Winter is Coming

 

Let’s start with what we know.  Russia hacked into both the Democratic and Republican National Committees before the U.S. Presidential election.  We can safely assume that it’s still happening.  How and what Russia specifically accomplished are unknown, but Russian cyber capabilities are without a doubt well-advanced and U.S. intelligence analysts were not surprised.  There is ample speculation as to why Russia did what they did and it leads to the same conclusion…to influence the U.S. election in favor of President-elect Donald Trump.

 This was a Russian “influence operation” – an effort to send information or disinformation to a target audience, in this case U.S. voters, to cause doubt or worry about the resilience and legitimacy of the U.S. electoral system.

 The argument that now dominates the analysis is whether Russia was actually able to produce their desired outcome…to help get Donald Trump elected.  If the premise is that Russia preferred a Donald Trump presidency to a Hillary Clinton presidency, then the conclusion can be easily if not accurately validated.  Russia’s hacking helped give us President-elect Trump.  However, we will never be able to draw that conclusion, albeit many have already proclaimed it the new “slam dunk.”  President-elect Trump’s victory is not in question, but the fact that we are talking about its legitimacy means Russia’s influence operation was a success.  Russia gets a win here.

 Taking a step back, the broader strategic issue is not the legitimacy of the outcome of our election or Russian intrusion into it via the internet.  The issue with the internet is that it is a new domain of competition that remains largely ungoverned.  In military terms, cyber is the new domain of war.  The law of war is a legal term describing and legitimizing war and the justifications for it.  These laws address how wars are declared, military necessity and proportionality, and prohibitions on certain weapons.  From these, we’ve derived the laws of land warfare, armed conflict at sea, and air war legitimacy.  By contrast, there are no similar rules prescribing behavior in cyberspace.  There should be.

 Anyone can do just about anything online.  We know that.  Cyber presence affords an anonymity that sadly, but predictably, encourages bad behavior.  Its prevalence and routine make the risks of misuse personal.  Currently, the misuse by Russia is political and we are right to be outraged.  However, the risk of a directed cyber operation to create an outcome has a consequence far greater than personal or political.  The risks are existential.  If not addressed, 300 years of U.S. history are at risk and this experiment of democracy teeters.

 After the Soviets’ successful nuclear test in 1949, nuclear competition with the U.S. created a coerced (thank goodness!) and cooperative understanding between Moscow and Washington that unchecked nuclear development was both limitless and pointless.  Mutually assured destruction, or “MAD”, convinced us both that something had to be done to reduce the threat of complete annihilation.

 Capabilities online to conduct both offensive and defensive computer operations put us at risk not dissimilar to a cyber MAD.  As we’ve witnessed, there is an increasingly precise capability to have a persistent presence online, to move anywhere, to linger anywhere, to peer over the shoulder, and to gather intelligence.

 This can be done by the voyeuristic or the trained.  The tools and skills are available to either.  Not surprisingly, we respond only to pain…far more than pleasure.  The pain right now is political meddling by the Russians in our Presidential election through a very prescribed computer operation.  It’s bold, intrusive, disruptive, and many have labeled it an “act of war.”  That may be a stretch, but it is where we are.

 Russia and many other nations and non-state actors use the internet to conduct their business…whatever that business is – legal, illegal or illicit.  The skills of these cyber warriors persistently grow asymptomatically, yet the competition is undefined.  There are no lanes, no finish line, no prescribed number of participants, no rules.  It’s time we create some.

 Unchecked cyber operations can and have gotten well beyond individual criminal malfeasance or political influence operations.  We are on the edge of a “cyber winter” where financial systems are at risk.  Supervisory Control and Data Acquisition (SCADA) systems that use computers and networked data communications to interface with machinery like electric grids, power plants, dams, traffic lights and emergency communications are at risk.  We don’t have enough hand pumps to draw water from underground wells.  We don’t even use underground wells anymore!  Traffic pile ups will occur; there will be a rush for gas; food on store shelves will spoil.  What access there is to the internet will be tightly controlled.  We won’t be able to stay in simple communications with each other.

 We will be out of touch and we will panic.

 This is a nightmare scenario, but it’s our next reality if we choose the easier wrong and not the harder right.  The harder right requires us (in this case the U.S. and Russia) to acknowledge the enormous cost of inaction.  The United States and Russia must cooperate and agree that we have everything to lose if we don’t govern our actions online.

 In 1929, the USSR and the U.S. agreed that the threat of nuclear war was existential and real.  Left unchecked, the effects were irreversible.  The Strategic Arms Limitation Talks (SALT I and II) were followed by the Strategic Arms Reduction Talks (START I and II).  Signed in 2011, New START governs the nuclear “relationship” between the U.S. and the Russian Federation.

 Today, we need to have the same diplomatic resolve to recognize and proclaim the menace of cyber terrorism and the existential threat of coordinated cyber-attacks.  Forty years ago, a nuclear winter was a shared picture of a real threat.  A similar “winter is coming” if not interrupted now.

 We used to call cooperation with the Soviet Union détente.  No panacea, but détente provided codified and accepted rules to govern behavior…even bad behavior.  There were limits.  We need limits today.

 A new administration will establish new norms in our relationship with Russia.  There are many areas where trust-building measures can be prescribed and tested.  Syria is not one of those.  There’s too much at immediate risk by trying to coordinate tactical military operations with the Russian military in a hot war in the Middle East with no previous experience of cooperating on even the simplest of military tasks.  Not a good idea.

 However, the U.S. and Russia can and should embrace the chaos and real danger of ungoverned cyber activity.  This is our shared burden, a place to start our new relationship.  We can work our way through the protocols and construct an agreement that minimally sets some boundaries.  Forty years ago, we were equally incentivized to control the risk of a nuclear world that was a miscalculation away from disaster.  We need to find the incentive to do the same today.

 The threat is no less significant.