Will U.S. sanctions against Russia fix cybersecurity?

The United States has finally announced a comprehensive package of responses to Russia’s 2016 influence operation against the U.S. elections. In a nutshell, it includes the creation of a new sanctions authority, the use of that authority to sanction nine Russian individuals and institutions, the expulsion of 35 Russian operatives from the U.S., the shutting down of two Russian compounds here in the U.S. and the publication of technical details intended to help organizations defend themselves against future intrusions by these actors.

This is a significant response, but a closer reading of the package reveals four important lessons about what this means for deterrence, statecraft and cybersecurity.

Adversaries are getting more aggressive, and our tools must evolve to keep up

Our understanding of the threat landscape has changed dramatically in just the last couple of years. Although election hacking wasn’t unheard of when the cyber-sanctions executive order (E.O.) was first written in 2015, most cybersecurity experts weren’t focused on it. Instead, the E.O. was aimed at two particular threats: the commercially motivated theft of intellectual property and attacks on critical infrastructure. And it was effective: At the time, just the threat of sanctions under the new E.O. was enough to bring China to the table to negotiate, ultimately slowing to a trickle the flood of IP theft.

One year later, the E.O. has been amended to address a very different type of activity:

“(E) tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions;”

The addition signals that interference with a national election is not only different from the other major threats contemplated by the E.O., but that it is just as serious. This may not be surprising — trust in our electoral process is at the core of our democracy, so any attack on that should be of the highest priority — but such a public marker reinforces how seriously we take this activity.

Only time will tell how effective the E.O. is as a deterrent against this new threat, but it is striking that the first sanctions under the E.O. came a year after its creation, in response to a threat not even widely contemplated when it was first drafted. The threat landscape is changing fast, and we must adapt our tools to deal with new threats as they emerge. The fact that the U.S. was able to adapt this E.O. is encouraging, and provides a framework for how the cybersecurity community at large needs to continue to develop tools and technology as new threats emerge.

As tempting as “offensive cyber” might be, the best deterrent is often asymmetric

In recent weeks, there has been much speculation about the possibility of cyber-retaliation as a deterrent response. To be clear, this is not off the table. The president’s statement emphasizes that the announcement “is not the sum total of our response,” and that some future responses “will not be publicized.”

Nevertheless, this response was about making clear that the actions in question were unacceptable, and cyber-retaliation is not well-suited to that goal. Hacking back is unreliable, time-intensive and risks committing us to a tit-for-tat escalation, which would only further destabilize the environment. There may well be a place for a well-chosen covert response in the future, at — as the president is fond of saying — “a time and place of our choosing.”

But by focusing instead on deterrence through the traditional tools of statecraft, the response avoids the perception that the U.S. is legitimizing Russia’s actions by engaging in them itself. It also helps to frame this dispute not as a fight between two equally transgressive powers, but as a clear example of one nation violating the well-accepted international norm that nations should not interfere in the domestic politics of other states. A key development to look for in the days to come will be whether other countries weigh in to support the U.S. response: Other nations adding their voices to the U.S. would help reinforce the existing norms and strengthen the deterrent force of this response.

Deterrence is not a panacea

A substantial government response is long overdue, and it’s tempting to treat it as the final step of a long process — but the truth is it’s only a first step. Naming the actors and imposing costs on Russia is about deterrence, and deterrence alone is not enough. It can make intrusions more costly if the operators are caught, but as long as breaking into systems is as easy as it is today, state and non-state actors will still be tempted.

Over the past year, Russia-backed hackers have targeted think tanks, political party organizations, candidates themselves, hundreds of former officials, current officials and policymakers, state election committees and dozens of other entities. Many of these are small organizations with limited security, but they nevertheless house sensitive information that is incredibly valuable for international diplomacy. And while the threats we’ve seen in 2016 have been more extensive than ever before, this targeting isn’t new: Presidential campaigns and political targets were hacked in 2012 and 2008.

The right deterrence can make actors think twice, but deterrence is tricky, especially in the wake of ongoing public disputes about attribution — even in the face of widespread agreement by experts in government and the private sector that Russia was responsible. Overeager attempts to tie probing at a Vermont utility to the broader Russian campaign have muddled the clear deterrent message of the release, and critics of the response continue to speak out, even as technical evidence mounts. Dissuading all comers from targeting exposed high-value information through deterrence alone would not only be incredibly difficult to achieve; the level of deterrence required would also be so extreme that it could destabilize international relations and be greeted with criticism at home and abroad.

Deterrence, as effective as it can be, will always be tied to political considerations, domestic and foreign policy alike, which means it will not serve well as a complete solution. It must be combined with enhancements in security to make these intrusions more difficult.

The economics of cybersecurity need to evolve

The response package also seeks to address this other side of the cybersecurity coin with a Joint Analysis Report (JAR) from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) that provides technical indicators that network defenders can use to identify and defend against future nation-state intrusions. Unfortunately, this portion of the response has already been heavily criticized by many in the security industry as misleading, incomplete and duplicative of work already done by private security firms.

To be honest, while technical indicators are an important part of security, the challenge is much simpler than that.

A key part of the challenge we face with cybersecurity is that while major corporations may be able to invest the millions required to secure their systems, most smaller organizations cannot. This is an especially significant problem when defending against information operations, because many organizations holding valuable information are comparatively small organizations with limited security budgets. Even if the JAR had provided revelatory new information and all the details experts needed to use that information, many likely targets wouldn’t be able to leverage that information with the resources they currently have.