OFFUTT AIR FORCE BASE, Nebraska ― Nearly a dozen nations, including the United States, attributed a 2019 cyberattack on the country of Georgia to Russia’s military, a move that experts said was the most high-profile example yet of an effort to establish acceptable behavior in cyberspace.
However, the experts also told Fifth Domain Feb. 20 they expect the strategy to fall short of stopping future attacks.
The October 2019 attack took two Georgian television stations off the air and disabled thousands of government websites. That event, several experts said, violated a 2015 United Nations agreement that outlines how nation-states should not target civilians during peacetime.
Leaders from more than 10 countries, including the U.S. State Department and NATO, spoke out against the attack Feb. 20, an unusually high level of cooperation that demonstrated several nation’s long-held desire to establish acceptable levels of behavior in cyberspace.
Speaking to reporters while visiting U.S. Strategic Command, Secretary of Defense Mark Esper said the Trump administration knows it needs to speak out when it sees attacks on allies and partners and vowed to “push back hard.”
“We will continue to help partners and allies deal with threats from Russian interference… whatever manner they take,” Esper said. “It’s something we’re going to be dealing with for quite some time.”
Whether nations will follow a similar game plan as they did this time will be decided on a “case by case basis,” he said, but “clearly we have to do more than just play defense. We have to play more of an offensive game, and I think under this administration, we have.
“I think to a degree when it makes sense to name and shame, to call groups out, either groups or governments, we should do that,” he said. “The new normal can’t be that we continue to suffer from some kind of influence in our country or our political system, nor with our allies and partners.”
The secretary also intimated that responses may not always be diplomatic, twice mentioning that President Donald Trump has given the department “additional authorities” when it comes to cyber capabilities, likely a reference to new authorities that gives the Pentagon greater flexibility to respond to a cyberattack.
More attacks means more coalitions
The Russian attack was “clearly under the threshold for a use of force or an armed attack but clearly can damage and affect a society and undermine institutions," said Adam Segal, director of digital and cyberspace policy program at the Council on Foreign Relations. "The West, the U.S. and its partners, are trying to set a norm about those types of events.”
For more than a decade, the U.S. government has used the so-called “name and shame” tactic to call out unwanted cyber behavior as a means of holding actors accountable. Officials in the Trump administration have followed a similar approach, explaining that they want to build a coalition of like minded-states in order to create a much stronger position for levying responses and applying pressure on adversaries.
Legal experts pointed to several similar instances of western nations banding together to call out what they view as unacceptable actions, including the NotPetya global cyber event, Russia’s alleged targeting of the Organisation for the Prevention of Chemical Weapons and the World Anti-Doping Agency.
They also said they expect to see similar coalitions in the future.
“We’re going to see a lot more of these going forward. I think that’s part of the project of norm creation and norm enforcement is getting these coordinated coalitions of statements condemning particular behaviors … [it’s] increased a lot over the last couple of years and it’s going to continue going forward,” Kristen Eichensehr, an assistant professor of law at UCLA Law School, told Fifth Domain.
She added that when states don’t call out unacceptable behavior, it weakens norms over time.
Duncan Hollis, a professor of law at Temple University, agreed. He said that while these types of statements are rare, they are not new. However, he questioned whether future statements will continue to be coalitions of like-minded western states or if they will broaden to include countries, like India and Brazil, which typically have not weighed in on these matters.
But, without the coalition describing either specific legal violations or attribution – they might not have the effect leaders want.
The Feb. 20 statements “remain pretty light on details both as to the basis of the attribution and what it is exactly that we’re supposed to be upset about. They reference international law principles or international norms but they don’t actually tell us what rules do you think were violated and by which activity,” Hollis told Fifth Domain. “I think we’ve had a transparency problem with international law applying to cyberspace for a number of years now … If you’re going to go out of your way to accuse Russia of this sort of behavior, why not line it up and explain what it is you’re thinking Russia did wrong.
The risk of not doing so, he said, is states can become hypocritical because this turns into how states view espionage in that they all argue they do it to each other, and thus – to a large degree – don’t complain when it’s discovered.
The statement from the Czech government noted that officials there didn’t have primary forensic evidence of Russia’s alleged actions in Georgia, but nonetheless had no reason to doubt the attribution performed by allies.
“It seems like the evidence supporting the attribution was not widely shared and I think there’s a potential to actually build broader coalitions if states are more transparent about the evidentiary basis of their attribution claims,” Eichensehr said.
Several experts said this approach could lead to sanctions or possibly retaliation.
“Before venturing into that territory, you want to be very clear [about] what lines would be crossed or at what point” countermeasures would be imposed, said Tim Maurer, co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
U.S. government leaders have long maintained it takes a “whole of government” approach to such international incidents.
For its part, the Department of Defense released its own statement regarding Russia’s alleged actions, saying, the attack “is just one more example of how Russian malign behavior erodes transparency and predictability, undermines the rules-based international order, and violates the sovereignty of its neighbors. The U.S. government position has been clear, we will defend our partners' and allies' core interests and hold the Russian Federation accountable for these destabilizing activities.”
DoD did not respond to request for comment regarding how it would hold Russia accountable aside from the public attribution.
In recent years, the United States and its partners have publicly outed other cyberattacks by Russia and the Department of Justice has unsealed indictments against alleged hackers.
“It’s sending the signal that there is the ability to trace back the source of a cyberattack, whereas attribution remains very difficult … this statement shows that these kind of attribution capabilities have gotten better – that it is possible to trace back who’s behind it,” Maurer said.
Rep. Jim Langevin, D-R.I, a vocal member on federal cybersecurity issues, said in a statement that the delay between the attack and the Feb. 20 announcement needs to shrink. He called for stronger partnership with the European Union on the issue.
“Three and a half months from incident to attribution is still too long to enable us to respond agilely, and the delay hampers our ability to tie attribution to instituting economic sanctions, taking diplomatic actions, or employing other instruments of state power,” Langevin said. “I hope the administration will work with the EU to take meaningful steps to ensure that malicious activity in cyberspace will be met with consequences that go beyond simply pointing the finger of blame.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
Aaron Mehta was deputy editor and senior Pentagon correspondent for Defense News, covering policy, strategy and acquisition at the highest levels of the Defense Department and its international partners.
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.