Russia and the DNC Hacks

The UN Charter makes clear that any act by one state that threatens the territorial integrity or the political independence of another state is illegal, and it makes clear that actions of this kind could justify some punitive response. The recent hacks of the Democratic National Committee (DNC) do not threaten the United States’ territorial integrity, but they do threaten its political independence. They are part of a larger Russian effort to shape politics in the West to advance Russian foreign policy goals and damage the United States (a forthcoming study by my CSIS colleague Heather Conley will detail this) using misinformation, subsidies, and Internet trolls.

Russian attempts at manipulation do not signal the return of the Cold War, despite the desire of some analysts to cram them into that antiquated framework, if only because there is no reason for the Russians to think they would do any better the second time around. Russian tactics are different now, requiring a different response that may be difficult for an over-militarized U.S. foreign policy to generate. We are not going to war with Russia over hacking, nor will nuclear weapons deter them, but that does not mean inaction is the best choice. This is not the Cold War, but a new kind of conflict for the defense of democracy, with new tools and ideas that have yet to be developed.

One lesson that can be drawn from our experience with state-sponsored hacking is that, if there is no reaction to a hack, an opponent will take this as a green light to continue. A central goal for international cybersecurity is to establish consequences for malicious action; without consequences, malicious cyber actions will increase. This would be the lessons of the Sony incident, the actions by Iran against major U.S. banks and intrusion into critical infrastructure networks, and Chinese cyber commercial espionage. The United States has four primary opponents in cyberspace, but we have effective action against only three of them.

If there is a desire to pretend it wasn’t the Russians who were responsible for the DNC hacks, it is far too late to reverse this story. Both private and government sources attribute the hacking to Russia. The evidence that the material provided to WikiLeaks came from this Russian hack is less clear (putting aside Julian Assange’s ties to the Russians and the absence of indications that any other party was responsible), but the action that requires response is the Russian penetration of the DNC servers.

Wrangling over evidentiary standards misses the point. The rules for great power politics are not the same as the rules for a court, if a country wants to remain a great power. This is politics, not jurisprudence, and the audiences for any counteraction are the attacker, waiting to see if the U.S. will accept the hack, and the international community that is watching what the United States will do. Holding to a legal evidentiary standard only increases the likelihood of indecision and continued opponent action against us.

There are rumors that the United States and Russia have discussed the issue privately. If true, this also misses the point. Consequences must be public to have effect. Foreign Minister Sergey Lavrov’s reference to a four-letter word when asked about the incident does not generate confidence that the Russians are concerned about a U.S. response so far.

The argument that there are more important matters in the bilateral relationship, such as the Baltics or Syria, is frivolous. There is nothing more important than the political independence of the United States. Similarly, the “equivalence” argument make no more sense now than it did in the Cold War. While the Russians may believe that the United States seeks to undermine the Vladimir Putin regime, this is just paranoia. Both sides spy on each other, but one spies to defend democracy and the other to undermine it. If you have doubts about this, visit the sites of Reporters Without Borders or Human Rights Watch.

The Russians may feel justified in their actions, seeing them as retribution for the Panama Papers or for U.S. support to democratic groups in Russia. They may remember that they hacked both parties in previous elections, incidents where no information was leaked, and the matter was regarded as normal espionage practice. Russia may believe that it faces little risk of consequences in hacking the DNC. The goal for policy should be to change this belief, building the precedents for attribution, response, and thresholds established by U.S. actions against our other cyber opponents. Hacking should not be penalty free if we want it to stop.

The United States needs to respond to the DNC hack just as it responded to North Korea, Iran, and China for malicious actions in cyberspace. This leads to the more difficult question of what kind of response would be appropriate. We are not discouraging the Russians from coercive acts, nor are we likely to regain their affection. The upcoming Presidential election adds a further complication, but this does not justify waiting until after the election to respond.

The options for response include counter-leaks, indictments, sanctions, or some other public censure. The use of military force is not justified, and military demonstrations (overflights, ship passages, increased force levels in Europe, or covert cyber operations) are risky, given Russia’s confrontational attitude, and too indirect to be effective. Other options might include some kind of defensive or temporary stricture that makes it harder for Russia to connect to the global Internet, but the ability to carry out this kind of action is not well developed. The most effective response is likely to use legal tools—sanctions or indictments—and since the evidentiary standards for sanctions are lower than for indictments, they might be preferable. Sanctions are a more flexible tool than indictments, more visible than covert action, and they displease and annoy the Russians. All this makes them attractive.

Even an announcement that the United States is considering sanctions will prompt fury in Moscow and may incite further Russian retaliation. The United States would need to signal to Russia that further incidents or escalation will only increase risk to the Putin regime. Ultimately, responding to Russian political operations against the West will require a larger strategy that recognizes the end of the period of unchallenged American supremacy and the development of new kinds of nonmilitary responses to cyber actions. But a first step is to not let hacking go unpunished. To do otherwise will unravel the progress this administration has made with its carefully constructed efforts to make cyberspace more stable and secure.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2016 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program