Hope for Global Cyber Norms Struggles Following Russian Hacking Allegations The gates of Kremlin and the Kremlin are pictured on October 31, 2013 in Moscow, Russia (Photo by Andreas Rentz/Getty Images) The Obama administration issued a public response to hacking incidents against U.S. political institutions and meddling in the presidential election attributed to the Russian government in the way of sanctions against individuals and organizations affiliated with the conspiracy. Though welcomed by some, others have criticized the response as too late, noting that the sanctions — with the potential for covert action forthcoming — won’t necessarily hurt the Russian economy or named individuals. Michael McFaul, former ambassador to Russia in the Obama administration told The Atlantic that the recent set of sanctions won’t really damage their targets, but noted that was not the intention. “The intention is to exact a cost and to attribute this attack to those entities and those individuals,” he said. Senate Armed Services Committee Chairman John McCain, R-Ariz., and Sen. Lindsey Graham, R-S.C., in a joint statement called the punitive measure “a small price for Russia to pay for its brazen attack on American democracy.” However, while McFaul doesn’t believe the sanctions are enough to deter Russia from future similar behavior against the U.S., he believes the response, or any response, is part of a greater effort to develop international norms in cyberspace. Russia, among others, has demonstrated what many believe to be flagrant behavior facilitated through cyber means. These include cyberattacks that preceded Russia’s military incursion into Georgia, cyberattacks against Estonia in 2007, the 2014 military incursion into Ukraine utilizing what many have termed “hybrid warfare,” and most recently efforts to undermine elections in European democracies similar to what was done against the U.S. China, for its part, was also publicly called out by Obama administration officials for its alleged hacking of American institutions for economic gain. The so-called naming and shaming by the administration led to a landmark deal between the two nations, with both pledging not to hack each other for the explicit purpose of economic benefit; to be sure, hacking for the purpose of espionage was left out of the agreement. “All Americans should be alarmed by Russia’s actions,” President Barack Obama said in a statement. “In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance.” Despite what some have deemed as a slow response, Michael Sulmeyer, the Belfer Center’s Cyber Security Project director at Harvard University, believes the clock did not run out on a response. He voiced to C4ISRNET that the Obama administration made a compelling case for the decision and actions it took, adding that if Russia is going to engage in this type of activity, there will be a price. Moreover, if the incoming Trump administration decides to unwind sanctions levied against Russian individuals by the Obama administration, the next administration will have to explain why it’s going against a mostly bipartisan consensus about Russia’s guilt, according to Sulmeyer, Distinguishing between norms and interests, Sulmeyer noted that the U.S. has an interest in preventing hacks and manipulations witnessed during the presidential election. But on the norms front, there is historical precedent of states meddling in the elections of other states. State Department Coordinator for Cyber Issues Christopher Painter has traveled extensively working with other nations in an attempt to build coalitions and consensus for international cyber norms. “I think the correct course is for us [the U.S. and its allies] to … pursue this idea of what effects we’re trying to control, what are the rules of the road, what are the norms that we want, how does international law apply, how do we communicate with each other … to make sure we have a long-term, stable environment in cyberspace,” he told the Senate Foreign Relations Committee in May last year. “That’s, I think, a more effective route, especially now. We’re still in the beginning of this conversation,” he continued adding that compared to the nuclear discussions, the international community is still in the infancy of these conversations. Michael Schmitt, a law professor at the U.S. Naval War College, believes Russia violated certain international legal principles, specifically the prohibition of intervention, which broadly outlaws coercion from one state into matters reserved to another state. As a general matter, this violation of international law — as well as Russia’s provocative behavior elsewhere, namely the annexation of Crimea — speaks to a broader concern about Russia. The expulsion of 35 Russian officials from the U.S. — another component to the executive order issued by Obama to punish the Russians for their alleged involvement electoral hacking — relates to not just a cyber problem but deteriorating relations with Russia. Schmitt, who is also the director of the Tallinn Manual project — a leading effort in international cyber law for crafting norms — told C4ISRNET that incidents like this are good because it forces states to take a position. Discussions like crafting international norms can move slowly because states move cautiously, one reason being they might not want to restrict themselves, as international laws and norms apply to everyone. Incidents such as the most recent election hacking episode could force states to become more aggressive in pursuing laws and norms they otherwise would not have endorsed, Schmitt said. While many in the international community have tried to equate existing norms of peace and war to apply to cyberspace when crafting rules of the road, the nature of cyber in its obfuscation present problems — especially as they apply to deterring behavior. The Obama administration has been derided by members of Congress for not developing a coherent enough cyber deterrence strategy. The administration maintains it wants flexibility when responding to events and does not want to telegraph exactly what activity will warrant what specific response. The 2017 National Defense Authorization Act, recently signed into law by Obama, specifically requires the next administration to submit a cyber deterrence strategy to include “military and nonmilitary options available to the United States for deterring and responding to imminent threats in cyberspace and malicious cyber activities carried out against the United States by foreign governments and terrorist organizations.” Even with a coherent deterrence strategy or policy, some believe true deterrence is difficult to achieve. According to Sulmeyer, the difficulty with deterrence is gauging its effectiveness. He said that adversaries might be weighing a whole host of options when deciding whether to execute an attack, and it is hard to quantify if a particular deterrence policy is having any effect on these decisions. Additionally, compounding the deterrence problem is the position taken by many, including the Obama administration, eschewing specified “red lines.” Telegraphing to enemies what thresholds will engender certain responses, as the argument against red lines goes, might encourage adversaries to walk right up to the line without punishment. The difficulty in crafting certain red lines is that they are difficult to craft on an international level because of a lack of consensus, Sulmeyer said. Using any nuclear weapon in any case is a clear red line, he added. But in the cyber context, it becomes much more difficult, especially from a U.S. perspective, with press reports surrounding the Stuxnet virus and Snowden leaks that outline U.S. hacking capabilities, Sulmeyer said. This makes red lines such as hacking or meddling in an election difficult to solidify.