m Audrey Kurth Cronin from American University.
This panel is speaking very much in state-centric, nation security kind of language, which is what we do when we talk about cyber versus social media or internet. And yet, this is all part of the same problem. So how do you deal state to state when you’ve got a whole range of actors in gray areas—everything from Chinese so-called volunteers, to Russian private companies that are behaving as trolls, to individuals in social media, to this whole range of actors that the state either doesn’t completely control or doesn’t completely admit to control?
FARKAS: That’s a great question. And if I could sort of add onto that question for Ashley first, and then the ambassador, because what we see in the Twitter world is not only do you have bad Twitter actors—non-state and state actors—but then quite possibly states countering them. And so the issue of now whether it’s bad to have a fake bot gets polluted by the fact that a good state could have a good bot. So, Ashley, if you could address that from the legal perspective, and then the ambassador.
DEEKS: So I guess two thoughts. One is, obviously, the closer that these private actors are to the government, the more we’re thinking about them as just proxies for the government. You noted there are potentially some groups of private individuals who are coincidentally acting in the same way that their country might wish them to act if they weren’t actually a proxy.
FARKAS: Or terrorists. I think she had in mind the terrorists.
DEEKS: Yeah, oh. So I guess the way that I think the U.S. government has been thinking about it is, as evidenced both by, I think, its statements and its indictments is, it’s happy to indict both, right. It’s happy to indict state officials, it’s happy to indict private actors who are hacking. And I’ve seen some indictments where it seems like both are captured within the same indictment. So we have domestic criminal tools to punish things that cross the line into criminal acts.
So then I guess there’s this other complicated question about the United States itself as a source of bots, including bots that then go and operate in other countries. So if we say to another country we want you to stop bots emanating from your territory and affecting things here, they’d say, well, we’d like you to do the same thing in response. What would that require? Well, my understanding is that would basically require the National Security Agency to be inside all of our networks, monitoring what’s leaving our networks, which is incredibly problematic, and civil libertarians hate that idea.
So I think that’s maybe in part why we, as an interagency, have sort of gotten stalled out on thinking about how to manage that problem.
NYBERG: These privates are probably either proxies, they’re loonies, or they’re terrorists. This is the three categories that come to my mind at least. (Laughter.) You have to fight them differently. And one of the things is you have to fight anonymity. I very much agree on what was said in the panel before us about the (eggheads ?) and others.
So I don’t have much of—I don’t have any specific things. The idea of censorship is, of course, a touchy issue. And a government and a state has to protect itself and it has the right to defend itself. And this is—this is—these are the legal issues which are burdening and how do you do that.
For example, in Germany, there’s an open debate today about hack-backing. And Ashley referred to the Sony case as an example. But in Germany, the question is that, who has the right to hack back? Most of the—most of the Western governments and their agencies have the physical and technical means of doing that. But you also have privates who are quite powerful. So do you want—do you want a private actor to be the famous, be the big player, like Facebook or Google, to start its own private war by hacking back?
But in Germany, this is an issue which is now—which is now a question of, on what premises, who can allow, give the rights to hack back? It has to be—the thinking is very much states’ thinking, that it has to be the security services or the armed forces, which is almost the same thing as business.
FARKAS: Thank you.
Let’s go to the back. There’s a hand in the center there.
Q: Hi. Elmira Bayrasli from Foreign Policy Interrupted.
Just to dovetail on that last question—and the ambassador just mentioned, does Google have the right to hack back—Google, and moving away from, you know, Russia and hacking, the reality is Google and Facebook are taking essentially foreign policy decisions. If you take a look at what Facebook has done, whether it’s in Israel and Myanmar, with Free Basics in India or in Africa, I mean, they are taking foreign policy decisions, whether they know it or not. And I personally think that they’re not aware of it. Google, when they went into China in 2006, that was—that had foreign policy implications.
Ashley, I’d love for you to talk a little bit about, how is the U.S. government engaging with Facebook and Google, which are clearly recognizable actors, and how do we actually make these businesses realize that they are—they have foreign policies and that they need to be engaging on the policy spectrum?
