Yelena Chernenko has a PhD in History and is head of the international section at the Kommersant newspaper.
Resume: The leaders of major cyber powers have declared an intent to restrict their actions in virtual space. This new weapon looks too lucrative indeed. Major crises will be unavoidable until the main players realize that mutual restrictions and the rules of the game are crucial.
As the 2016 U.S. presidential election drew near, tensions over cybersecurity issues heated up. On November 5, just three days before U.S. voters went to the polls, NBC News quoted a senior anonymous intelligence official and some classified documents as saying that “U.S. military hackers have penetrated Russia’s electric grid, telecommunications networks, and the Kremlin’s command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary.”
“The cyber weapons would only be deployed in the unlikely event the U.S. was attacked in a significant way,” U.S. officials said. They continued to express concern that Russia “would use its cyber capabilities to try to disrupt the forthcoming presidential election.” According to NBC News, many U.S. intelligence officials “anticipate so-called cyber mischief, including the possible release of fake documents and the proliferation of bogus social media accounts designed to spread misinformation.”
This leak was most likely deliberate and authorized. Moreover, what makes the leak so important is not just the outspoken threat it contains. If all that has been said on this score is really true (or at least a declaration of intent), the point at hand is in fact the possibility of applying the principle of an “imminent retaliatory strike”—a cornerstone of strategic nuclear stability since the 1950s—to the modern cyberspace. In all likelihood, this may encourage significant efforts to establish a certain code of conduct, quite similar to the one the Soviet Union and the United States abided by in their standoff starting in the early 1960s. So far the leaders of major cyber powers have confined themselves to declaring an intent to restrict their actions in virtual space, but nothing identical to the non-proliferation of weapons or weapons control agreements has been discussed in earnest yet. This new weapon looks too lucrative indeed. Major crises will be unavoidable until the main players realize that mutual restrictions and the rules of the game are crucial.
For the first time, the U.S. officially accused the Russian authorities of staging hacker attacks one month before the election. In a special statement published on October 7, the Department of Homeland Security and the Office of the Director of National Intelligence claimed that Russian hackers penetrated e-mail servers of U.S. citizens, political organizations, and government agencies with the aim of intervening in the electoral process in the country. The secret services argued that given the “scope and sensitivity of these efforts only Russia’s senior-most officials could have authorized these activities.” First and foremost, it was a direct reference to attacks against Democratic Party servers.
Previously, the U.S. had brought official charges of complicity in cyber sabotage only against China, North Korea, and Iran. It should not be ruled out that more U.S. sanctions against Russia may be due: back in 2015 the U.S. president assumed the right to punish cyber aggressors in this way.
Russia dismissed the U.S. authorities’ accusations as “nonsense.” The Russian Foreign Ministry added that “documentary evidence of such fundamental charges is utterly absent.”
“The U.S. Administration is either unable to piece together a set of arguments or the charges were invented by those in Washington who obviously work under a political contract to fan unprecedented anti-Russian hysteria,” the Russian Foreign Ministry said.
This is a landmark event that indicates cyberspace, which has been booming ever since the 1990s, has not yet turned into a uniting medium or a domain of practical cooperation by the leading powers, but turned into yet another scene of confrontation among them. This is true of not only Russia and the U.S.; the cyber weapons race is well underway. Secret services use the potential of cyberspace for covert operations, including those targeting allied countries. Corporations sustain tremendous losses due to industrial cyberespionage, quite often encouraged at the government level. Of late, hacking techniques and know-hows were frequently employed in world politics to attain geopolitical aims and settle scores with opponents.
In this situation, calls have been increasingly frequent to create a code of responsible behavior for countries in cyberspace. U.S. President Barack Obama urged this once again in September 2016. Notably, Russia was the first to propose measures to prevent the use of the World Wide Web for criminal intent in the United Nations in 1998. However, a breakthrough came only in 2015, when a UN group of governmental experts released a consensus report naming for the first time the basic principles all states should abide by in cyberspace. Russia hopes that the UN General Assembly in 2017 will vote for a special resolution containing these (and possibly some other) norms. The problem is that such resolutions are not mandatory, but mere recommendations. Only binding restrictions, like those concerning weapons of mass destruction, will succeed in making cyberspace safer. Alas, no such legal act is likely to see light in the upcoming years.
