Games States Play in Cyberspace

Indictments can be a useful signaling mechanism to states and foreign hackers working on their behalf. But if the time it takes for hackers to be publicly charged exceeds a year, does that diminish the value of indictments in promoting responsible state behavior in cyberspace? Put differently, understanding that state hackers could potentially face a timeline of a year or longer before being indicted by the United States, could that incentivize states to take more aggressive action?

As a creative scaffold for understanding the strategic geopolitical value of indictments, consider Walter Mischel’s famous willpower experiment at Stanford University in the 1960s, the so-called Marshmallow Test. In the test, preschool-aged children were offered one marshmallow to eat immediately, but if they could refrain from eating it for 15 minutes, they would then be rewarded with two. The study found a positive connection between children who could delay instant gratification and indicators of “success” in their future adult lives. Superimposing the design of this test also offers a unique perspective for reexamining the logic of states that risk having their skilled cyber operators indicted, arrested, and arraigned before a U.S. magistrate judge. How? In a “go-big-or-go-home” transactional analysis game between states, waging a two-marshmallow cyber campaign could appear as the more rational decision.

Timeline and Strategy

First, consider a concrete example: The Justice Department’s October 2020 indictments of six Russian military intelligence officers.

The federal grand jury’s 50-page indictment revealed not only a range of techniques and targets, but also a surprisingly long period between when the crimes occurred and when the indictment was returned. The mean was approximately three years. This length of time is considerable, especially since indictments are a non-violent means to hold actors accountable for their actions in cyberspace, and ideally deter further aggressive acts.

Focusing on the timeline: on October 19, the Justice Department indicted six Russian intelligence officers in the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The GRU officers worked in the Main Center for Special Technologies, Military Unit 74455, and were charged with conducting “the most disruptive and destructive series of computer attacks ever attributed to a single group,” said Assistant Attorney General for National Security John C. Demers. The charges in the federal grand jury’s 50-page indictment include deploying some of “the world’s most destructive malware to date,” such as NotPetya in 2017 and Olympic Destroyer against the 2018 Pyeongchang Winter Olympic Games. It recounts other disruptive cyber acts like targeting Ukraine’s electric grid in 2015 and 2016, France’s 2017 election, the networks of Georgian companies and state entities in 2018 and 2019, and investigations into the 2018 Novichok poisoning.

To be sure, indictments are useful signaling tools; however, there is room for improvement in imposing timely consequences on actors who violate the 2015 norms of responsible state behavior in cyberspace and, more recently, the UN cybersecurity Open-Ended Working Group’s 2021 report to advance peace and security in cyberspace.

According to John P. Carlin, the former assistant attorney general for national security and a proponent of using indictments as part of a cyber deterrence strategy, the Justice Department’s investigations and indictments “are the bedrock of our whole-of-government approach because they facilitate the use of so many other tools that promote deterrence.” However, if state hackers face a general timeline of perhaps a year or longer before being indicted, all other things equal, states may be oddly incentivized to risk their skilled officers in pursuing aggressive longer-term operations (i.e., earning a two-marshmallow payoff) versus a less aggressive and immediate cyber intrusion (i.e., a one-marshmallow payoff). If a state is willing to accept the risk of having its officers publicly indicted and arrested during foreign travel, this could unintentionally foster an incentive to take bolder, more sweeping action, like the recent SolarWinds cyberespionage campaign and the Microsoft Exchange Server hack in March.

Rebalancing This Structure

But what if the second marshmallow, representing a higher-payoff target in this thought experiment, had at least a 50/50 chance of being toxic? How might that change state decisionmaking? The Defense Department’s new “defend forward” strategy has the broad potential to reshape this calculus by working with allies and partners.

The U.S. Cyber Strategy Summary describes defend forward as “confronting threats before they reach U.S. networks.” It has two core elements: the strategic persistent engagement of adversaries and working with allies and partners to promote security. By exploring new ways to defend U.S. networks and grow partnerships, defend forward becomes that toxic second marshmallow. For example, as part of U.S. Cyber Command’s campaign to safeguard the 2018 midterm elections against the Russian Internet Research Agency, Cyber Command used “direct messaging” to target operatives working for the GRU. “Using emails, pop-ups, texts or direct messages, U.S. operatives beginning in October let the Russians know that their real names and online handles were known and that they should not interfere in other nations’ affairs,” reported the Washington Post. This type of timely, direct messaging, coupled with the legal power of indictments, could influence the risk calculus for actors.

“Indictments send a powerful message,” reasons James A. Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “The Russian government hates them, and it regularly warns its hackers of the threat of indictments and the need to avoid foreign travel when indicted because of the risk of arrest.” By methodically blending indictments with defend forward’s elements of expediency, collaboration, and friction, this iterative strategy could, at least temporarily, help curb states’ appetites for reaching for that second marshmallow—until hunger pangs increase.

Zhanna Malekos Smith, J.D., is a senior associate (non-resident) with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C., and a professor of cyber warfare studies with the Air War College.

The views expressed are those of the authors and do not necessarily reflect the official policy or position of the Department of Defense or the U.S. government.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2021 by the Center for Strategic and International Studies. All rights reserved.

Zhanna L. Malekos Smith
Senior Associate (Non-resident), Aerospace Security Project, and Adjunct Fellow (Non-resident), Strategic Technologies Program