DEEKS: So it’s a fantastic question and one I don’t have a good answer to. I’ve not been in government now for about five or six years, so I don’t have sort of great visibility into it. There was a lot of reporting at the tail end of the Obama administration about lots of trips from the National Security Council out to Silicon Valley to have conversations. I assume some of those conversations touched on this, although I think they were more focused on how do we suppress ISIS’ use of Twitter than about the foreign policy implications.
But it’s a great question. And a couple of years ago, I heard an individual who worked at Facebook describing the types of legal assistance requests they received from foreign governments. So he was using India, I think, as an example. And he said, well, we get these requests and we try to figure out if we should comply with them. And one of the things that we think about is, is the system, is India’s systems, consistent with the International Covenant on Civil and Political Rights? And I thought, what? That’s the assessment you’re making? So that is an assessment that we would expect U.S. government officials in the, you know, Democracy, Rights, and Labor or the Legal Adviser’s Office to be assessing; and yet, they are basically forced to make those kinds of analyses. And that’s a sort of international law analysis, not just a foreign policy analysis.
But I think the question really surfaces this really important point that actors—maybe 30 years ago, most of the international exchanges about foreign policy were government to government. And now, because of the size of these companies, the kinds of decisions they’re making on the foreign policy stage carry these very significant foreign policy implications, not just for the company and the receiving country, but also for all of us, for the U.S. foreign policy as well.
NYBERG: The only thing I can say is that foreign policy is mostly the privilege of the governments, but it’s not the monopoly anymore in the sense that you can’t do anything, and especially in our societies, our free societies, and civic societies. I mean—I mean, you’ll break rules if you start using—if you start using force. But otherwise, I mean, it’s very difficult to do.
I defer to what Ashley said. I can’t—I can’t imagine that the government could, I mean, could interfere with nongovernmental organizations, which can be very big and very powerful in this sense.
FARKAS: I think I would venture to say, just based on my conversations with executives from—I won’t name the companies—but anyway, with companies like Google, that they, for a long time, have had a—some of their executives for a long time have had a sense that they are operating in foreign policy waters, but it was beneficial to them to not discuss this publicly. Now they’re forced to discuss it more publicly, and they cannot act sort of on a case-by-case basis anymore.
And that’s the problem, because even, as we know, the U.S. government has trouble being consistent across the board when it comes to national security and other threats that we have to deal with. So you can only imagine what a corporation with just a few people inside the corporation who understand how the U.S. government would approach it are facing.
So I think that is an excellent question that you should let David Sanger and Senator Burr struggle with, because it really is at the crux of, how far does the government go now to regulate or partner with these big companies, which, in effect, we have allowed to accrue this amount of power?
We have time for a few more questions, so let’s take from the front row here.
Q: Dee Smith, Strategic Insight Group.
I would like to ask you what you think the strategic goals of Russia are in this whole area of information operations. Are they attempting to get specific policy things happening, to get specific people elected? Or are they simply attempting to sow social decohesion within countries and sow international decohesion in organizations like NATO in Western Europe?
FARKAS: OK. I will channel Angela Stent, but I will follow you, Mr. Ambassador. Or I’ll channel myself, too. (Laughter.)
NYBERG: Thank you very much. I think Russia is a siege fortress today. They’re isolated and they’re self-isolating themselves. And just think about the decision taken yesterday that Russia will not be able to participate in the Winter Olympics. I’m not questioning it or talking about why it has happened. But you can imagine what it means for how it is received in the population. It is something which people are—they will—they feel insulted.
So we’re talking about a country which is—which is—which is not as powerful as the Soviet Union used to be, but it’s a big one. And it is a country, the only which is—which is—is a nuclear superpower like the United States. So this is a—this is a country which feels itself—feels itself under attack, which is partly not—which is only partly correct.
So what they are using—they have a long tradition of—they have a very, very strong mathematical tradition. They’ve been breaking codes since czarist times. They were one of the best during World War I. They read in real time British cables during World War II. This is nothing new. They have one of the largest organizations on this.
