Democracy & Elections Foreign Relations & International Law

What Would Be a Sufficiently Strong Response to Russian Hacking of the U.S. Election?

Herb Lin
Saturday, December 31, 2016, 1:02 PM

A variety of recent reports have noted complaints that the sanctions on Russia for its meddling in the November election are insufficient. For example,

Published by The Lawfare Institute
in Cooperation With

A variety of recent reports have noted complaints that the sanctions on Russia for its meddling in the November election are insufficient. For example,

  • John Bolton said “I don't think they will have much impact at all,” and that these Russian actions were an “attack on our constitutional system.”
  • Senators John McCain and Lindsey Graham issued a joint statement saying that “The retaliatory measures announced by the Obama Administration today are long overdue. But ultimately, they are a small price for Russia to pay for its brazen attack on American democracy. We intend to lead the effort in the new Congress to impose stronger sanctions on Russia.”
  • The Democratic National Committee said: "These intrusions were not just ‘hacks.’ They were attacks on the United States by a foreign power and should be treated as such. Therefore, today’s action alone by the White House is insufficient."
  • Rolling Stone, skeptical of the intelligence community assessment of Russian involvement, said "If the Russians messed with an election, that's enough on its own to warrant a massive response – miles worse than heavy-handed responses to ordinary spying episodes." [boldface added]

All of these reports—spanning a wide range across the political spectrum—raise a very interesting question: if the announced sanctions are not enough, what would be enough? What would be a sufficiently strong response? Against what metric of “strength” are all of these complaints measured?

In a previous post writing about responses to malicious Chinese cyber activity, I wrote that we need to consider “how the bad actor (or the government of jurisdiction over the bad actor) will respond to US sanctions levied against them. Remember, we don’t get the last move in this game unless the other side simply rolls over and plays dead when we do whatever it is that we do.”

The same comments—or at least their spirit—apply to Russia as well. What all of the critics of the Obama sanctions are forgetting is that we need to be willing to tolerate whatever else the adversary (in this case, Russia) does in reaction to our response to their original action regarding the 2016 U.S. election. (Note, of course, that Russia doesn’t see it this way – they think that the United States started the problem by meddling in the 2011 Russian election.)

Putin has decided not to respond to the U.S. sanctions. If our response were “stronger”, would he have made the same decision? At some level of a stronger U.S. response, he obviously would have responded in some manner. For example, if the United States had decided to use a cruise missile against a Russian military facility as a response to Russian election hacking, I think the odds are high that a not-so-friendly Russian response would ensue. And I am quite sure that such a Russian response would not be in our interests.

How about something less provocative? Language about “attacks by a foreign power on American democracy” evoke sentiments for military action. Are there military responses possible short of blowing up Russian assets? Of course. We could:

  • Double U.S. military forces in Europe. The United States is already planning to add 4,250 more troops as as part of an additional armored brigade by early 2017. That number could be increased to the size of an armored division.
  • Sell lethal arms to Western Ukraine, the Baltic states, and to Eastern European members of NATO to enable them to resist Russian ground forces more effectively.
  • Conducting more joint military exercises with the Baltic States and NATO states in Eastern Europe.
  • Add to existing missile defense plans for Eastern Europe.
  • Increase naval deployments to the Mediterranean.

Even these military moves, less provocative than destroying Russian assets, would almost certainly provoke a strong Russian reaction. Would that Russian reaction be aligned with U.S. interests? I suspect not.

So anyone who wants to criticize the sanctions for being “inadequate” has to propose something “stronger” that will not result in an unacceptable-to-the-US reaction by the Russians. The Obama sanctions did not provoke a Russian reaction. I believe that most military responses by the United States would.

What about a cyberattack on Russia as a U.S. response? What would we expect a cyberattack to do? Harm Putin’s political interests? It’s hard to imagine an action that would play more neatly into the Russian narrative about the United States. Leak embarrassing secrets about Putin? It’s hard to imagine what would embarrass him. Shut off electric power in Moscow? That’s pretty close to military action.

I’m not happy about the situation the United States is in now—there aren’t many good options for responding now in my view. I share the frustration of those who say the U.S. response has been inadequate, and I too wish we could do something “stronger.” But from my perspective that inadequate response was manifest many months before the election, when various elements of the federal government didn’t respond appropriately to the various indications of cyber mischief happening then. And I worry greatly that those complaining about an inadequate response now have not thought through the end game, or even the opening game beyond what they would like to see beyond sanctions.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare