In the Wake of SolarWinds: Making and Breaking a Rules-Based Global Cyber Order

Actually trying to rig U.S. elections by tampering with the count online would be completely different and vastly more serious. It would be cyber sabotage but more dangerous even than the sabotage of infrastructure because it would undermine the credibility and legitimacy of the entire U.S. democratic process. Any such operation should certainly be regarded as an “attack” and should prompt strong U.S. retaliation.

Russia has certainly engaged in influence operations—though as calmer heads have pointed out, their impact appears tiny in proportion both to the immense mass of domestic U.S. political information and disinformation on the web and to the impact of revelations such as those of Edward Snowden. Russian intelligence did not however attempt to tamper with the vote itself. As the report of the U.S. Senate Committee charged with investigating Russian interference in the 2016 elections states in its findings, “The Committee has seen no evidence that any votes were changed or any voting machines were manipulated.” It is also worth pointing out that in this report, as in many cases, the actual words of U.S. intelligence services were more tentative than the way they were reproduced by the media and politicians: “Dr. Samuel Liles, Acting Director of the Cyber Analysis Division within DHS’s [Department of Homeland Security’s] Office of Intelligence and Analysis (I&A), testified to the Committee on June 21, 2017, that ‘by late September, we determined that internet-connected election-related networks in 21 states were potentially targeted by Russian government cyber actors’” [italics mine].

This leads me to my final point: that to be effective in constraining behavior, limiting disputes and maintaining peace, international conventions do have to be, to a reasonable extent, held and shared in common—and that applies to the U.S. as well as its rivals. Few things have been more damaging to U.S. and European hopes of a “rules-based global order” than the perception that the U.S. both makes the rules and breaks them whenever it sees fit, including in cyberspace.

U.S. audiences have a tendency to accept this, because of an instinctive belief that the defense and spread of democracy gives the U.S. rights that are denied to other states; but, of course, neither international traditions nor common sense allow any such assumption. States that see the U.S. behaving in a certain way—especially toward them—will most certainly behave in the same way themselves.

This applies in the first instance to actual cyber sabotage by states. By far the most effective use of this to date has been the Stuxnet cyber operation, attributed to but denied by the U.S. and Israel, to damage Iran’s nuclear program. In the Iranian mind, this has been linked—not unreasonably—with the Israeli campaign (whether or not aided by U.S. intelligence we do not know) to assassinate Iranian nuclear scientists. According to the New York Times, the U.S. has also planted “malware” in Russia’s energy grid in a way that appears to exceed what Russia has yet done against the U.S.: “Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid. But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.”

As a “deterrent” against genuine Russian attacks on the U.S., this may perhaps make sense. But this is precisely why we must be very clear indeed about what really constitutes an attack, and avoid loose and hysterical language on the subject. If the U.S. released such malware in response to a mere Russian cyber espionage operation, Russia would have every justification to turn to sabotage in its turn, creating a truly disastrous cycle of escalation.

A degree of balance and objectivity is also required in the area of political operations on the net. The U.S. maintains an overt international propaganda apparatus that vastly exceeds in scope and effectiveness anything that Russia or China can manage. The U.S. calls it “public diplomacy” and sees this machine as dedicated to propagating freedom and democracy. While this is true in certain parts of the world, my Arab students here in Qatar are extremely cynical on this subject—understandably enough, given the past and present U.S. record of supporting ruthless dictatorships in the Middle East. Like Soviet intelligence, the FBI and CIA in the 1960s and 70s also used “black propaganda”—the planting of misinformation to damage rival states and hostile political forces—on a large scale. (See the congressional report on the FBI’s COINTELPRO operation and this account of the CIA’s covert propaganda in the Cold War.)

Though it is not clear how active U.S. intelligence is in this area today, the past has obviously left a legacy of suspicion. In an ideal world, all states would eschew these tactics. In the real world, they will have to live with each other’s behavior—irritated no doubt, but without overreacting. Cyberspace increases the opportunities for influence operations of all kind—but it does not change the basic equations involved.