Cyber State Competition

800px_COLOURBOX12992284.jpg

By Stephen Howard

On March 19th, 2016 hackers associated with the Russian intelligence agency the GRU began a spearphishing campaign against John Podesta and other officials of the Clinton Presidential campaign in an attempt to weaken or even defeat the person who many saw as the next President of the United States. Secretary Clinton was defeated, Citizen Trump was made President Trump, and the United States has dealt with the fallout of being attacked by a hostile country ever since.

Let me be clear: State competition is a continuous and brutal affair. Regardless of what we’d like the ideal state of the world to be, states pursue their national interest above all else – and sometimes it is within the national interest to weaken or destroy a different state. While there has been some attempt at standardizing the rules of competition to make it harder to miscalculate and create unintended massive tragedy, the actions taken in pursuit of state competition are by no means universally standardized. States pursue what they believe to be the best course for them in the world and engage in coercive or manipulating actions against those who they deem to be in the way of that course. As this is the modus vivendi of the world, it is something that needs to be accepted. In this light, the Russian hacks and attempts to damage the democracy of the United States are in fact routine and should surprise no one. Yet surprised the US is, and several political bodies within the US seem unwilling or unable to deal with it. Thus, there are two lenses through which we can view this event. 

First, we should look at this event through the uncaring lens of history: France under Richelieu and the United States in the Philippines in the 1950s provide strong examples of how states act in their own interests in subversive ways. Policy is the intersection between knowledge and action. Knowledge, like history, is impartial. Action is necessarily partial, even when the action is to take no action, and thus cannot be uncaring. That is how the second portion of this paper examines the Russian attack on US democracy, by taking the knowledge imparted by history and imparting perspective on it. In this case, specifically how the US reaction to the Russian attack is, in a word, insufficient.

Not insufficient from his perspective.

Not insufficient from his perspective.

 

History

30 Years War

Armand Jean du Plessis, Cardinal de Richelieu, was the First Minister of France from 1624-1642. During this time, he used his new principle of raison d’etat (reason of state) to elevate France by very underhanded means (or so considered for that time period). In 1627 Richelieu granted the Protestants the right to worship, which was the very thing Hapsburg Europe had been fighting for 11 years to stop. Rather than just being a humanitarian gesture, this was actually a play to interfere with the domestic underpinnings of the war and weaken the Hapsburgs by giving the Protestants reason to keep fighting an extended war. Further, in 1635, after the Hapsburg Empire and the multiple German states had fought to the point of exhaustion (with the German States looking about to surrender), France joined the fight directly against the Hapsburgs. This extended the fight even further until it was ended in 1648 by the Peace of Westphalia.

Today we see this in strictly state versus state terms – one state trying to undo another by interfering with its war. However, this is not how it was viewed at the time. While state-state conflict was still very much a thing, this conflict was Catholics-Protestants, and a Catholic state interfering on the side of the Protestants was very much an asymmetric action which was meant to undermine the domestic stability of the Hapsburg Empire. The action was considered underhanded, and as Henry Kissinger would term it, Realpolitik, but it was no more than an extension of state sovereignty which was made for the benefit of the French state. (Diplomacy, Henry Kissenger)

 

Huk Rebellion

After the ending of WWII and the re-occupation of the Philippines, one of the most pressing issues in the archipelago was the suppression of the Hukbalahap (Huk, pronounced “Hook”) Rebellion. The rebellion had actually begun in 1942 when indigenous forces rose up against the Imperial Japanese invasion. While they were considered freedom fighters during the occupation, they quickly lost that reputation with the Philippines and United States once the Huk carried over their revolutionary war to fighting the Philippine and US forces after 1945. The US was determined to end this rebellion, and in 1946 sent in Edward Lansdale, a former marketing worker, to put a stop to the guerrilla movement.

