CyberCom Is Targeting Russia’s Election Meddlers — and Changing How Governments Use Cyber

We learned last week that U.S. Cyber Command is conducting operations against Russian operatives suspected of interfering in U.S. elections. The goal according to the New York Times is “to deter them from spreading disinformation” and “[tell] them that American operatives have identified them and are tracking their work.” Direct messages were apparently sent to these individuals to erase doubt about who attacked them and why.

This episode breaks the mold of what is typically understood as traditional cyberspace behavior. Operations in this domain are rarely coupled with intentional and clear acknowledgement by the perpetrator. Instead, they usually look like Russia’s 2016 election interference where communication is nonexistent and responsibility vehemently denied. Cyber Command’s operation is different and may portend an evolution in how states utilize cyber weapons and what goals they may try to achieve.  

The Logic of Credit Claiming

In a recently published article in the Journal of Global Security Studies, we investigate why states (and nonstate actors) might claim credit for their cyber intrusions and, if they do, whether they will do so discretely or publicly. This research sheds light on why Cyber Command is being unusually direct.

The very fact that they alerted Russian operatives that the attacks were delivered by the United States government is significant. Scholars often assume that anonymity is a defining feature of cyberspace, pervading operations from start to finish. This may indeed be true for most operations to date, where perpetrators do all they can to remain in the shadows indefinitely. Nevertheless, while cyber operations can’t be announced beforehand since doing so provides significant defensive advantages, coming clean afterwards is neither impossible nor uncommon for some.

In fact, nonstate actors like Anonymous, the Syrian Electronic Army, and others routinely claim operations and alert victims. Cyber Command targeting Russian operatives, however, is just one of a handful of cases known to the public where states intentionally claimed their handiwork and coupled it with a clear message to the targets. Interestingly, some policymakers suggested doing something similar during the Stuxnet operation which targeted Iranian nuclear plants. More recently, senior Department of Defense officials have extolled the virtues of “loud,” attributable cyber weapons. Although it’s too soon to tell, there may be greater acceptance among state actors of self-attribution in this domain.

The next logical question is what incentives actors have—states, in this case—to come clean following a cyber operation. Put differently, why did Cyber Command forgo anonymity by communicating directly with Russian operatives? Mission objectives likely played an important role. When a cyber operation can succeed without the target doing anything or changing its behavior, self-attribution is unnecessary and counterproductive. For example, claiming credit during cyber espionage operations would needlessly compromise access and invite retaliation. As an example, China would have gained little by communicating its successful breach of Office of Personnel Management databases in 2015.

Conversely, states are likely to embrace ownership of their operations when pursuing coercion, or goals that require a target to do something (compellence) or to not do something (deterrence). Self-attribution serves two functions in these kinds of cases. First, depending on the sophistication of the attack, it can send a costly signal of resolve and commitment. Second, claiming operations can build prestige, or a reputation for cyber power. For states seeking to leverage their cyber capacities to deter their adversaries, claiming operations can lend much-needed credibility to their coercive demands.

So, what’s going on with recent U.S. operations? Based on what is known so far, Cyber Command wants to deter Russian interference in the U.S. midterm elections (and probably future elections as well). Simply threatening Russia with vague warnings of retaliation would likely have little effect. But by demonstrating their overall capacity—and their willingness—to identify individual Russian operatives, the United States may be able to dissuade these agents from further action.

The Value of Discretion

No less significant is that it looks like only unnamed officials provided information to the New York Times. Although it’s hard to say for certain, this suggests that Cyber Command may well be trying to keep this operation relatively quiet; even the Timessources did not comment on the “methods that Cyber Command has used to send the direct messages” and whether “the information was delivered in an email, a chat or some other electronic intervention.” It certainly seems like responsibility for these cyber operations was intended to be low-key, communicated only to specific Russian operatives.

Here again, our research explains this. States will often work to keep operations like this out of the spotlight to limit the chances of unintended and unwanted escalation. Recent scholarship on this subject shows that rivals may even collude in this covert dance to keep hawkish publics at bay. A similar dynamic may be at work here: the New York Times notes that these attacks are limited in large part “to keep Moscow from escalating in response by taking down the power grid or conducting some other reprisal that could trigger a bigger clash between great powers.” By communicating complicity discreetly, the United States may be affording Russia an opportunity to change course without losing face.

This piece, first published by the Council on Foreign Relations, is used with permission.