DNC Hack: An escalation that cannot be ignored
The Democratic National Convention hack constitutes a grave interference in the electoral process of a nation. Given the unprecedented level of attribution to Russian authorities, authors Matthijs Veenendaal, Kadri Kaska, Henry Rõigas and Can Kasapoglu analyse this attack in the broader setting of the use of cyber capabilities as part of influence operations. A lack of response, the analysis concludes, contributes to the already existing deterrence problem and even encourages further aggression. This article first appeared on NATO CCDCOE.
The recent disclosure of internal communications of the DNC has embarrassed the Democratic Party and their presidential nominee, Hillary Clinton. Although the documents reveal no serious wrongdoing by the DNC, it does give an unappealing insight into the dirty business of political campaigning.
The novel use of cyberattacks and strong indications of Russian involvement are by far more worrisome than the unsurprising content of the e-mails. Based on the analysis by Crowdstrike (and corroborated by Fidelis Cybersecurity and Mandiant) there is convincing evidence that hackers closely associated with the Russian government were behind the attacks on the DNC.
Unprecedented Use of Cyber Operations
Based on the evidence, the attackers seem to have been involved in other high profile attacks on governments. For instance, the command-and-control address hardcoded into the DNC malware seems to be identical to the one used to hack the German Parliament in 2015. One of the identified attackers is also associated with the hacks of other US government agencies. Both attackers used highly sophisticated means, usually associated with state or state sponsored actors. The technical and political attribution seems to point in a single direction, at least on a balance of probabilities.
Technically, nations and other actors have launched this kind of attack before, and digital espionage is nothing new but something many nations actively engage in. What is relatively new is that in this case the purpose of the hack has apparently been to discredit the DNC and the presidential campaign of Hillary Clinton by publishing the swiped material.
This is therefore an attempt by a nation, possibly through a proxy, to influence the political and the top electoral process of another nation by means of a cyberattack (See for instance P. Brangetto and M. Veenendaal, Influence Cyber Operations: The Use of Cyberattacks in Support of Influence Operations, 2016 8th International Conference on Cyber Conflict, Tallinn 2016, page 113 https://ccdcoe.org/multimedia/8th-international-conference-cyber-conflict-proceedings-2016.html). The scale, impact and the rather transparent (maybe too transparent) involvement of Russian authorities in this leak indicate an escalation that cannot be ignored and may cause the US to choose novel ways to retaliate.
If this is truly an act of or supported by the Russian government, the incident sets a new precedent and constitutes another escalatory step in the use of cyberattacks. Such an insolent attempt to interfere with the political process of a Western nation has not been witnessed before.
It is interesting to see whether the response of the US will be different in this case than to other recent cyberattacks. The effects of the DNC hack are as unprecedented as the cyber operation against the Ukrainian electrical grid in December 2015. If both of these attacks are in effect conducted by the Russian Federation – whether by state actors directly or under their direction and control –, the DNC hack represents a next effort by Moscow to test national responses and the limits of acceptable behaviour of states in cyberspace.
Targeting the ‘Grey Area’
The attack on the DNC is an example of an influence operation in and through cyberspace, the goal of which is to influence attitudes, behaviours or decisions of target audiences in order to further a nation’s interests and objectives. Influence operations offer the promise of victory through ‘the use of non-military [non-kinetic] means to erode the adversary’s willpower, confuse and constrain his decision-making, and undermine his public support, so that victory can be attained without a shot being fired’.
One of the attractions for states of using cyberattacks as part of an influence operation lies in the fact that they are generally difficult to attribute and thus provide a high degree of deniability combined with a limited risk of provoking a strong or quick response from the target nation. Even with all the evidence mounting against Russia, it can still build a plausible case to deny its involvement and responsibility.
The attack, however, does fit in with Russian military doctrine and past actions. Russia, more than any other actor, seems to have integrated cyber operations into a larger influence operations framework.
Russia has always sought to achieve strategic advantages without provoking an armed response from NATO. This is a core element of Russian security policy which is based on the assumption that conflicts between developed nations must remain below the threshold of an armed conflict, or at least below the threshold where it is actually proclaimed to be an armed conflict.
All Means and Methods
This strategy is exemplified by the Gerasimov doctrine on nonlinear war which posits that ‘[t]he role of non-military means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of weapons in their effectiveness’. Hence, a greater reliance on the information domain is obvious.
