Russian involvement in the US presidential election, as formally alleged by the Obama administration, represents a constitutional moment for state conduct in cyberspace. On the one hand, it could catalyze disruptive and potentially destabilizing activities on digital networks by nation-states. This scenario looks likely in the short term. On the other hand, this period could spur the creation of international instruments to regulate the behavior of states and their proxies, though a treaty, say, for the “peaceful uses of cyberspace,” is in any case many years away.
To states that do not have the capacity to execute sophisticated cyber attacks, the US-Russia confrontation over the presidential elections offers three conclusions:
First, that it is possible to destabilize digital infrastructure without violating international law. Certainly, the Obama administration appears to have concluded that the Russian election hacks were not in breach of any international obligation. Even if the US were to attribute the attacks to Russia with a high degree of confidence at an international platform, its own domestic regulations of the time did not label electoral systems as “critical infrastructure” (CI). This raises the question—what exactly is Moscow liable for? Russia would not be in violation of even the basic cyber norm of avoiding attacks against another’s CI. Complications on this point stem from the decision of the UN Group of Governmental Experts in 2013 and 2015 not to define “critical infrastructure,” allowing expansive national interpretations of the term. Ironically, this created a coordination problem—in the absence of legal standards that apply across jurisdictions, states are free to target the CI of others. Labeling an industry “critical” has the benefit of directing domestic funds and resources to map its vulnerabilities, so as to raise its defenses. However, domestic law alone does little to signal to a foreign party that attacks against CI will face consequences at the international level.
The US response to the alleged Russian hacks established that even the most advanced cyber power can do little to deter disruptive conduct on digital networks. Perhaps given that the intrusions violated no international obligation, the Obama administration limited its (public) response to expelling Russian diplomats from the country. And even if the US launched a devastating covert counter-attack on Russia’s digital infrastructure, this does not help establish a precedent that deters foreign adversaries and lends strategic stability to cyberspace. Granted, the twin problems of signaling and deterrence in international relations are not limited to cyber weapons alone. Disruptive or malicious digital tools are different from other dual use technologies, however, in that they cannot possibly be limited by export control regimes. For now, states will exploit this legal vacuum to build their capabilities and test the response of their adversaries. And the election hacking has shown that such actions need not cross a threshold that invites retaliatory measures.
The second lesson from the current US-Russia standoff for smaller states is that responses to “cyber” activities will likely be, at least in large part, “non-cyber.” As the US Director of National Intelligence James Clapper’s recently testified before the Senate Armed Services Committee, it is difficult to control escalation in conflicts involving digital networks, given that most countries do not know the disruptive capacity of their adversaries. “The problem is […] not knowing if you do retaliate in the cyber context, not knowing exactly what counter-retaliation you’ll get back,” said Clapper.
Countries that cannot claim conventional superiority in battle will have an incentive to use cyber weapons, knowing that the adversary’s response will be predictable, “non-cyber” and moderated. The international legal thresholds around necessary and proportionate responses to the use of force by other states are well developed, as is the high standard for acts that qualify as an “armed attack” under the UN Charter. A devastating cyber attack against critical infrastructure will probably qualify as one, but countries can get away with a whole range of less destructive actions that do not elicit any conventional response of consequence.
And third, smaller states will be mindful of the regime-setting potential of this episode. Almost every major confrontation between the United States and Russia in the 20th century has been followed by the establishment of plurilateral instruments to prevent further escalation. The Castle Bravo tests by the United States in 1954 and the Cuban Missile Crisis triggered discussions around the Partial Test Ban Treaty (PTBT), one of the earliest instruments to regulate the use of nuclear weapons. The launch of Sputnik 1 by the Soviet Union in 1957 prompted the United States to engage the USSR in discussions on the “peaceful uses” of outer space. After the Cold War, Russia and the United States worked together to create the Wassenaar Arrangement, which replaced the West-led Coordinating Committee for Multilateral Export Controls (COCOM) but needed Russian support to limit the transfer of “sensitive” technologies to smaller states. Far from taking sides in the US-Russia contest for superiority in cyberspace, many states will thus be wary of a scenario where both countries come together to create new instruments of international law. To preempt this development, they are likely to build their offensive cyber capabilities, even announce their military doctrines around the exploitation of digital networks.
Messages of rapprochement towards Moscow from the Trump administration will also lead states to believe Russia and the United States will cooperate in the near future to design regimes around cyberspace. This is not a bad outcome: countries that have contributed positively to the creation of international law, like India, are likely to join a non-partisan, regime building effort. If the conversations between Russia and the United States prove bilateral and exclusionary, however, many states may be tempted to stay away from any consequent regime.
The United States would do well to engage its major partners—France, Germany, Japan and India, for instance—and jointly assess how best to respond to future incidents. In exercising strategic restraint, perhaps the United States government is also mindful of the example that it would set. However, the capacities and motivations of smaller states—almost all of whom can readily access exploits and zero day vulnerabilities—are different from that of Russia or the US. For the reasons mentioned here, they will be emboldened by the election hacking episode. International legal instruments eliciting strong commitments from states and prescribing punitive measures for non-compliance offer the brightest prospects for cyber stability. United States and Russia should drive their creation, with active involvement from other major players.