The West’s Cyber Appeasement Helped Give Putin a Green Light
By James Stavridis, Dean Emeritus of the Fletcher School of Law and Diplomacy at Tufts University
There were many reasons Russian President Vladimir Putin finally decided to invade Ukraine, but one was the failure of an international alignment on the consequences of such aggression. Tacit indifference to Russia’s behavior from both sides of the Atlantic — regarding previous invasions of Georgia in 2008 and Ukraine in 2014, nerve-agent attacks on political opponents, support for a bloody war criminal in Syria — undoubtedly encouraged the Kremlin’s provocations.
But it’s not just indifference to Russia’s recent kinetic aggression that’s to blame. Insufficient response to its non-kinetic military operations helped equip the Kremlin with an effective virtual complement to the traditional invasion. The West in effect conducted a policy of digital appeasement in response to multiple cyberattacks. How did we get here, and what can we do going ahead?
In 2015, Russia’s military intelligence directorate launched a cyberattack that knocked out power for over 200,000 Ukrainians two days before Christmas. This was followed in June 2017 when shadowy Russian actors compromised a popular tax accounting software called M.E. Doc, which was later distributed to hundreds of thousands of customers via a corrupted software update. Malware that was apparently intended for local effects propagated globally, resulting in billions of dollars in damages. It cost pharmaceutical company Merck & Co. an estimated $1.3 billion alone.
More recently in the U.S., we have seen ransom attacks by Russian cybergangs against various corporations and critical infrastructure, including the Colonial pipeline and parts of the food chain. The 2020 SolarWinds Corp. attack, which affected hundreds of the largest corporations in the U.S. and many government agencies, almost certainly originated in Moscow.
Thus it should have come as no surprise that in recent days Ukraine’s largest bank and defense agencies reported being hit with the biggest denial-of-service attack in the country’s history. This, and subsequent hacks, set the stage for the Thursday’s military thrust.
Cyberwarfare is a powerful asymmetric capability for any nation-state seeking to prepare the battlefield for an invasion; to support operations at sea, in the air or on land; and to achieve disruptive or destructive effects against digital or physical targets. Despite this military effectiveness, however, far too often the West has failed to respect cyberwarfare’s role as a strategic instrument of power projection.
Russia wields the power of cyber not necessarily to cause widespread damage, but to operate with precision below the perceived threshold of war, and thus beyond the reach of political consequences. Cyberattacks are at the heart of Putin’s so-called hybrid warfare, central to the current Kremlin playbook. And the Western allies have allowed Russia to act virtually unchallenged — even when it has involved meddling in U.S. and European elections — evoking legitimate comparisons of European appeasement of the Nazis in the lead-up to World War II.
There are three explanations for this modern-day form of digital appeasement.
The first is that the West’s diplomatic corps is simply not equipped to engage in influential dialogue with other cyber-powers. Said differently, our diplomacy isn’t technical enough. This isn’t a pejorative statement; rather, the diplomatic culture hasn’t adapted to the digital dimension of geopolitics.
We need to precisely define what constitutes an attack. Why not draw a red line for gigabit-per-second denial of service attacks against banks, or for arbitrary code execution of known flaws in commercial software with a rating in the Common Vulnerability Scoring System above 8? Overstepping that line would draw immediate retaliation. The more the U.S. resorts to vague descriptions of cyber-aggression, the more its adversaries exploit the domain to their advantage
This point segues into the second, which is hesitancy to risk escalation — the proportions of which are untested and therefore unknown. Western governments risk being crippled by the fear that clear red lines will inevitably be crossed, triggering a global cyber-conflict in which the West has more to lose than its autocratic enemies.
Democracies fear not only attacks against their own military and civilian critical infrastructure, but perhaps even burning their own capabilities — showing their opponents what they have — in the process. This fear is not unfounded, but it must be balanced with the reality that unchecked cyber-aggression has its own escalatory properties. In cyberspace, tolerance of some level of short-term conflict might be necessary to establish a credible and enduring deterrent.
Finally, there is a false sense of security in Western cyberdefenses against nation-states like Russia that have both the will and capability to attack. For too long, we have relied on technical measures alone to stymie cyber-aggression. This week the Department of Homeland Security released a so-called Shields Up alert, noting that the “Russian government understands that disabling or destroying critical infrastructure — including power and communications — can augment pressure on a country’s government, military and population and accelerate their acceding to Russian objectives.”
The department should be commended for communicating best practices to the public. But while enforcing two-factor authentication, installing antivirus software and patching vulnerable servers might be effective against the majority of actors, it won’t stop the Russians. The U.S. needs to develop a sense of deterrence in cyber, and doing so will require more aggressive responses than it has been willing to employ thus far.
Now that the Russians have acted so strongly in the physical domain, we may find them even more emboldened in the cyber domain.
This piece was re-published from Bloomberg Opinion.