In the Russian view, information warfare is conducted in peacetime, in the prelude to war and in wartime in a coherent manner. In the Russian doctrine, information warfare uses ‘all the means and methods of impacting information, information-psychological, and information-technological objects and information resources to achieve the objectives of the attacking side’. These include intelligence, counterintelligence, deceit, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, degradation of information systems, and propaganda. In this context, be it distributed denial of service attacks (DDoS), advanced exploitation techniques, or the RT network all contribute to the same goal.
From this perspective, using intrusive cyberattacks as part of a broader influence operations strategy makes perfect sense. Given the limited possibilities for attribution and the absence of any real chance of provoking an armed (or any kind of significant) response, cyberattacks have so far proven to be relatively low-risk, low-cost capabilities that can contribute to the destabilisation of an adversary. If the main goal of an influence operations campaign is to sow doubt and confusion in order to undermine trust and confidence in the governments of targeted nations, cyberattacks can certainly contribute to that. Plausible deniability seems to provide enough cover not to worry too much about the legality of such actions or any meaningful response by the victim.
Response Needed, but Deterrence Complicated
Given that attribution in this blatant attempt to influence the electoral process seems to be strong and was provided exceptionally quickly, it is interesting to see if the US will change its position and react resolutely and swiftly to these attacks. So far, the US and West at large have been unable to deter similar influence operations conducted by using cyberattacks. While nations may have a legal base to respond, the options for immediate actions offered by international law have very limited practical value when responding to a cyber operation as attribution is not immediate, the damage has already been done and the attack has usually ended.
However, a state-sponsored cyberattack that meddles with the electoral process of another country encroaches on what the International Court of Justice has called an ‘essential foundation of international relations’: the right of a State to remain free of intervention in its internal or external affairs by any other State, whether such intervention be direct or indirect and for whatever reason it occurs. Even in the absence of physical damage, the DNC hack therefore should not be accepted to pass without a credible response.
Measures to counter apparent state-sponsored cyberattacks against the US have been mainly limited to sanctions and indictments of individuals. Although unconfirmed reports of some clandestine operations exist, solid responses to influence operations through cyberattacks have been perfunctory to non-existent. It is logical and sound for the FBI to start an investigation into the attacks, but its relevance to the political impact of the DNC hack will be limited as law enforcement is not equipped to stop a State-sponsored adversary from launching this kind of operations. The question now is whether the US will decide that this case has crossed a ‘red line’ and thus qualify for a different, more significant response that would cause substantial costs for the attacker (See also recently released US Presidential Policy Directive on Cyber Incident Coordination). If so, a precedent will be set and all eyes are on the US.
The US has declared a policy of no tolerance towards malicious disruption of its cyber infrastructure. In its 2011 International Strategy for Cyberspace, the US expressed its intent to ‘along with other nations, encourage responsible behaviour and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors, and reserving the right to defend these vital national assets as necessary and appropriate’.
The challenge posed by the DNC hack is choosing responses that would be effective and prove a deterrent against similar future breaches while avoiding undue escalation or spill over, or violating the country’s own obligations under international law. Hence, the response will have to combine diplomatic, economic, technical, public information, and other legitimate means in proportion to the impact of the attack.
Lukewarm Response Encourages Aggression
The US could theoretically also respond by launching retaliatory cyberattacks against Russia. But this kind of an eye for an eye response can be counterproductive. Responding in kind to the Russian provocations can easily lead to unwanted escalation of cyber conflict and might start a clandestine ‘cyber war’ between the superpowers which cannot be monitored and is therefore difficult to contain. In addition, any profound response will likely trigger Russia into divulging more or less substantiated accusations about covert US actions in cyberspace targeted at Russia.
The DNC hack, in conclusion, constitutes a grave interference in the electoral process of a nation. If the US is convinced it has sufficient evidence to attribute it to Russia it has the right and obligation to respond. This response needs to go beyond the usual condemning, naming and shaming that has been the preferred response to previous cyberattacks, as it appears these did not deter the DNC hack. The lack of a credible response to most cyberattacks by the West is also contributing to the already existing deterrence problem and even encourages further aggression. A longer-term, structural response should offer a robust deterrence strategy to ensure that these kinds of influence operations through cyberspace will no longer be seen as relatively low risk operations which come with little or no repercussions. This strategy should not only depend on responses with cyber capabilities but include all proportionate diplomatic, economic, technical, public information, and military means available to a state.