Computer screen with code.

A Strategic Response to the Russian Hacking Affair

December 22, 2016
Rolf Mowatt-Larssen

The correct starting point in responding to the alleged Russian cyber intrusion now dominating American headlines is not to call it "a cyber 9/11.” Such hyperbole will only incite confrontation between Russia and the U.S. at a time cooler heads should prevail. This is not to say the Russian cyber activity, if it took place the way intelligence officials believe, is not significant. Russian hacking constitutes a serious meddling in our internal affairs, but equating it with existential threats does not help matters. The World War II generation must be shaking their heads: They saved the world from a true existential threat, one that required U.S.-Russian cooperation to achieve victory. Current cyber challenges call for a well-crafted, multi-pronged, long-term response, not a hasty, emotionally charged escalation that will provoke a U.S.-Russian tit-for-tat that benefits neither side. Paradoxically, the whole affair may have a silver lining if it provides an opening to devise some rules of the game that have been painfully missing from the cyber realm—an outcome possible only if we keep a realistic view of Russia’s perspective. 

Despite rising U.S.-Russian tensions, there is breathing room for de-escalation that both sides should pursue. The Russians have consistently expressed interest in addressing the void in international protocols and agreements governing the use of offensive cyber operations, if for no other reason than they recognize that they are also very vulnerable to such attacks. They express this interest, as they have historically, through their actions and in their comments to U.S. officials. The latest hacking affair has been a stark reminder of the lack of “rules of the game” that govern other forms of espionage—unwritten rules that have been set by precedents over decades of intelligence confrontation between U.S. and Russian spy agencies. 

These implicit understandings ensure intelligence matters do not impact negatively on broader U.S.-Russian relations. For example, there are historical precedents that have determined how the U.S. and Russia choose ways of handling the arrest of spies, ways of handling defectors and the standards of evidence that can serve as a basis for determining reciprocal action, which can be summed up with a phrase from the Russian espionage vernacular, “catching a spy red-handed.” This standard of evidence of unacceptable activity should include the presentation of unambiguous, concrete proof of the alleged activity. Similar rules need to be adopted for determining what is “acceptable behavior” and what is not in the cyber domain, which has emerged as a new battleground between spies. 

The U.S. does not come to this table empty-handed. For years, the U.S. has proclaimed its own "cyber dominance.” Its mastery in the cyber domain was confirmed by Edward Snowden’s defection and the revelations he presumably carried with him to Moscow. Like all major spies in the storied annals of espionage, Snowden has undoubtedly shaken the Russians to the core regarding the potential damage and reach of U.S. cyber capabilities. In short, Washington can discuss rules of the cyber game from a position of strength.

Bearing our mutual vulnerabilities in mind, the U.S. policy-level response to the hacks of the Democrats’ computer systems should focus on developing a cyber strategy with deterrence as its centerpiece, not on resorting to the traditional U.S. retaliation of firing cruise missiles into a baby-milk factory, so to speak. In taking this longer view, the U.S. should resist the temptation to pursue ad hoc retaliation that will lead to further retaliation on the Russians’ part, as it historically has in such cases. The U.S. needs to stand up to Russian aggression not by threatening Russia, or by pronouncing that our republic has been compromised. Exaggerating the impact of this activity only plays into Vladimir Putin's hands by increasing the negative impact of the hacking activity on the target (the U.S.), and by setting a bad precedent in encouraging future offensive cyber operations by state and non-state actors. 

 In many ways, cyber means are no different than other forms of state-to-state competition and warfare, such as nuclear weapons, conventional weapons and espionage. However, in terms of their use in intelligence, they are generally more subtle than other tools of the covert influence trade. Cyber means are also largely untested and far from certain in terms of efficacy. Collateral damage is an issue, as are unforeseen consequences. The specific characteristics of the cyber world introduce elements into policy decision-making that are more difficult to control and predict than when using traditional physical levers of power.  

In the case of the alleged Russian hacking of the Democrats, there appear to be crucial aspects of the activity that were not entirely under Russian control. For example, there has been no evidence that Julian Assange and Wikileaks are controlled by Moscow. Without having direct control over the dissemination of the hacked information, how is it possible for the Russians to know if and how Wikileaks will use the information at their disposal, and for what purpose? Moreover, Russian intelligence cannot know if they were the only hackers of this information or if other parties gained access to it; neither can they know what other actors might do with it, now or in the future. Such uncertainties introduce the possibility that any actor can stage “false flag” operations to attribute a cyber intrusion to another party, perhaps in an effort to discredit one adversary with another. For myriad reasons, the burden of proof is problematic in the cyber domain. The bar is high in assessing the evidence of hacking activity. Attribution of an intrusion event has many facets: technical forensics, policy implications, political motivations. All must be examined independently and brought together in making final judgments.

Drawing on agreements that have successfully navigated U.S.-Russian relations for decades through the shark-infested waters of the Cold War, the U.S. should examine and address the broad implications of this attack and draft a comprehensive response for protecting U.S. interests domestically and abroad. In so doing, the U.S. should establish rules of the cyber game along three tracks: espionage rules of the game, using established liaison channels of communication; national cyber policy, with homeland-security defense of domestic interests and intelligence-community defense of U.S. national security interests abroad; and assessing proper forms and venues for initiating a process of negotiating cyber confidence-building measures and ultimately cyber constraints on an international basis.    

