Pages

2 January 2017

Russia and America's Cyber Deterrence Dilemma

Matthew Rojansky

Sanctions won't deter future Russian cyber attacks not only because of Washington’s limited ability to impose costs on officials it believes ordered the hacking, but because neither side is ready to accept deterrence in the cyber domain.

After months of increasingly strident warnings about Russian cyber attacks, including Russia’s alleged meddling in the 2016 presidential race, the Obama administration has imposed an array of sanctions and punitive measures against Russian targets. The President described the measures as a “response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election.” After “repeated private and public warnings that we have issued to the Russian government,” Obama added, sanctions “are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior.”

In its remaining time in office, the Obama administration’s resolve to respond to Russia’s actions is clear. A bipartisan majority on Capitol Hill appears almost certain to support these measures, and is likely to impose additional punitive sanctions against Moscow in the near future. Much less clear is whether pressure from such sanctions can actually change the Russian behavior that has caused so much consternation in Washington.

U.S. sanctions against Russia are not new. Throughout the Cold War, Congress and the Executive branch wielded trade sanctions to underscore U.S. disapproval of Soviet foreign policy, as well as Moscow’s treatment of its own citizens, including Jewish refuseniks and other dissidents. Since the collapse of President Obama’s own attempt to “reset” relations with Russia, sanctions have once again taken center stage as the preferred instrument of U.S. opposition to Russian policies.

In 2012, Obama signed into law the Magnitsky Act, which sanctioned designated Russian individuals for their involvement in human rights abuses, and to which Moscow responded with a ban on adoptions of Russian orphans by U.S. citizens, plus a crackdown on U.S.-supported Russian charities and NGOs. New rounds of U.S. sanctions, this time paired with similar European measures, followed Russia’s 2014 invasion and annexation of Ukraine’s Crimean Peninsula, and its support for an armed insurgency in Eastern Ukraine. Russia responded with counter-sanctions against Western products and services, harsh anti-Western rhetoric, and—according to U.S. and European intelligence communities—a concerted disinformation campaign, including cyber attacks on U.S. political targets.

If the purpose of the Magnitsky sanctions has been to improve the situation for dissidents and whistleblowers in Russia, it would be hard to argue that they have succeeded. Likewise, to the extent that Ukraine-related sanctions seek to compel Moscow to implement its commitments under the Minsk framework agreements, they have clearly fallen short as well.

It should be no surprise that Western sanctions have resulted in neither dramatic reform of the Russian political system nor reversals in the Kremlin’s foreign policy. But, as sanctions advocates contend, they could serve as part of an effective deterrent against future Russian actions. The key question, therefore, is whether the latest sanctions—or any sanctions, for that matter—will be adequate to deter future Russian actions of the sort that have provoked this U.S. response.

At the height of the Cold War, Nobel laureate economist Thomas Schelling defined deterrence as the use of power not to coerce or compel, but to prevent an adversary’s attack. Schelling’s view of nuclear weapons as a deterrent echoed George F. Kennan’s famous insistence that the Soviet leadership could be deterred. “If the adversary has sufficient force and makes clear his readiness to use it,” Kennan wrote, “he rarely has to do so.”

What would it take for such a deterrence framework to constrain future Russian cyber attacks? First, the attacks must be clearly defined and clearly attributed to Russia. By that measure, it is problematic that the White House has announced retaliatory measures before releasing the results of an intelligence community review of Russia’s intervention in the 2016 election to be completed later in January.

While some U.S. intelligence sources have already concluded with “high confidence” that senior Russian officials approved of cyber attacks on U.S. political targets with the intention of swaying the 2016 election, President-elect Donald Trump has dismissed this finding, tweeting, “these are the same people that [in 2003] said Saddam Hussein had weapons of mass destruction.” The problem is that if Americans are not in clear agreement about the specific Russian actions being punished—and thus the actions to be deterred in the future—they risk muddling the message to Russians, Chinese, or anyone else Washington intends to deter.

The second measure of a successful deterrent strategy is whether the threatened punishment is credible and within Washington’s power to execute. The administration will almost certainly follow through on punitive measures against those listed in the new executive order, including Russia’s top FSB and GRU leadership. The President has also promised to “continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.” What matters is whether the targets of these measures are those actually responsible for the cyber attacks, and thus those who can decide whether to undertake such attacks in the future.

The final measure is whether the adversary is actually deterred: are U.S. sanctions more costly for the Russians than the perceived benefit of the attacks? Judging from the Kremlin’s reaction thus far, it does not appear that individual sanctions against senior Russian officials will have much of a deterrent effect. On the contrary, U.S. measures “naming and shaming” top Russian officials, while punishing other individuals and entities linked to cyber attacks, are very likely to be treated by the Kremlin as a justification for new countermeasures.

“If Washington really does take new hostile steps,” the Russian government has already warned, “they will be answered.” Recalling Russia’s retaliation following past U.S. sanctions, Washington should indeed expect escalation of the conflict rather than effective deterrence. Where and how this will occur is not yet clear, underscoring the risk of uncontrolled conflict escalation in the cyber domain.

U.S. sanctions are unlikely to deter future Russian cyber attacks not only because of Washington’s limited ability to impose adequate costs on the senior Russian officials it believes have ordered the hacking, but because neither side appears prepared to accept mutual deterrence in the cyber domain. In the early 2000’s, the Russian side proposed negotiations towards a cyber arms control treaty, but at the time U.S. officials had little interest in constraining capabilities in which they expected to enjoy unrivaled dominance. Now, the Kremlin may view cyber attacks as an indispensable counterweight to U.S. and NATO dominance in the conventional military sphere, and thus the Russians may be less inclined to negotiate.

The simple truth is that if either side believes it can gain more by using cyber weapons than by preventing their use, deterrence will fail. So far, U.S. sanctions have underscored the urgency of the cyber threat, but they are not likely to reduce it. Although President-elect Trump has signaled his desire to reduce conflict with Russia and focus on common interests, such as combatting ISIS, he will inherit a dangerously dysfunctional relationship, drifting rapidly toward a 21st century version of the Cold War.

No comments:

Post a Comment