Russian indictments: Cybersecurity challenges far beyond the Trump White House

This blog will posit a difficult task for the reader: Focus on the Kremlin, not the Trump White House. While the president may or may not be guilty of the illusive term “collusion,” Special Counsel Robert Mueller’s Russian indictments pose much larger and possibly intractable challenges to US national cybersecurity policy, not least in the rationales for and execution of appropriate retaliation. That these actions came from the Mueller investigation and not from an independent intelligence agency’s surveillance effort only muddies the water with endless cable news shout downs over Trump’s guilt (or not) and the impact on the US presidential election.

Here attention will center on the dimensions of the wide-ranging Russian cyberattack (cyberwarfare?) on the US presidential election and the democratic process. Mueller’s indictment caused me to go back and review the extensive coverage in this blog of the unfolding epic of the past year. Here are some reflections.

First, though to the general public Mueller’s wealth of details regarding the names and myriad of activities from Russian sources is mind-boggling, in reality the US had already charged the Russian government with interfering in the US presidential election in a January 2017 report to President Obama by 17 combined intelligence agencies. That report stated unequivocally: “We assess that President Putin ordered an influence campaign in 2016 at the US presidential election.” At the time, it was noted that the report was big on accusations and light on supporting evidence. As Susan Hennessey of Lawfare was quoted: “This isn’t a remotely risk taking document . . . . It’s clear that those with very conservative views about protecting sources prevailed . . . . The unclassified report is underwhelming at best.”

Flash forward to the Mueller indictments. Here one finds the wealth of detail Susan Hennessey lamented was missing last year — but also bizarrely, no direct connection to Putin and Russian government sources. Robert Mueller’s team, which had little special expertise internally with intelligence sleuthing, clearly was given access to the results of at least four years of US intelligence surveillance of the wide-ranging Russian activities, from cyber espionage to overt political activities to disrupt the election and ultimately denigrate Hillary Clinton. So now we have the strange situation of a direct accusation against the Russian government without details, succeeded by an indictment of nongovernment Russians buttressed by copious details but no direct tie to Mr. Putin.

For the balance of this blog, I want to describe (admittedly with less than adequate detail), two different paths forward in dealing with the Russian cyber incursions.

My AEI colleague John Bolton argues the comprehensive intelligence revelations underpinning Mueller’s indictment provide the opportunity for President Trump to “take tough action.” Specifically, Bolton writes:

What happened in the 2016 campaign was graver even than the “information warfare” alleged in [the] indictment. This is, pure and simple, war against the American idea itself. . . .We need to create structures of deterrence in cyberspace, as we did with nuclear weapons. . . . One way to do that is to engage in a retaliatory campaign against Russia. This should not be proportional to what we have experienced. It should be decidedly disproportionate. The lessons we want Russia (on anyone else) to learn is that the cost to them from future cyberattacks against the United States will be so high that they will simply consign all cyberwarfare plans to their computer memories to gather electronic dust.

Similarly, Andrew McCarthy of National Review challenges the use of the criminal justice system to deal with what he argues is an information war that necessitates a strong response:

We use counterintelligence rather than criminal investigation to thwart foreign adversaries because prosecution is a woefully inadequate response. The point of counterintelligence is to gather information so we can stop our enemies, through meaningful retaliation and discouragement. Generally, that means diplomatic, economic, intelligence, and, in extreme cases, military means. It could mean deploying our own cyber capabilities. . . . This cannot be accomplished by a mere indictment.

Bolton and McCarthy present a strong case for ending the dithering by both Obama and Trump over the proper response to cyberattacks, which have just emboldened adversaries such as North Korea, China, and Russia to test the limits of US capabilities and resolve.

Against these calls for action, there is also a powerful cautionary note advanced by Harvard University’s Jack Goldsmith. Goldsmith, who by no stretch of the imagination can be called “soft” on Russia (or any other potential US adversary), has argued for over a year that the US explore the possibility of reaching some accommodation with the Russians. He has doubled down on his arguments in light of recent events — and with the emergence last fall of a Russian proposal to the Trump administration for a noninterference pact regarding domestic politics. “Noninterference” remains to be spelled out, but it would have the US cease its campaign for “internet freedom” and democracy promotion.

Briefly, Goldsmith bases his “contrarian” arguments on what he considers several stark realities. First, he does not believe the US will be able to raise its defenses adequately to face future cyberattacks by the Russians or other adversaries: “The United States is not close to raising defenses adequately and likely will not in the foreseeable future. Offense has too great an advantage over defense. We have too many soft targets and are constantly surprised when new ones are attacked or exploited.”

Second, Goldsmith argues the US “cannot have its cake and eat it too.” By this he means that we cannot exploit our cyber capabilities to the fullest — including interfering in foreign elections and domestic politics — and expect others to desist in such activities. He writes:

My normative preferences, for what they are worth, are for the United States to exploit its offensive advantages in cyber to collect whatever information serves our national interests, to use this information in ways that serve our interests, and to promote those interests further by spreading the US conception of freedom of speech and thought to other nations.

The question is whether these are realistic goals. I think they are not, given the clear costs that the United States is suffering and will continue to suffer in the cyber realm. I don’t think the United States can continue unabated with all of its aggressive cyber actions abroad — intelligence collection, cyber attacks, information operations, and especially operations that undermine control abroad — if it wants relief from the cyber operations that are proving to be so damaging to US society.

Goldsmith concedes readily that the trade-offs are huge, and knowledgeable critics have called the suggestion “politically infeasible [and] normatively undesirable because it surrenders US human rights leadership in cyberspace.” Still, Goldsmith has raised challenging questions about future US cybersecurity policies and the fraught dilemmas we face.

Whatever the political outcome of the Mueller probe, the debate over the proper response to future cyberattacks, forthrightly set out by Bolton and Goldsmith, should take top and urgent priority.