Cyberattacks can be annoying but don’t fit the description of war.
As Thomas Rid argues, there will be no war in cyberspace because we are unlikely to see death, injury and destruction — the violence 19th–century military strategist Carl von Clausewitz describes in his classic volume “On War.” Instead, cyberattacks tend to be information operations and espionage activities utilizing new tools. The December Ukraine power plant hack, the first to take down a complete power grid, is perhaps an outlier example because of the severity and potential harm the operation could cause.
We’re seeing more cyber conflicts, but the severity of attacks is restrained and non-escalatory. Some strategists suggest espionage is the second oldest profession — certainly information and deception operations are longstanding. Russian information warfare and U.S. attempts at cyberespionage are by no means new developments.
But here’s what is different: Cyberattacks do seem to work in a limited way if the goal is to steal information. My team’s ongoing research suggests that the great majority of cyberattacks are either espionage or disruption attacks — rather than classical coercive movements to compel the enemy to back down and alter behavior. When states do use cyber tactics to try to force a reaction, they generally fail. When states utilize cyber methods to harass, annoy or collect data, they can be successful.
What was Russia’s goal?
Russia regularly seeks to influence external elections and often succeeds. So if the goal of Russian proxies was to annoy and embarrass the DNC, mission accomplished. Debbie Wasserman Schultz resigned, and the first night of the DNC convention saw Sen. Bernie Sanders’s supporters charge the election system with collusion. But the information released to WikiLeaks demonstrates what we already knew, that Hillary Clinton was the chosen Democrat establishment candidate and these institutions exhibited a strong preference towards this choice.
If the goal of Russian operatives was to get Donald Trump elected or harm Clinton’s poll numbers, the operation likely will be a huge failure. The leak of DNC emails drew attention to the alleged Russian connections of both Trump and his top adviser — and did nothing but increase calls for Trump to release his tax records because he may have financial relationships with Russian operatives.
Trump himself joked about rumors that he had any connection with Russia and paradoxically pleaded with Russia to seek out Clinton’s “missing” emails. Yet evidence keeps piling that Russia is involved in this attack and this highlights the swift change in the cybersecurity discourse: No longer is attribution the key problem in cyber conflict, rather the issue is more about accountability. Can we hold someone accountable? Who authorized the operation?
While the cybersecurity research field is thriving, there has been minimal attention to decision-making investigations and the deep investigative research needed to understand government motivations. Just how involved was Putin personally? Did he direct the harassment activities or did Russia just unleash their thousands of proxies on a plethora of targets? It may be many decades before we have access to internal U.S. or Russian government documents to answer these sorts of questions.
The hack is a reminder about organizational security.
The general takeaway should not be that cyberespionage operations can change elections. The broader message here is the need to be mindful of personal and organizational security. Russia has successfully hacked U.S. networks, but the successes come through hacking third parties or individuals. In another famous case, third-party vulnerabilities helped Chinese hackers breach Office of Personal Management files in 2013.
Cyber defenses are complex, and cyber operations change at a dizzying pace. This leaves those in charge of critical networks with limited organizational capacity to protect these networks. While core U.S. military networks and governmental organizations appear safe, the Internet is so dispersed it is tough to plug all the leaks. But the diffuse nature of the Internet also points out another potential risk: The threat to civilians and critical systems can be incalculable and there can be no assurance that a targeted cyberattack would be limited only to non-civilian targets.
In short, the DNC hack/leak was nothing new, just Russia attempting its classical information warfare operations targeting the U.S. election. Nothing spectacular was released, and information we now have just confirms what many have long suspected. The academic question we have left is how to judge who is to be held responsible for malicious activities online — and determining just how effective these latest coercive endeavors prove to be.
Brandon Valeriano is a reader at Cardiff University and the Donald Bren Chair of Armed Politics at the Marine Corps University. He is the co-author of “Cyber War Versus Cyber Realities: Cyber Conflict in the International System,” published by Oxford University Press.