How Democracies Lose in Cyberwar

In 2016, Russia used the American system against itself.

The Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado
The Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado (Rick Wilking / Reuters)

“War is God’s way of teaching Americans geography.” This 19th-century quip, often attributed to the satirist Ambrose Bierce, deserves a 21st-century update: “Attacks against the U.S. are God’s way of teaching Americans how weaker enemies are stronger than they seem.”

Osama bin Laden and al-Qaeda are the paradigmatic examples of this. On September 11, 2001, they gave Americans, along with the rest of the world, a lesson in “asymmetric warfare”—armed conflict between two sides whose relative military power differs significantly, and in which one party can gain advantage by targeting the other one’s weak points.

In that case, 19 suicidal terrorists armed with box cutters gained control of three commercial jetliners and used them to strike some of the most sensitive and symbolic targets of the most powerful and technologically advanced nation in the world. Al-Qaeda spent an estimated $500,000 on the attacks, which killed almost 3,000 people and cost hundreds of billions of dollars in material losses. The reactions that followed were even larger and more consequential than the attacks themselves: The United States launched what is to date its longest war ever (in Afghanistan), and its third-longest (in Iraq), at the estimated combined cost of $3 trillion to $5 trillion. Moreover, the geopolitical disruptions from all these events are still shaping today’s world.

If Osama bin Laden and al-Qaeda taught a new generation of Americans about kinetic asymmetric war, WikiLeaks and the Kremlin have taught them about cyber asymmetric war. While the first relies on physical violence to kill people, destroy buildings, and disable critical infrastructure, the second uses the internet and other cyber tools, which can cause not only physical damage but also weaken the institutions that are critical for the functioning of a democratic government.

When Leon Panetta, then the U.S. secretary of defense, warned in 2012 about the possibility of a “cyber-Pearl Harbor,” he envisioned physical calamity like hackers causing train derailments or contaminating the water supply. Russian interference in the 2016 U.S. presidential election, involving what U.S. intelligence believes were Kremlin-directed hacks and leaks of emails damaging to the candidacy of Hillary Clinton, differed from this vision. It represented a political cyber-Pearl Harbor.

And that cyber confrontation was asymmetrical, not because America was at a technological disadvantage (the U.S. is among the world’s leaders in the technologies needed to wage cyberwars), but because Russia was able to exploit the weak points of America as a democracy.

What made America uniquely susceptible to the attack from an authoritarian Russia is emblematic of what makes other democracies particularly vulnerable, relative to their authoritarian counterparts, to political cyberattack. For one thing, the 2016 election attack targeted the democratic process itself. In the words of the intelligence community’s January 2017 report on the incident, the hacks and leaks worked to “undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.” They aimed to take advantage of the free flow of information in a democratic society, the affect of that information on public opinion, and the electoral mechanisms through which public opinion determines a country’s leadership. (The assessment did not allege cyberattacks on voting machines, nor asses the actual impact Russian meddling might have had on the final outcome.)

If, on the other hand, a hacker leaked damaging information about Vladimir Putin, there are various obstacles in the way of its having an electoral effect. Restrictions on the media in Russia could prevent the information from circulating widely. Even if it did manage to attract publicity and sway public opinion, what then? Putin has tight control over the country’s electoral apparatus, meaning that a voting citizenry inclined to punish him for leaked evidence of misdeeds has no real mechanism to do so. The Panama Papers leaks of spring 2016, which resulted from the alleged hack of a law firm specializing in offshore banking, help illustrate the point. Though they exposed shady financial dealings within Putin’s inner circle, the Russian media covered them in a way favorable to Putin. The leaks made virtually no dent in his popularity.

And if democratic politicians are more vulnerable to the effects of leaks, democracies are also more likely to produce leakers to begin with. The legal protections individuals enjoy in the democratic states make it hard to deter this type of behavior—though as illustrated by the case of Chelsea Manning, who provided classified U.S. government documents to WikiLeaks in 2010, leakers can be prosecuted and jailed. (Edward Snowden, who leaked classified details of government surveillance programs to journalists, fled the U.S. before he could face prosecution.) But the cost of leaking in an autocratic society like Russia, where political opponents of Putin have been known to wind up dead, could be far higher, obviously posing a major disincentive.

Democracies, too, have used cyberattacks against non-democratic states. Perhaps the best known example is the use of StuxNet, the successful attack, most likely by the United States and Israel, involving a malicious computer worm that sabotaged an element of Iran’s nuclear program. Other countries with similar capabilities could be stealthily using them against their rivals. As a member of former President Barack Obama’s council of advisers on science and technology told me: “The internet is now fully weaponized.”

But, so far, the main political victims of cyberattackers have been leaders and public figures in democratic countries—especially the United States. And the United States is not the only democracy vulnerable to political cyberattacks. One of the conclusions of the intelligence community’s report on the 2016 election hacks points to a much broader implication: “We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the U.S. presidential election to future influence efforts worldwide, including against U.S. allies and their election processes.”

With elections coming up in several European countries, the Kremlin might turn its attention to influencing outcomes that would benefit its national interests. From bolstering populist candidates who have vowed to leave the EU, to encouraging skepticism of NATO by global leaders (most notable, so far, being President Trump), to supporting candidates who would ease the economic sanctions imposed on Russia for its actions in Crimea, there are numerous incentives for Putin to interfere, and numerous ways in which he could do so. Indeed, Russian cyber meddling was longstanding practice in Europe before 2016, and France, Germany, and the Netherlands are facing cyberattacks ahead of their elections this year.

The question is: Why haven’t Western democracies made the necessary reforms to adapt to the threat? Why have they let countries like Russia get the upper hand, not in capabilities, but in practice? One answer is that democracies, by their very nature, hinge on checks and balances that limit the concentration of power and slow down governmental decisionmaking. While all bureaucracies, including those of authoritarian regimes, are slow-moving, Vladimir Putin or Xi Jinping surely are less encumbered by their laws and institutional constrains than their democratic counterparts.

Japan’s attack on Pearl Harbor in 1941 unleashed a massive American reaction. It remains to be seen what the reaction to America’s political cyber-Pearl Harbor will be—if any.