On Feb. 13, America’s intelligence chiefs gathered before the Senate Intelligence Committee for the Worldwide Threat Briefing, an annual forum designed to discuss pressing national security issues.
Among the many topics covered, one brief exchange stands out. It occurred between CIA Director Mike Pompeo and Sen. Angus King, an independent from Maine. King began by lamenting the lack of a coherent strategy for deterring cyberattacks, especially from Russia:
Pompeo: …[Y]our statement that we have done nothing does not reflect the responses that frankly some of us at this table have engaged in …
King: But deterrence doesn’t work unless the other side knows it. The doomsday machine in “Dr. Strangelove” didn’t work because the Russians hadn’t told us about it.
Pompeo: It’s true that it’s important that the adversary know it, but it is not a requirement that the whole world know it.
Pompeo’s remarks suggest that the United States has already retaliated against Russia for meddling in the 2016 U.S. elections. This may seem like an appropriate response. But it runs contrary to the conventional wisdom that deterrence in cyberspace is impractical. Our research helps explain how the kinds of actions Pompeo gestured toward in his remarks might operate in practice.
The problem of “doomsday machines”
King’s doomsday machine reference captures the essence of what many argue is a critical impediment to cyber-coercion. The logic goes like this. Generally speaking, threats are useless unless you can detail the pain you’ll bring to bear if demands go unmet.
But this is a problem in cyberspace. Announcing specific kinds of attacks before they occur offers would-be targets an invaluable opportunity to patch vulnerabilities or shutter Internet connections. Because of this, the argument goes, cyber-intruders operate in the shadows, conducting attacks in secret and remaining anonymous indefinitely. Anonymity is fine, of course, if one’s goal is simply to steal information or cause virtual and physical damage. But it’s essentially worthless for coercion.
In a series of previous articles, we pushed back against the notion that perpetrators must — and do — keep their identities hidden indefinitely. To the contrary, we argued that states may willingly come clean after attacks to showcase their ability to do harm should a target continue to resist their demands. This doesn’t alter the fact that cyberattackers still operate behind a veil of secrecy. But claiming credit afterward can send powerful signals about one’s overall capabilities to potential adversaries, ultimately enhancing the credibility of future deterrent threats.
Building on this idea in a forthcoming article at the Journal of Global Security Studies, we identify two reasons why states that choose to out themselves in cyberspace might do so quietly, communicating only with their target rather than broadcasting complicity to the whole world.
First, states are fairly easy to retaliate against. They have lots of potential vulnerabilities, including most worryingly critical infrastructure: a high-value target often with minimal defenses. Second, the victims of cyber-coercion face powerful incentives not to reveal that they’ve been hacked. Working things out behind closed doors, so to speak, creates opportunities for prudence, helping avoid unnecessary and unwanted spirals of escalation.
What do we know about U.S. retaliation?
Which brings us back to Pompeo. We’ve seen a number of hints that the United States might retaliate against Russia in-kind as a way of deterring future electoral interference. Less than a month before the 2016 U.S. election, Vice President Joe Biden told NBC’s Chuck Todd: “We’re sending a message. We have the capacity to do it,” adding that, “[Vladimir Putin will] know it, and it will be at the time of our choosing. And under the circumstances that have the greatest impact.”
Some two months later, after the election, President Barack Obama echoed Biden’s earlier remarks, noting that “Our goal continues to be to send a clear message to Russia and others not to do this to us, because we can do stuff to you.” Obama made clear, though, that “some of it we do publicly; some of it we will do in a way that they know but not everybody will.”
Pompeo’s recent response to King suggests that the Trump administration is following this same course, quietly conducting cyberattacks against Russia to send a message that interference won’t be tolerated. If true, it stands to reason that Putin himself may be receiving the message loud and clear — but chooses to conceal this from domestic and international spectators.
The kinds of operations hinted at in these remarks are consistent with recent research by University of Chicago professor Austin Carson, who argues that covert measures like those pursued by Obama (and now the Trump team) limit the odds of unintended escalation. Our research suggests that such actions are not only credible because they are risky, as Carson notes, but also because they develop a state’s reputation for cyberpower. For this approach to work, though, states must ensure that enemies know who is responsible. Pompeo seems to understand this, based on his remarks.
Will it work?
There’s one big question, though: Will these efforts be successful? The short answer is that it’s too soon to tell. Even the clearest threats of credible pain may not be enough to deter actors from pursuing unwanted behavior. As recent relations between the United States and North Korea demonstrate, this problem transcends operational domains. Yet, the secrecy surrounding cyber-operations, combined with the incentives states face to keep quiet about coercive attempts, makes it unusually hard for outsiders to assess whether deterrence in cyberspace is working.
Here’s what is evident from the 2018 Worldwide Threat Assessment. The U.S. government, and the intelligence community in particular, see America’s ability to “hack back” as crucial for deterring future cyberattacks. The written report, signed by Director of National Intelligence Daniel Coats, underscores this point.
After identifying Russia, China, Iran and North Korea as the preeminent cyberthreats to the United States, the report concludes: “These states are using cyber operations as a low-cost tool of statecraft, and we assess that they will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations.” Remarks by Biden, Obama and now Pompeo all suggest that the U.S. government is thinking hard about these repercussions.
Michael Poznansky (@m_poznansky) is an assistant professor of international affairs and intelligence studies in the Graduate School of Public and International Affairs at the University of Pittsburgh and an affiliate of the Pitt Cyber Institute (@PittCyber).
Evan Perkoski (@eperkoski) is an assistant professor of political science at the University of Connecticut.