Moisés Naím

View Original

Why Democracies Are at a Disadvantage in Cyber Wars

Moisés Naím Columbia Journal for International Affairs, Special 70th Anniversary Issue

“War is God’s way of teaching Americans geography.” This well-known quip that satirist Ambrose Bierce made late in the nineteenth century has a contemporary version: “Attacks against the United States are God’s way of teaching Americans how weaker enemies are stronger than they seem.”

Osama bin Laden and al-Qaeda are of course the paradigmatic examples of this. They taught Americans, and indeed the rest of the world, what “asymmetric warfare” is. After 9/11 it became tragically clear what that concept meant. It is an armed conflict between two sides with significantly different military power and substantially different strategies, tactics, and weapons.

In this case, 19 suicidal terrorists armed with box cutters gained control of three commercial jetliners and used them to strike against some of the most sensitive and symbolic targets of the most powerful and technologically advanced nation in the world. Al-Qaeda spent an estimated $500,000 on the attacks that killed almost 3,000 people and caused hundreds of billions of dollars in material losses. The reactions to the attacks were even larger and more consequential, notably the longest war ever fought by the United States (in Afghanistan) and the third longest (in Iraq). According to Joseph Stiglitz and Linda Bilmes these two wars cost between $3 trillion and $5 trillion. Moreover, the geopolitical disruptions created by 9/11 and the reactions to that day’s attacks are still shaping today’s world.

Recently, America has been rocked by a new kind of asymmetric war. This one is taking place in cyberspace. The reason why this new conflict is asymmetrical is because liberal democracies are at a distinct disadvantage when waging cyber wars against authoritarian regimes and illiberal democracies. The disadvantage is not technological. The United States is the world’s undisputed leader in the information technologies needed to wage cyber wars. Instead, its competitive disadvantage stems for the fact that its authoritarian rivals do not have the legal, institutional, and political constraints or the checks and balances of a democracy.  

Another factor that hampers the competitiveness of democracies in cyber wars is that democracies need more time to act than dictatorships. Democracies are not meant to function quickly—checks and balances get in the way. And in cyber campaigns, time matters both in planning and execution. Democracies have yet to adapt, making Western institutions uniquely constrained by the need for compromise across disparate bureaucratic organizations. In contrast, it is safe to assume that the bureaucracies of autocratic countries like Russia take less time to carry out an order coming from the top on average than say the time it takes for the orders of the U.S. president to be executed.

Furthermore, democratic values protect, and in some odd way might actually incentivize, leakers. In an autocracy, it is easier to hide governmental misdeeds, and to make those who disobey orders or even implicit norms just disappear. If an imitator of Edward Snowden appears in Russia, he’ll be executed pretty quickly (and his family, friends, and other people he loves might have their lives ruined as well). The legal protections individuals enjoy in the West make it harder to deter this type of behavior—and rightly so. But the cost of leaking in an autocratic society is far greater than anywhere with liberal values.

Thus, if Osama bin Laden and al-Qaeda taught Americans what a kinetic asymmetric war is, WikiLeaks and the Kremlin are now teaching us what a cyber asymmetric war is. While the first relies on kinetic energy to kill people, destroy buildings, and disable critical infrastructure, the second uses the Internet and other cyber tools to damage institutions that are critical for the functioning of a democratic government.  

A Cyber Pearl Harbor?

Again, a concrete example makes it easy to understand what a cyber asymmetric war is. In January 2017, the Office of the Director of National Intelligence of the United States released a report that summarized the non-classified findings and assessments of the Central Intelligence Agency, Federal Bureau of Investigation, and National Security Agency. The main conclusions of Assessing Russian Activities and Intentions in Recent US Elections are:

  • “Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations.”

  • “We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments.”

  • “We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him.”

  • “Moscow’s approach evolved over the course of the campaign based on Russia’s understanding of the electoral prospects of the two main candidates. When it appeared to Moscow that Secretary Clinton was likely to win the election, the Russian influence campaign began to focus more on undermining her future presidency.”

  • “Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’”

  • “We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.”

  • “We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.”

  • “Russia collected on some Republican-affiliated targets but did not conduct a comparable disclosure campaign.”