A new domain of operations
It takes just one little piece of news to illustrate how strongly the technological breakthrough of the past 25 years has changed the world. In August 2016, NATO officially recognized cyberspace as a “domain of operations.” Previously, the alliance had applied this term only to land, sea, air, and outer space. Now there has emerged a fifth, man-made medium.
The U.S. was the first country to award such a status to virtual space. In May 2011, the U.S. adopted a government action strategy in cyberspace to reserve the right to respond to computer sabotage with available means, including nuclear weapons. In December 2011, Russia took a similar stance in the Defense Ministry’s Conceptual Views on the Activity of the Armed Forces of the Russian Federation in Information Space. With this in mind, one will easily agree that this decision by NATO looks quite expected and even somewhat belated.
What practical consequences the recognition of a fifth medium as yet another scene of potential clashes will entail remains anyone’s guess. There are disagreements within NATO, which has spread the principle of collective defense to cyberspace (Article 5 of the Washington Treaty). Ideally this should mean that in the event of a cyberattack against any individual member-state, the entire alliance should retaliate. But nothing is said anywhere about how strong the potential harm has to be in order to trigger such a response. Nor is there any hint at how NATO plans to go about the problem of attribution (and identifying a cyber-aggressor with 100-percent certainty is extremely hard).
Many U.S. and European experts maintain that the DDoS attacks on Estonian resources in 2007 (during the row over the relocation of the Bronze Soldier Memorial, a Soviet-era war memorial) were the first instance of a cyberwar between countries. In the end, the harm was minimal (the websites of several Estonian government offices and banks were stalled for just a few hours). No proof that Russia’s government agencies were responsible has ever been presented (although certain suspicions do exist that the sabotage was staged by a pro-Kremlin youth movement). Whatever the case, the Estonian authorities turned to their NATO allies for help. The principle of collective defense was not applicable to cyberspace at that time, so nobody put Estonia under protection. Now the rules have changed, but it is totally unclear how they will be used.
Still more questions arise when the focus is on the applicability of existing international law (above all humanitarian) to cyberspace. In 2013, the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE), established in Tallinn a year after the war memorial affair, published a 300-page document entitled “The Tallinn Manual on the International Law Applicable to Cyber Warfare.” For the first time it presented algorithms of action to be taken by countries and military alliances in response to large-scale cyberattacks. The purpose of the document was to prove that the existing international legal rules were good enough for cyberspace, too. Consequently, in defiance of all the arguments presented by Russia and some other countries, no new laws are required at all.
This manual is worth reading at least to find out what future conflicts might look like. The largest section of the manual is devoted to cyberattacks accompanying traditional armed conflicts. These conflicts, if the manual’s authors are to be believed, should fall under the operation of all rules of international humanitarian law, including the recognition of participants in and organizers of computer sabotage as combatants, who may be taken prisoner or killed.
The manual adjusts many other legal provisions concerning armed conflicts to cyberspace specifics. It is prohibited to conduct cyber operations against civilians (except for members of paramilitary militias) and facilities, for instance, hospitals. Attacks against dams and nuclear power plants should be carried out with the utmost caution in order to minimize civilian casualties. In using computer malware to restrict the enemy’s power supply by disrupting the operation of nuclear power plants, NATO experts recommend putting special emphasis on maintaining the “continued integrity of the reactor’s cooling system.”
Also, the manual explains in great detail in what other situations civilian facilities can be attacked. For instance, “a factory that produces computer hardware or software under contract with the enemy’s armed forces is a military objective by use, even if it also produces items for other purposes than military.” And a cyber operation against a water reservoir’s Supervisory Control and Data Acquisition (SCADA) system might be employed to release water into an area in which enemy military operations are expected, thereby denying its use to the enemy.”
The Russian authorities responded to the Tallinn Manual with great caution. Russia interpreted that document as a step towards legitimating the very idea of cyber warfare, something Russia opposed for the first time in 1998.
Russia mounts a peace offensive
In 1997 switches in a utility substation in San Francisco were turned off for unclear reasons to cause a 24-hour power blackout affecting 125,000 local residents. A few days later the U.S. Senate held special hearings on the issue. For the first time a term was proposed that has since been eagerly repeated by alarm-minded cyber-security experts: ‘electronic Pearl Harbor.’ Coined by U.S. Deputy Secretary of Defense John Hamre, it was used as a warning against what some enemies might plot with the use of modern technologies. Hamre was certain that next time an attack would be targeted not against a naval base, but against one of the country’s critically important infrastructures (a nuclear power plant or a dam).