Lansdale’s tactics were unorthodox and, again as some might say, underhanded. Numerous white, gray, and black operations (explicitly undertaken by the US, actions taken by the US but without direct links, or covert actions) were undertaken by Lansdale. While some were admirable, such as focusing on good governance of villages and proper conduct of soldiers as to decrease the appeal of the Huks vis a vis the government, others were certainly against international law (such as killing, and then draining an enemy soldier of blood to convince the superstitious enemy army that there was a vampire on the hill they were staying. The move, which involved the mutilation of a corpse and is strictly against international law, worked and scared the enemy enough to leave the hill they had occupied). What both action did have in common was that they were intended not to destroy the military forces of the Huks, but to destroy their morale and restrict their ability to maneuver by changing opinion towards them. It was information warfare aimed at civilian populations to reduce the appeal of the enemy, and increase the appeal of the allied government. (The Road Not Taken: Edward Lansdale and the American Tragedy in Vietnam, Max Boot)

Rare footage of the Huk vampire.

Rare footage of the Huk vampire.

What each of these historical examples show is that states, when not bound by treaty (and sometimes even when bound) will do what they must to get what they can. This includes interfering with another state’s population. The only true stop on the actions a state can take is the deterrence level associated with the action in question, which can make the costs of an action outweigh any benefits gained by it. When the action is undeterrable, either because no deterrence has been created for it or because for whatever reason it is legitimately undeterrable, we should expect the states which can use the method in question, whatever it might be, to do so.

 

Theory

Now, as I said at the beginning of this paper, it is not surprising nor particularly unethical that Russia attacked the United States via cyber operations. Countries are constantly engaged in struggles against each other, and the continually improving ability to engage in low intensity and hard to attribute warfare against enemies is becoming ever more common.

Make no mistake, cyber operations are a form of warfare, just one that hasn’t been fully defined, and therefore has no viable deterrence yet. This means that while the scope and ability of cyber operations continues to grow, the line where states will respond to those cyber operations, by any means, is poorly defined at best. Several states, like the United States, have defined what type of attack would warrant a kinetic response, such as critical infrastructure, but that’s a red line that leaves the vast majority of state functions below it vulnerable. The problem with cyber is the scope of its potential, the ability to bring down power grids, shut down internet connectivity, spy, blow up reactors/fuel refineries, influence foreign populations, and the list goes on. This in turn makes them massively more dangerous.  This terra incognita makes cyber operations a perfect asymmetric option for states facing democratic countries, because democracies tend to forget that their very democratic process can be targeted for attack.

While some preliminary talks are going on to try to standardize the rules of this warfare, like the Tallinn and Tallinn 2.0 conferences on explicit and implicit cyber warfare, there are no real rules in this realm yet and may not be for the foreseeable future. This means that, regardless of whether the state in question intends to undertake offensive cyber operations itself, it should expect other states to take advantage of the lack of rules. This might be by conducting routine cyber influence operations in the same frequency that they should expect any other type of espionage operations which have not been explicitly defined as “acts of war.” Take, for instance, China’s use of economic warfare on states in its near abroad, which it uses to force states into concessions they would rather not make (War by Other Means, Jennifer Harris/ Robert Blackwill). China’s use of Confucius Academies to re-write history are also a perfect example of a state using seemingly begin institutions for authoritarian policy (How Everything Became War and the Military Became Everything: Tales from the Pentagon, Rosa Brooks).

This expectation also means that countries should be expected to respond to such attacks to build deterrence or undertake active measures to force compellence that defends the national interest. This expectation is forced by the three factors of legitimacy, sovereignty and the national social contract. To put this theoretically, if Sokovia attacked Wakanda via cyber, the people of Wakanda would and should expect their state to undertake actions to ensure 1) Sokovia ceases operations and removes themselves from Wakandan cyberspace and 2) Sokovia will not pursue such endeavors in the future. Further, Wakanda would have to make the deterrence/compellence public to some extent, to extend the deterrence engendered by the Wakandan response to Sokovia to any other cyber-attack that might be thought about from a different state. Not having these two guarantees would be tantamount to ceding Wakandan sovereignty to Sokovia, meaning Wakanda would be either a puppet or failed state.

Wakanda Forever!

Wakanda Forever!

