Why Russian hackers didn’t strike during the midterm elections

Despite probing and trolling, a Russian cyberattack is the dog that did not bark in Tuesday’s elections. This is the assessment of the Department of Homeland Security, which says there were no signs of a coordinated campaign to disrupt US voting. This welcome news raises a relevant and important question: Were cyber adversaries actually deterred from infiltrating voter databases and changing election results? That was a very real fear in the 2016 presidential election.

In September, the White House unveiled a new policy aimed at deterring Russia, China, Iran and North Korea from hacking US computer networks in general and the midterms in particular.

National Security Adviser John Bolton acknowledged as much last week when he said the US government was undertaking “offensive cyber operations” aimed at “defending the integrity of our electoral process.”

There aren’t many details. Reportedly this entailed sending texts, pop-ups, e-mails and direct messages warning Russian trolls and military hackers not to disrupt the midterms. US officials tell me there is much more going on that remains classified.

It is part of a new approach from the Trump administration that purports to unleash US Cyber Command to hack the hackers back, to fight them in their networks as opposed to America’s. Bolton has said the policy reverses previous restrictions on military hackers disrupting the networks from which rival powers attack the US.

Sometimes this is called “persistent engagement” or “defend forward.” And it represents a shift in the broader US approach to engaging adversaries in cyberspace. Jason Healey, a historian of cyber conflicts at Columbia University’s School for International and Public Affairs, says the administration’s posture is the most significant change since 1998, when the Pentagon first defined what computer network attacks were.

Cyber offense is not new for the US (remember the Stuxnet attack on Iran’s nuclear centrifuges). But those attacks, which were considered intelligence operations, were approved at the highest levels of the US government. The difference now is that America’s cyber warriors will routinely try to disrupt cyberattacks before they begin.

This approach is also a form of deterrence, which is a peculiar concept when applied to cyber conflicts. Compare it to nuclear deterrence, where the objective is to never use the weapon: You nuke us, we nuke you. In cyberspace, the weapons are constantly being deployed.

The object of cyberdeterrence is not to get an adversary to never use cyberweapons. It’s to prevent attacks on certain critical systems such as voter registration databases, electrical grids and missile command-and-control systems. The theory, at least, is to force adversaries to devote resources they would otherwise use to attack the US to better secure their own networks.

This shift has been a long time coming. The last two directors of the National Security Agency testified that adversaries are not deterred in cyberspace. “How often do you want everybody to get what I call free shots on goal?” asks Rob Joyce, a former White House cyber coordinator.

It remains to be seen whether America’s new cyber posture will affect the calculations of China, Russia, Iran and North Korea. Healey is agnostic on this point in a forthcoming paper. But he warns that “persistent engagement” may lead to both a spiral of escalation in cyberspace and miscalculations from adversaries. What’s more, other states will follow America’s lead and the open Internet will become more of a battleground. “How much of cyberspace will survive the war?” he writes.

Consider Iran. Over the summer, senior US officials warned that Iran had laid the groundwork for cyberattacks on US and European critical infrastructure, such as water systems and electrical grids. That’s not surprising for a rogue state. From the Iranian perspective, however, the activity is seen as a response to the Stuxnet virus deployed about a decade ago.

All that said, there is evidence that cyberdeterrence can work in the traditional sense. Just ask Russia, which dodged a robust cyber response from the US in 2016 in part because then-Director of National Intelligence James Clapper was worried Russian hackers would retaliate by using cyber weapons to shut down US electrical grids.

It is now US policy to force Russia to make the same kind of calculation today that Russia imposed on the US in 2016.

© 2018, Bloomberg Opinion.