As a basis for initiating a dialogue between the U.S. and Russia, recent high-level Russian statements on the hacking affair offer a declaratory policy, of sorts, that touch on four key elements of a potential joint negotiation on cyber rules of the game:

  • The centerpiece of their emerging cyber doctrine is to not confirm or deny the use of cyber “weapons” in an offensive capacity. This studied ambiguity constitutes a Russian deterrence policy, of sorts.  
  • The second principle is to deny any Russian government intention to interfere in the domestic affairs of other countries. (Russia clearly perceives the U.S. not just as a cyber superpower but as one that has repeatedly harmed Russia’s interests and interfered in other countries’ internal affairs to the detriment of those interests. This does not mean Vladimir Putin is unwilling to negotiate mutual constraints, but the emphasis must lie on the word “mutual.”) 
  • A third element Putin and Russian Foreign Minister Sergei Lavrov have introduced in the media is the standard of evidence that should be applied to cyber espionage and/or intelligence influence, e.g., covert action or active measures. The burden of proof, as Putin and Lavrov have asserted, is on the U.S.; Russia is not obligated to defend itself against unproven allegations. 
  • A fourth doctrinal observation relates to what constitutes a proportional response in the Russian view and what does not. The Russian Embassy in Washington issued a statement on Twitter saying that “unbiased investigation of #DNChack would be a proportional (and logical) response to it. Threats or attacks against other countries are not.” (Lavrov, meanwhile, has projected calm in the face of White House promises to carry out a "proportional” response: “If they decide to do something, let them do it,” he said on CNN.)

It is worth noting Vladimir Putin’s response to the question everyone is asking in Washington: “Why did the Russians do it and what do they hope to achieve?” Back in October he said: “Everyone is saying, ‘Who did it?’ But does it matter that much? It’s what’s inside the information that matters. Hysteria started over the [allegation] that this is in the interests of Russia… Nothing in it is in the interests of Russia… Somebody needs to divert the attention of the American people from the essence of what was exposed by the hackers.”  

Putin is implying that the hacking and leaks did not have the impact on the election that the U.S. has ascribed to Russia—a point on which plenty of American analysts agree. He is also saying that the information itself is what damaged Hillary Clinton. The information was not planted or doctored by Russia. The truth is mightier than the sword, as the old Chekists might have said in conducting their famous “Trust” intelligence operation to crush political dissent after the Russian Revolution. 

But it is a serious question, and part of the response lies in analyzing U.S.-Soviet propaganda machinations during the Cold War. Even propaganda wars were guided by unwritten rules of the game. In this case, Russian hackers did not determine the influence the information had on voters. There had to be an independent actor with his own agenda, who would make his own impact: Julian Assange. The Russians assessed his vulnerabilities—presumably ego, persecution complex, worldview, etc. Wikileaks had its own motivation to act independently to make the information available to the public. Assange made the decision to leak the information; the Russians merely enabled him to achieve his own objectives. Each reader (voter) made a determination of its import. Russian intelligence operates on the principle of identifying vulnerabilities in its target and exploiting them. The Russians do not create the vulnerability itself; they simply exploit existing weaknesses, for which only the target is responsible. That, at least, is how the Russians see the recent hacking affair, in the context of prosecuting intelligence opportunities.

In moving forward on devising a strategic response to this set of intrusions, the U.S. should bear in mind that the Democratic elite is surely but one target of multiple Russian strategic penetrations of the U.S. establishment. There are others to be sure: politicians and Congressional representatives of both parties, government agencies, major corporations, prestigious think tanks. The only limitations in targets are their number and the utility in pursuing each. The U.S. is not Russia’s “glavny protivnik” (main adversary) in strategy and doctrine for nostalgic, Cold War reasons: Finding and applying asymmetric equalizers has become an urgent priority for the Russian special services as threats to Russia have increased while its power has waned after the breakup of the Soviet Union.  

Putin did not restore Russian intelligence to its former glory because he had served in the KGB; he did so because he recognized that intelligence provided him with a decisive advantage over his adversaries, foreign and domestic. Former Russian President Mikhail Gorbachev acknowledged as much in his recent Associated Press interview, in which he accused the U.S. of short-sighted gloating over the USSR’s collapse. In grudgingly praising Putin’s strong leadership, Gorbachev cited the missed opportunity for the U.S. to help Russia get back on its feet in the difficult years after the USSR fell, implying that relations today might be better had the U.S. not exploited a weak and dazed Russia. For both sides, it was personal. It still is. 

Considering the gravity of the accusations made against Russia, assertions made in the media without unambiguous, rock solid information cannot be accepted. A circumstantial, analytical judgment of Putin’s thinking and decision-making based on assumptions is not a sufficient basis to assess the Russian leadership’s plans and intentions. If we head down this blind alley, politically speaking, we should bear in mind that even if U.S. intelligence can establish beyond a reasonable doubt that the Russian intention in its hacking activity was to elect Donald Trump, which seems doubtful, it remains unknowable to what extent, if any, the Russian effort influenced the final election tally. And if we assume the recent hacks of the Democrats were a Russian intelligence operation, they continue to produce beneficial results for Russia to the extent that the U.S. is politically wracked by an internal divide. If Russian intelligence conceived this cyberattack as an intelligence operation, it remains for the United States itself to determine what to do with this Trojan horse the Russians have sent us.


Rolf Mowatt-Larssen

Rolf Mowatt-Larssen is a senior fellow at Harvard's Belfer Center for Science and International Affairs. Previously he served for three years as the director of intelligence and counterintelligence at the U.S. Department of Energy and, prior to this, for 23 years as a CIA intelligence officer in various domestic and international posts.

The opinions expressed in this commentary are solely those of the author.