In 2012, Leon Panetta, then U.S. secretary of defense, gave a speech, warning that the United States was facing the possibility of a “cyber Pearl Harbor.” His message was that the United States was increasingly vulnerable to foreign cyber attacks that could dismantle the nation’s power grid, transportation system, financial networks, and government. In his speech, Panetta said that an “aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches” and they “could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” This may involve “cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack.” This, Panetta warned, could be akin to a “cyber Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”

While this kind of full-blown, cyber Pearl Harbor envisioned by Panetta has not materialized yet, the report released by the intelligence community clearly shows that the United States was the victim of a political cyber Pearl Harbor. 

This time “the day that will live in infamy” (or the many “months of infamy” that Russia’s political cyber attack are likely to have lasted) did not cause losses of American lives nor the destruction of military assets like those wrought by the Japanese attack on Pearl Harbor in December 1941. But, as the report of the intelligence agencies meticulously describes, it was an attempt to tilt the results of the U.S. election in favor of Russia’s national interest. It may not have destroyed buildings, but it did damage institutions that are critical pillars of America’s democracy and therefore important sources of its strength at home and abroad.

Democracies too are using cyber attacks against non-democratic states. Perhaps the best known example is Stuxnet, the successful attack, most likely by the United States, that used a malicious computer worm to sabotage Iran’s nuclear program. And it is safe to assume that countries that have these capabilities are stealthily using them against their rivals. As a member of president Obama’s Council of Advisors on Science and Technology told me: “The Internet is now fully weaponized.”

But, so far, the main political victims of cyber attackers have been leaders and public figures in democratic countries—especially the United States. We are yet to read in WikiLeaks compromising or embarrassing revelations about high-ranking government officials or political leaders in Russia, China, Iran, or other autocratic nations. And, as already noted, in most authoritarian regimes, whistleblowers pay with their lives for their revelations. It is not an accident that we have yet to read the information leaked by a Russian, Chinese, North Korean, or Cuban leaker.

Globalizing Political Cyber Attacks

Surely, the United States is not the only democracy vulnerable to political cyber attacks from its non-democratic rivals. While the report by the U.S. intelligence community centered on Russian activities and intentions only against the United States, one of its conclusions points to a much broader implication:

  • “We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes.”

In 2017, several European countries will hold general elections and referenda that can drastically alter the European Union and the old continent’s policies toward Russia. Candidates in Germany, France, and the Netherlands are promising that, if elected, they will push their nations to follow the United Kingdom in exiting the EU. This would greatly please Russia’s leaders and we know that the Kremlin has both the means and the will to interfere in democratic elections around the world.

Both the United States and the European Union have imposed stern economic sanctions on Russia in retaliation for its takeover of Crimea and for its continuing efforts to destabilize Ukraine. Getting the United States and the EU to lift the sanctions is a national priority for the Russian government. Therefore, getting leaders elected that will cut sanctions would be a huge success for the Kremlin. Additionally, Putin has long despised NATO, a military alliance that he sees as a threat to Russia. And President Trump has dismissed NATO as “obsolete” and a “bad deal” because its European members contribute less financially than the United States. Again, having NATO members governed by leaders that are skeptical of its mission would be a great win for Putin.

How Should Democracies Respond?

The irony in all of this is that the United States and some European countries have assembled the strongest and fiercest killing institutions (military, intelligence, etc.) the world has ever known. Far more lethal than autocracies. To do this, the military has had to culturally readapt its members and its institutions, and there’s no reason why they can’t do that in the cyber arena.

But why has the West not made the necessary reforms to adapt to the changing landscape? Why has it let countries like Russia get the upper hand, not in capabilities, but in practice?

One answer is that Western institutions only react and change after a Pearl Harbor. Perhaps the real significance of the Pearl Harbor analogy is not that it is going to happen and be horrific, but that the United States will change its ways only after being shocked by a catastrophic event. It remains to be seen if the political Pearl Harbor just inflicted in the United States is enough of a shock to produce the reforms needed to ensure that the nation’s technological prowess in cyberspace is matched by its institutional capabilities.