Michael McFaul, director of the Freeman Spogli Institute for International Studies (FSI) at Stanford University, and Amy Zegart, co-director of the Center for International Security and Cooperation at FSI where she also runs the Cyber Policy and Security Program, are also senior fellows at the Hoover Institution, also at Stanford.
In his last news conference of the year (and maybe last ever as president) last week, President Obama squarely assigned blame to the Russian government for stealing data from the Democratic National Committee and John Podesta, Hillary Clinton’s former campaign chairman, with the intent of disrupting our electoral process and helping one candidate, President-elect Donald Trump. Obama also promised to respond but left out details about how and when.
With days left in office, Obama has few real options available. But as a country, we must begin to have a serious discussion about our short game and long game for addressing cyberthreats, both from Russia but also other actors, foreign and domestic. We must improve our capabilities to assign attribution, respond to attackers, resist future foes and deepen resilience for when we are assaulted again. In the long run, we also should to develop international norms for regulating cyber-activity.
In the short term, Obama and his administration must do all they can to build the public case regarding attribution. Our intelligence agencies agree that the Russian government stole and publicized data to influence our elections.
But many still doubt these intelligence assessments, including one important naysayer, the president-elect. Just as he did in September 2009 to expose the Iranian nuclear weapons program threat, Obama must declassify as much intel as he can safely, without compromising intelligence sources and methods. (President Kennedy did the same during the Cuban Missile Crisis.) Before leaving office, Obama also should sign into law the Protecting our Democracy Act, which establishes a bipartisan, independent commission, similar to the 9-11 Commission, to investigate foreign interference in the 2016 election. The goal should not be to relitigate the past but to prepare for the future.
In addition to quicker and more public attribution, the incoming Trump administration must articulate a new doctrine for response, applicable to Russia and other actors with serious cyber-capacity. U.S. intelligence agencies are paid to collect information about foreign leaders, including embarrassing and valuable information that they would prefer the world not know. U.S. policymakers need to start by making clear that we intend to identify what information foreign leaders value and hold its public release at risk if they cross cyber red lines. Individuals named publicly in response to a cyberattack should also be targeted for sanctions, including visa bans, asset freezes and blocking designated IP addresses from accessing all U.S.-based websites.
The last weapon in our arsenal is a cyber-counterattack, meaning the destruction of an opponent’s cyber-infrastructure or other assets. Ideally, we could communicate our tremendous capabilities in this domain to deter aggression against us, without using our incredible arsenal of cyber-weapons, much like we do with nuclear weapons now. However, some demonstrations of our capabilities may be necessary to make future deterrence credible.
These responses carry escalation risks into physical and economic conflict: What happens in cyberspace is unlikely to stay in cyberspace. Response policy needs to take these escalation dynamics seriously. But given the rising cyberthreats we face, doing nothing in the face of direct interference in a presidential election is looking riskier. Accepting bad behavior is the surest way to invite more bad behavior.
The third and fourth steps for the United States are cyber-resistance, as well as resilience. We need to work on making it harder and costlier for any cyber-adversary to succeed against us. Right now, our voting systems are a mess. Many states have online registries and voting systems that are exceptionally vulnerable to hackers. Fifteen states, including large battlegrounds such as Florida and Pennsylvania, lack paper voting audit trails in at least some locations. Our national voting system essentially leaves many doors wide open for bad actors to get in. This system needs to be upgraded, perhaps through federal subsidies. As for cyber-resilience, we need to put systems in place to recover more easily and quickly from all major breaches, including those involving elections. Paper ballot audit trails are a start. So, too, is public education so American voters no longer assume that anything leaked is accurate.
Eventually, President Trump might use his promised détente with Russian President Vladimir Putin to develop and strengthen international cyber norms. “Though shall not use stolen data to influence elections” could be the first paragraph of a new U.S.-Russia or international agreement on cyber norms and regulation.
Russia has developed some of the most sophisticated cyber-capabilities in the world and could have done more to disrupt the 2016 presidential election. Russian hackers have penetrated Pentagon systems, State Department systems and White House networks, accessing sensitive information such as the president’s daily schedule.
Other nations, including China, Iran and North Korea, also have capabilities to wreak havoc in our democratic process if they so choose. Thankfully, they haven’t yet. But their capabilities will only improve by 2020.
So far, our country seems unwilling to acknowledge the basic facts about new cybertechnologies or our cyber-vulnerabilities, let alone take the necessary measures to attribute, deter and defend against future attacks. Trump has an opportunity to get cyber policy right. If he doesn’t, cyber-interference in future elections — in the United States and around the world — is likely to become more frequent and severe.