The Russia Hacks

What is truly striking about Russia’s operations against the US are twofold. First, the scale and ambition of the program carried out against the lone global superpower is stunning, showing how much confidence Russia has in its capabilities. Remember, this was not a OPM hack meant to collect data, the Russians actively influenced the US election – showing they didn’t believe the US would retaliate to the extent that it would made the hack pointless, in other words they didn’t believe the US had a deterrence.

Second, Russia seems to be right. When the attack was first revealed, the party which benefited (the US Republican Party) reacted with belligerent disbelief, and many have stayed that way. For the others which have accepted that an attack happened, many absurdly attempt to draw a parallel to US actions in the past to justify the Russian attack on the US. This type of response is ipso facto unamerican, as it denies that the US has the right to sovereignty over its own borders by its own people. If this is the case, then the United States as an entity ceases to exist, instead becoming the client state of any who wish to interfere in it, given they can find a historical precedent (which should not be taken lightly, as the US committed genocide against the natives who lived here not 200 years ago).

While many would like to think that this is just a function of the Republican Party’s unethical spinelessness confronted with a difficult situation, I find it hard to believe that the Democratic Party would have reacted any differently given the tables were turned. The failing of the Republican Party is not a function of corrupt politicians, but a social condition whereby Americans will never admit that they were wrong, nor will they surrender power no matter how ill gotten. This then lends to the idea that, as long as a cyber-attack on the US benefits one side or the other, there will -never- be effective deterrence or compellence, because the benefitting side will block any attempt lest they acknowledge they benefitted from illicit measures. Instead, they declare their own intelligence agencies fraudulent, becoming better enemies of the United States than the hostile actor could ever hope to be.

If, as posited, states do what is in their own interest the US must begin to act aggressively against cyber-warfare by different measures. Active measures can be debated, including retaliatory actions or even pre-emptive strikes, but it should be noted that this is a different type of warfare than has been experienced in the past. Cyber operations constitute pure offense with little to no visible mobilization beforehand, and cannot be intercepted on the way as if it was an invasion fleet sent across the ocean – they can either be struck at pre-emptively or defended against on the spot. Given these choices, to defend not only the national interest but the American people at large, it is preferable to make the battlefield the staging point where an attack would have come from, and not the wires and shops of the US. For instance, it is clear that the US knew about Russian influence efforts prior to the election, and to some extent worked to counter them. Still, due to a possible inability to learn from past mistakes such as 9/11, the Obama Administration preferred to “monitor” the situation and continue to collect intelligence instead of acting – similar to what the CIA did before 9/11 with a known hijacker’s identity.

Passive measures cannot be debated, but for how they are implemented. This includes better information sharing between different intelligence agencies and targets of attempted cyber strikes, social media and other internet technology companies taking responsibility when their platforms are being used as weapons, public information campaigns to inoculate the public from this type of attack in the future, and the two most important, a strong and public deterrence strategy that states how the US will deal with these attacks in the future, and the creation of international norms and laws regulating the use of cyber-warfare. The deterrence strategy needs to be overarching enough to be able to cover any type of permutation of cyber-attacks in the future, with realistic and painful deterrents, not just sanctions, included. Most importantly – the deterrence strategy needs to be followed through, regardless of the economic pain that it puts on the US. No one doubts the capability of the US to inflict significant amounts of pain on who or whatever it truly wishes to, but they do doubt its resolve. Norms and international laws, while unable to overtly protect states, implicitly limit the battlefield and make miscalculation and escalation less of a possibility.

 

Conclusion

State competition in the cyber age is going to be something that is incomprehensible to those who came before us. It is a world where a country can disable the entire electrical grid of another without having to come within 1,000,000 miles of the place. But it is not unprecedented. Before Richelieu no one could imagine an avowed Catholic state defending heresy for its own gain. Before Napoleon, no one could imagine a state wantonly drafting its entire population into war on the basis of nationalism. Before The Great War, no one could imagine using flying vehicles to bomb and shoot at their enemy. Before WWII, few could imagine the revolution the atom would bring to the world. Not to belabor the point, while the methods of waging war have changed, state competition in itself has not changed – and will not change for the foreseeable future. Let’s hope that it doesn’t take a major war for the citizens of the US to see just how serious cyber will be.