However, it was not the U.S., but Russia that was the first to urge restrictions on how far individual countries might go in cyberspace. In September 1998, Russian Foreign Minister Igor Ivanov addressed UN Secretary-General Kofi Annan with a special message saying it was essential to prevent the militarization of virtual space. The chief Russian diplomat warned that the devastating effects of cyber weapons might be as serious as those of weapons of mass destruction. That message was used as the basis for what would become a resolution called “Developments in the Field of Information and Telecommunications in the Context of International Security,” which Russia presented at the 53rd UN General Assembly session. The resolution was passed unanimously. Since then Russia has been updating the resolution and proposing it for consideration by the UN General Assembly every year. By tradition the General Assembly approves the document, but this ritual entails no practical effects.
In the summer of 2011, Russia took the first steps to promote an International Convention on Information Security at the UN, which would discuss rules to control the Internet in accordance with military, political, criminal, and terrorist challenges. Alongside a ban on using the World Wide Web to intervene in the affairs of other countries and for ousting unwanted governments, Russia suggested giving national governments great freedom of action within the “national segments” of the Internet. Among other things the draft proposed a ban on the militarization of cyberspace and, in particular, on the prevention of using information technologies for hostile actions, including hacker attacks.
That initiative achieved little, though. The U.S. and its allies interpreted it as an attempt by a weaker party to restrict the opportunities of a stronger one. The U.S. dismissed the proposal for prohibiting the development of offensive cyber technologies as “unrealistic.” It argued that traditional agreements (such as equivalents of the Non-Proliferation Treaty—NPT) would be ineffective in cyberspace. The idea of applying the principle of non-intervention in the internal affairs of countries to the Internet and giving more powers to national governments was slammed as an attempt to impose censorship and government control over the web.
The activities of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications, created in 2004, have been difficult (Russia’s Andrei Krutskikh was its first chairman; currently he holds the position of special presidential envoy for international cooperation in the field of international information security). After wasting several years on terminological and procedural disputes, the group only managed to achieve a breakthrough in 2015, when it submitted its report to the UN Secretary-General for consideration. This report might hypothetically lay the groundwork for a global electronic non-aggression pact.
In accordance with the agreements achieved within the group’s framework, countries would pledge to use cyber technologies exclusively for peaceful purposes. In addition, they would promise not to attack each other’s crucial infrastructures (nuclear power plants, banks, transport control systems, etc.), stop infecting their IT products with malcodes, refrain from accusing each other of cyberattacks, and take steps to combat hackers who carry out acts of IT sabotage from their national territories or via these territories.
True, this code of conduct for cyberspace still remains a declaration of intent because the group’ report imposes no commitments. The Russian authorities expect that a UN General Assembly session will adopt a special resolution in support of the report in 2017, thus considerably enhancing its importance. But even then the resolution will not become law, because all of the UN General Assembly resolutions are of advisory nature.
An equivalent to the agreements on the non-proliferation of nuclear weapons or arms control might have made cyberspace far safer. However, just one look at how much time the UN group of experts spent on formulating just a handful of voluntary restrictions is enough to understand how hard it will be to expect the emergence of legally binding rules. The adopted rules will be very hard to enforce because of the specific traits of cyberspace. Unlike computer malware, a nuclear missile is hard to hide. There are still fewer problems with finding out where a missile was launched and who is responsible. Not so in cyberspace, where exposing the aggressor is far more difficult.
A Huge disservice
Control and verification matters are not the sole stumbling block. Ever more obvious is that despite what politicians have said in public, not a single cyber power, including Russia, feels any significant need for such an agreement. Aware of the advantages of cutting-edge technologies, governments are in no hurry to restrict themselves in using them—not on paper, but in real life; which merely multiplies threats coming from cyberspace.
The militaries are very skeptical about the idea of restrictions, as they pin great hopes on cyber weapons. In the Pentagon’s new cyber strategy of 2015 the U.S. military expects that offensive capabilities in cyberspace will make it possible to put a hypothetical enemy’s command and control systems out of order and strip the opponent of the capability to use weapons. Many other countries, including Russia and China, have placed their bets on cyber weapons.
