Matthew Olsen served as director of the National Counterterrorism Center during the Obama administration and is an adjunct senior fellow at the Center for a New American Security. Edward Fishman served as a member of the secretary of state’s policy planning staff during the Obama administration and is a fellow at the Atlantic Council.
The West can breathe a sigh of relief. Emmanuel Macron has won the French presidential election, despite yet another Russian intervention in support of a candidate (Marine Le Pen) whose views are decidedly illiberal and pro-Kremlin.
But just because Russia came up short this time doesn’t mean that we can relax. On the contrary, the French election — months after a U.S. election marred by Russian meddling — demonstrates that cyber-subversion has become a central feature of Moscow’s statecraft.
Russia will continue to use hacking as a tool of subversion until it meets resistance. So far, Moscow has incurred minimal costs for its mischief-making. It’s time for this to change. The West must urgently adopt a strategy to stop this onslaught against democracy.
It’s easy to see why Russia has come to favor cyber-subversion. The West is poorly postured to defend against Moscow’s tactics. As open democratic societies, the United States and Europe cannot easily prevent Russia from spreading fake news and stolen information in public. “If they did not have press freedom,” a Soviet intelligence officer once said, “we would have to invent it for them.”
Additionally, our policies and processes on cybersecurity remain immature. This is not unusual for a rapidly evolving domain such as cyber-subversion, but it provides Russia with ample gray areas to exploit. The West has neither drawn explicit red lines on cyber-subversion nor designed a strong toolkit with which to respond, and the United States and our NATO allies do not yet enjoy as close cooperation on cyber-subversion as we possess on traditional military matters.
All of these vulnerabilities make cyber-subversion an appealing investment for Moscow. There’s no more efficient way to weaken the West than to undermine our democracies from within.
To counter Russia’s online operations, we should adopt a strategy that focuses on two pillars: deterrence and resilience. It’s essential both to discourage Russia from launching attacks and to harden our defenses for the next salvo.
Successful deterrence combines clear intentions and demonstrated capabilities. Put simply, we must articulate which Russian cyber-actions will trigger a response, and we must prove that our response will be very costly to the Kremlin.
The West can solve the first half of this equation by issuing a joint NATO-European Union declaration affirming that using cyber-subversion to undermine the democratic process of any member state will be treated as an attack against all. That way, the Russians will understand that the West intends to respond collectively and forcefully should their meddling persist.
The West can address the second half of the equation by agreeing to impose broad economic sanctions against Russia if its red lines are crossed. As a closed society, Russia is less vulnerable to political intervention than is the West. But Russia’s economy — feeble and dependent on the West — is an appropriate target.
The United States and Europe should go beyond the Obama administration’s approach, which directed cyber-sanctions at the actual perpetrators of digital malfeasance, and plan to hit Russia where it hurts most: in its financial, energy and technology sectors.
The United States and the E.U. should broadcast that continued cyberattacks will lead to sanctions against Russian firms in those sectors — and they should agree on measures in advance so that sanctions can be enacted swiftly when needed. If Moscow knows that electoral interference will cause one of its largest banks to be blacklisted by the West — a move far more severe than any taken thus far on Russia sanctions — it will think twice before launching its next attack.
Meanwhile, the West must make itself more resilient to Russian attacks. The Homeland Security Department was right to declare electoral systems “critical infrastructure” in January. But Congress must take it a step further. This begins with supporting an independent investigation of Russian cyber-interference in the 2016 election. The fact is that Russia tried to penetrate our election systems and influence the outcome. This is not a partisan issue. It is a threat to our national security that demands a thorough investigation.
Additionally, the White House should make it a priority for the government to share cyberthreat intelligence with the private sector. Many institutions that are critical to the functioning of our democracy, from media outlets to telecommunications firms, make tempting targets for Russia’s cyber-operators. They should not be expected to defend themselves against a nation-state foe such as Russia without proactive assistance from the U.S. government.
Social media companies such as Facebook and Twitter must also do more to prevent Russia from using their platforms as accessories of subversion. Facebook’s recent paper on information operations, which proposes ways to stem the spread of fake news, is a good start. The U.S. government should encourage these efforts, collaborating with social media firms to identify disinformation campaigns and to weed out fake news planted by foreign intelligence services.
With Le Pen’s defeat on Sunday, the West dodged a bullet. But if we proceed without a comprehensive strategy to counter Russia’s subversion, we may not be so lucky next time. The United States and Europe must act now to defend themselves against Moscow’s digital threat to democracy.