Despite probing and trolling, a Russian cyberattack is the dog that did not bark in Tuesday’s midterm elections. This is the assessment of the Department of Homeland Security, which says there were no signs of a coordinated campaign to disrupt U.S. voting.
This welcome news raises a relevant and important question: Were cyber adversaries actually deterred from infiltrating voter databases and changing election results? That was a very real fear in the 2016 presidential election.
In September, the White House unveiled a new policy aimed at deterring Russia, China, Iran and North Korea from hacking U.S. computer networks in general and the midterms in particular. National Security Adviser John Bolton acknowledged as much last week when he said the U.S. government was undertaking “offensive cyber operations” aimed at “defending the integrity of our electoral process.”
There aren’t many details. Reportedly this entailed sending texts, pop-ups, e-mails and direct messages warning Russian trolls and military hackers not to disrupt the midterms. U.S. officials tell me there is much more going on that remains classified.
It is part of a new approach from the Trump administration that purports to unleash U.S. Cyber Command to hack the hackers back, to fight them in their networks as opposed to America’s. Bolton has said the policy reverses previous restrictions on military hackers to disrupt the networks from which rival powers attack the U.S.
Sometimes this is called “persistent engagement” or “defend forward.” And it represents a shift in the broader U.S. approach to engaging adversaries in cyberspace. Jason Healey, a historian of cyber conflicts at Columbia University’s School for International and Public Affairs, says the administration’s cyber posture is the most significant change in this policy since 1998, when the Pentagon first defined what computer network attacks were.
Cyber offense is not new for the U.S. (remember the Stuxnet attack on Iran’s nuclear centrifuges). But those attacks, which were considered intelligence operations, were approved at the highest levels of the U.S. government. The difference now is that America’s cyber warriors will routinely try to disrupt cyberattacks before they begin.
This approach is also a form of deterrence, which is a peculiar concept when applied to cyber conflicts. Compare it to nuclear deterrence, where the objective is to never use the weapon: You nuke us, we nuke you. In cyberspace, the weapons are constantly being deployed. The efficacy of malware or implants in an adversary’s network deteriorates over time, because a hole or exploit can eventually be patched.
The object of cyberdeterrence is not to get an adversary to never use cyberweapons. It’s to prevent attacks on certain critical systems such as voter registration databases, electrical grids and missile command-and-control systems. The theory, at least, is to force adversaries to devote resources they would otherwise use to attack the U.S. to better secure their own networks.
This shift has been a long time coming. The last two directors of the National Security Agency have testified before Congress that adversaries are currently not deterred in cyberspace when it comes to probing and infiltrating public and private networks in the U.S. “How often do you want everybody to get what I call free shots on goal?” asks Rob Joyce, a former White House cyber coordinator.
It remains to be seen whether America’s new cyber posture will affect the calculations of China, Russia, Iran and North Korea. Healey is agnostic on this point in a forthcoming paper. But he warns that “persistent engagement” may lead to both a spiral of escalation in cyberspace and miscalculations from adversaries. What’s more, other states will follow America’s lead and the open internet will become more of a battleground. “How much of cyberspace will survive the war?” he writes.
Consider Iran. Over the summer, senior U.S. officials warned that Iran had laid the groundwork for cyberattacks on U.S. and European critical infrastructure, such as water systems and electrical grids. That’s not surprising for a rogue state. From the Iranian perspective, however, the activity is seen as a response to the Stuxnet virus deployed about a decade ago.
All that said, there is evidence that cyberdeterrence can work in the traditional sense. Just ask Russia, which dodged a robust cyber response from the U.S. in 2016 in part because then-Director of National Intelligence James Clapper was worried Russian hackers would retaliate by using cyber weapons to shut down U.S. electrical grids. “When people try to claim that there’s no such thing as deterrence in cyberspace,” cybersecurity expert Bruce Schneier observed, “this serves as a counterexample.”
Apparently it is an example American security and intelligence officials have taken to heart. It is now U.S. policy to force Russia to make the same kind of calculation today that Russia imposed on them in 2016.