For the secret services, cyberspace has become the most popular theme park ride. The details of covert operations by the U.S. intelligence in the World Wide Web, revealed by National Security Agency whistleblower Edward Snowden, are stunning. Far less is known about the capabilities of Russian and Chinese secret services, but there can be little doubt they use the potential of information and communication technologies in their activities to the maximum extent possible.
In politics and diplomacy, though, this potential is tapped in the most creative way. In this respect the U.S. is certainly the frontrunner. Within the framework of the “digital diplomacy” concept that emerged when Hillary Clinton was U.S. Secretary of State, the U.S. started using new technologies for the sake of attaining its foreign policy aims. The Voice of America has given way to social networks and microblogs; crash courses for dissidents have ceded their function to online games, and coded and microfilmed messages have been replaced by the shadow Internet and independent mobile communication networks.
Naturally, the Russian authorities are very suspicious about such methods as attempts at intervention in the internal affairs of states. A large share of Russian diplomatic initiatives (including the 2011 Convention on International Information Security) was aimed at putting an end to such practices. Incidentally, cyber warfare charges addressed to Russia have been heard increasingly often of late.
It all began with the hack into the U.S. National Democratic Committee. Unknown perpetrators reportedly used computer malware to gain access to the e-mails of the Democratic Party’s leadership, downloaded several thousand messages, and passed them on to the portal WikiLeaks. As followed from the leaked correspondence, the Democratic Party’s key figures played into Hillary Clinton’s hands by ridiculing and criticizing her rival, Bernie Sanders. A mighty row erupted virtually in no time. Debbie Wasserman Schultz, chairperson of the Democratic National Committee, had to step down.
The research team CrowdStrike, which the Democrats hired to probe into the affair, claimed that there were two groups behind the attack, both presumably with connections to Russian special services. One was called Fancy Bear and the other Cozy Bear. U.S. analysts suspect that both have repeatedly hacked government, military, information, and commercial resources around the globe since the mid-2000s. CrowdStrike specialists provided a number of arguments to back up their theory, but certainly not enough to make an unambiguous conclusion that Russian special services were somehow involved in the affair.
Yet Hillary Clinton blamed the cyberattack on Russia, which, she argued, was keen to bolster Donald Trump’s popularity ratings. For several months, the U.S. authorities refrained from official charges against the Kremlin. U.S. intelligence and law enforcement officials agreed to say only on condition of anonymity that they were investigating a Russian connection. The official charges were pronounced loudly and clearly only on October 7, as relations between the U.S. and Russia had plummeted to a record low over the developments in Syria. Shortly after that, WikiLeaks published another portion of disclosures; this time e-mails received and sent by John Podesta, the leader of Clinton’s election team. Podesta was quick to point an accusing finger at Russia.
Russia dismissed all the charges, of course. President Vladimir Putin urged far greater attention to what was presented to the eyes of the public at large instead of focusing on matters of secondary importance, such as trying to find out who was behind the hacks. A hefty dose of irony over his opponents it was. Putin said as much when hackers got into the database of the World Anti-Doping Agency (WADA) and everybody learned that quite a few well-known Western professional athletes had been allowed to take prohibited substances ostensibly for health reasons.
WADA officials accused the Russian authorities of sabotage, but failed to present any irrefutable evidence. Did the Russian special services have the capability to hack into the U.S. Democratic Party and WADA servers? They did. Is it possible that they may have been interested in this? It is. Russia obviously preferred to see Trump win and Clinton lose. In addition, the Clinton-Sanders affair demonstrated perfectly well the hypocrisy of politicians and the flaws of a political system that tries to position itself as an example of democracy for the entire world to replicate. As for the media reports about doping substances used by U.S. athletes as “daily meal,” as Kyrgyzstan’s President Almazbek Atambayev put it, they placed their Russian counterparts, barred from the Rio Olympics, in a far more favorable light.
But did the Russian services in question actually do what they are thought to have done? More information is needed for an answer. However, although many pieces of evidence may be available at this point, it will be very hard to arrive at an unequivocal conclusion that it was Russian government agencies that were behind all those incidents. That is how cyberspace works and what makes it a very attractive instrument to politicians. At the same time, the nature of cyberspace reduces the chances that mandatory rules of behavior for countries in this medium can be adopted.