THE LATEST alert from the United States and Britain about Russian intrusion into computer networks contains alarming conclusions. Earlier warnings were issued about Russian meddling in social media, election systems, and energy, water and aviation controls. The new alert calls attention to Russian efforts to compromise network devices, such as routers, the heartbeat of the Internet. The alert says that existing network vulnerability, coupled with a “worldwide” Russian campaign, “threatens the safety, security, and economic well-being of the United States.”
How is the United States going to respond?
The alert says the FBI “has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.” In essence, the Russians have infiltrated the digital byways at giant data intersections.
Calling out the perpetrators is significant but not a sufficient response. We don’t know any cyberwarriors who gave up after a public scolding. Perhaps the perpetrators could be indicted, as a means of sending a message, as was done with China, but they are unlikely to be prosecuted. At the end of the day, the big questions are: Is an offensive cyber-operation called for, what would it look like, and would it effectively deliver the message that there are high costs for such malevolent intrusions?
Most U.S. offensive cyber-operations are shrouded in secrecy, making it hard to evaluate the risks or rewards of retaliation. But it is worrisome to see that, even after the April 16 alert, so little has been said by this administration about a response. Sanctions have been imposed for the election interference, but the latest alert suggests the Russian campaign went way beyond fake news on Facebook. It is also discouraging to see the top advisers on cyber matters and homeland security leaving or being pushed out of their White House jobs at this critical time. It takes competent people to make good policy and continuity in personnel to sustain it.
Separately, Microsoft, Facebook and 30 other global tech companies have rolled out a pact in which they pledge to work together to improve cybersecurity, striving to protect all customers from malicious attack, regardless of the source. They announced they will “not help governments launch cyberattacks against innocent citizens and enterprises from anywhere.” The significance of the initiative is that tech companies are beginning to see that they must work together and that a laissez-faire approach is untenable. Microsoft’s president, Brad Smith, has talked about creating a digital Geneva Convention. This may be the first building block in that direction. But as the companies well know, cyberconflict is raging and the bad actors are not stopping to check treaties or rule books.