But what they are—they feel—they’re directing their anger today towards the European Union, which they dislike as an organization, they dislike the idea that there is something like the EU. You can’t—there’s the famous Henry Kissinger question about what’s the telephone number of the European Union. And they dislike, of course, the United States, which is—which is—which is—which is historically it’s very strange because that was the model for Stalin. I’m referring to Stephen Kotkin’s wonderful magisterial biography of Stalin. That was the model for Stalin of reindustrializing the Soviet Union.
So it is—it is—I don’t think the motives are very strategic. There’s a lot of—a lot of defensive thinking and feeling, feeling insulted and not admitting that you’re the underdog, although, you know, you’re the underdog.
FARKAS: So I will add to that as well, though I’ll note that Stephen Kotkin just called and he said he’s going to offer you some of the royalties for sales from CFR members.
There are three things essentially that this Kremlin wants: One, to maintain its hold on power. Two, to remind the world that Russia’s great, to demonstrate that Russia’s great again. That’s now related to objective number one because Putin got into power on an economic platform; he’s staying in power based on making Russia great again, so nationalism. The third one is pushing back against the right to protect or the international community’s right to intervene in states to change their regime. That’s also related, obviously, to his desire and to his cronies’ desire to hold onto power.
How does that affect the United States? What does that have to do with the United States? It’s because the United States is the only power that can threaten those three objectives that Vladimir Putin and the Kremlin have.
So what would he like? He would like a weak United States that’s unwilling and unable to push back against Russia, to counter Russia’s revanchist, anti-status-quo international agenda.
Do you want to add anything to that, Ashley? OK.
On the aisle there.
Q: Hi. Joanne Young.
I would like to understand better how a country like North Korea, which is so backwards and so, you know, isolated—
FARKAS: I’m sorry, Joanne, your affiliation?
Q: —yeah, I’m sorry, Kirstein & Young—how that country can field the kind of hackers that are able to infiltrate a company like Sony. And when you talk about hack back, why is it that we can’t go back and literally seduce these hackers and deal with the threat that countries posing nuclear threat, through, I guess, hack-backing? Because it would seem to me that, I mean, first—I guess I’m asking two questions. How do they field that kind of sophistication in such an isolated regime? And why can’t we hack back and undermine that effort?
FARKAS: OK, I can answer a little bit of the North Korea question to get us started and give you guys a chance to collect your thoughts, because I did work on North Korea from the vantage point of my previous jobs I held in Congress and on the nonproliferation agenda, looking closely at North Korea.
And for them, it’s a matter of national priorities. So they’ve put their resources where they want them to be, which is in developing cyber capabilities. Obviously, we know about their nuclear program as well. They have been able to partner with other countries, potentially also with other individuals from countries to help them.
In some part, the United States even has a role to play because we’ve provided some cyber education to North Koreans, obviously not intended to build their cyber offensive and military capability, but nevertheless, as part of our engagement with them. And civic organizations have done the same. So for North Korea, it’s essentially a priority. And so they’ve put their limited resources towards those priorities.
Ashley, maybe if you could start because there’s a lot in there for you.
DEEKS: So you asked a question about hacking back and why can’t we seduce those who have hacked in. So just to be clear about what hacking back is, generally the idea is—let’s say it’s a private company has had some of its intellectual property stolen and extracted from its system by a hacker and taken to another system. So hacking back would be tracing the hack that removed the intellectual property and retrieving it from a foreign computer, right? So it’s generally a sort of, at least at this point, conceived of as a sort of modest retrieval of property that you’ve taken from me, not necessarily a kind of propaganda or attempt to influence the loyalties of the person who is engaged in the hack.
Can we hack back? Well, I mean, I guess we’ll ask who the we is. Conceptually, the U.S. government has the capacity, often, to identify the hacker, to attribute and to trace it back. The hacking back we were talking about a little bit earlier was a question about whether the private company itself that has been hacked has the legal authority to go and retrieve its items?
So why don’t we—to the extent it’s something the U.S. government sees as its own problem, let’s take Sony, maybe it saw that as attacking critical infrastructure, produced real damage on the ground, and we had good attribution, significant enough that the U.S. government, say, wanted to sort of retaliate.
I think the government has been quite cautious about doing things destructive in the cyber sphere, both for legal reasons and for norm-setting reasons. Right? I think there is very much a—we haven’t seen major, major cyberattacks on each other, even against countries that are hostile in terms of producing physical damage. And I think the U.S. government probably thinks it has a strong interest in not crossing that Rubicon.
NYBERG: Just a general observation of resilience, which goes beyond North Korea, but back to Russia, is, of course, that the real divide here is countries which are ruled by law or countries which are ruled by man. And for those countries which are ruled by man, they usually consider ruled by law to be—to be something—to be a sign of weakness because it takes a lot of time before decisions are made and all kinds of people who are unnecessary, participating in making decisions. (Laughter.)
But actually, that is the strength. And this is—this is—this is the—this is the real problem. Russia has a long history. It has Westernized and modernized during the last three centuries. And every time there’s a new ruler, there’s been a new push to modernize, et cetera. But it has never attained the level of rule of law. It was close to that in the very early ’90s and it had one period after Alexander II in the 19th century where independent courts were created and all of that.
So this is—I think this is one of the—democracy is not the word. I mean, you can define democracy in many ways. You can have—and you have all kinds of democracies. This rule of law, which is the basic thing, this is the deep divide which we have in the world. And it’s not only the West and Russia, a couple of other countries, too.
FARKAS: We have time for two more questions. Do we have two more questions? There—oh, and what we’ll do is we’ll bundle them. Oh, just one more. I’m terribly sorry, just one more. You can try to accost the speakers later.
Q: I’m Dave Cooper, I’m with a small business called Ivory.
My question is, it seems, going back to the Russian hacking of our election this year, come full circle, it seems this is very public now and acknowledged by our government. Did we miss an opportunity in norm-setting with the response we did? So did we do enough, or was it, in your view, a proportionate response? Or could we have done a lot more to help deter in the future?
FARKAS: OK. Let’s start with the ambassador and then Ashley and then I’ll close.
NYBERG: Well, I said in the beginning I don’t—there were three people who were surprised by the result of the elections. I have nothing to add to that. I don’t think the—the hacking was bad, but it didn’t sway the elections.
FARKAS: OK. Ashley, rather quickly. Because Marisa Shannon, who’s really in charge, is telling me our time is up.
DEEKS: Right. So President Obama was careful not to say that he thought it was an international law violation, that he thought it violated existing norms, but he didn’t say that it violated international law. And that actually seems right, at least the norms as they currently exist.
So maybe your question is more, should we have said more to try to announce that this should be a norm? I think then you have to think carefully about what kinds of things do we do in other countries to try to influence elections in ways that we think are legitimate, but might be seen through the eyes of others as not as dissimilar from what we saw in the Russia thing.
So I think he was trying, I think, to draw a line between what was unlawful versus what was problematic normatively.
FARKAS: And I think this is a perfect question for you to pose, David, for the session with Senator Burr. I think David Sanger is here listening, or he was anyway earlier, so he may have noted it himself.
There is—I want to just make one final comment before we close the panel and before I thank the panelists.
I think the real issue when it comes to tackling these problems is a need for international leadership. And this is where, whether it’s, you know, having the right response ahead of the time, after the fact, whether it’s getting—setting ourselves up so that we have no further cyber information operations exercised against the United States, we need a gang, if you will. And to get a gang, you know, to gang up against the bad guys, you need to have international leadership, you need to demonstrate leadership, you need to go out there and get all the good countries together and then figure out ways you can exercise leverage to get the ones that are grey, let’s say, like China, bad, like North Korea, bad, like Russia—I guess China, I don’t know, it depends on what the issue is, but never mind—just get everyone together. That takes international leadership.
So I will leave it on that note. Maybe Senator Burr will tell us how we can get that.
Thank you so much to the panelists. You stepped up to the plate, filled the Angela Stent void.
And thank you to Marisa for organizing this.
And thank you all for participating. (Applause.)