Influence Campaigns and Disinformation

  • Cybersecurity
    Cyber Week in Review: April 28, 2017
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
    1. Facebook's plan to minimize information operations. Facebook caught a lot of flak last year for amplifying misinformation about the U.S. presidential election, such as the Pope endorsing Donald Trump and Hillary Clinton selling weapons to the so-called Islamic State group. In a white paper released this week, Facebook acknowledges that state and non-state actors use its platform to spread misinformation and collect data about specific users to shape public perceptions in the United States and elsewhere. To combat these efforts, the paper outlines a mix of existing Facebook policies, such as notifying users that their accounts may be compromised, and newer measures, like better detection of bots and working with fact checkers to identify false content. Over time, Facebook hopes that these measures will stem the tide of false content and promote "authentic" interactions on its platform.
    2. No more spying on Paul to learn about Pyotr. The New York Times reports that the National Security Agency (NSA) will end its practice of collecting communications between U.S. persons and people outside of the United States that merely mention targets of foreign surveillance, a practice known as "about collection." Although the NSA defends the practice as lawful, it has attracted significant criticism from privacy advocates who argue that it effectively amounts to warrantless surveillance of U.S. citizens and people in the United States. According to the Daily Beast, the NSA was forced to shut down the program following an unfavorable Foreign Intelligence Surveillance Court ruling.
    3. Fancy Bear packed its bags and moved to Paris. Cybersecurity company Trend Micro released a report covering the recent activities of Fancy Bear, widely believed to be a Russian state-sponsored cyber actor. Turns out the bear has been spotted in France targeting the campaign of French presidential candidate Emmanuel Macron. The phishing attempts on the Macron campaign reportedly resemble those that led to the compromise of the U.S. Democratic National Committee, as well as several other incidents attributed to Fancy Bear in 2016. The Macron campaign first reported hacking attempts back in February, but Trend Micro says it is unclear whether the incidents are distinct or part of a protracted Fancy Bear cyber operation to influence another election.
    4. Do people feel safer online? The answer: yes, marginally. According to a new Center for International Governance Innovation (CIGI) survey on trust and the internet, 57 percent of respondents expressed concern about their online privacy, down from 64 percent in 2014. Governments were not the primary source of concern--they ranked fourth in terms of what people feared most. Instead, respondents expressed more anxiety about cyber criminals, internet companies, and their fellow citizens.
    5. Let’s make a deal. Australia and China reached a new bilateral agreement in which both countries pledged to neither conduct nor support the cyber-enabled theft of intellectual property for commercial gain. That language is similar to pledges China made with the United States in 2015, with the United Kingdom, and at the G20.
  • Russia
    Perspectives on Russia
    Experts provide insight on the internal politics of Russia, as well as the current state of U.S.-Russia relations.
  • Cybersecurity
    Hacking Charges Against Russian FSB Officers: A Quick Reaction
    This post was co-written with Alex Grigsby, assistant director of the Digital and Cyberspace Policy program.
    This morning, the U.S. Department of Justice (DOJ) announced the indictment of four people allegedly responsible for the breach of over 500 million Yahoo accounts the company announced last year. What makes this interesting is that two of the indictees are Russian intelligence officials working for the FSB--the successor to the KGB. It looks like the Federal Bureau of Investigation (FBI) nabbed a pretty classic espionage operation.
    According to the indictment, two FSB officers--Dmitry Dokuchaev and Igor Sushchin--and Alexsey Belan--one of the FBI’s most wanted criminals and named in the sanctions President Obama issued against Russia in response to the DNC hack--obtained access to Yahoo’s user database. They then used that access to get into the accounts of possible Russian intelligence targets, such as diplomats, investigative reporters, and representatives of U.S. companies. Dokuchaev and Sushchin also used the data to help Karim Baratov access approximately 80 accounts hosted by Google and an unnamed Russian provider. Baratov, a 22-year-old dual Kazakh-Canadian citizen living outside of Toronto, was paid for his services and liked nice cars. The indictment also alleges that Dokuchaev and Sushchin helped Belan mine the Yahoo data for his own criminal purposes: he searched compromised accounts for credit card details and gift cards, either to use himself or to sell on cybercrime forums.
    There are a couple of significant differences between this incident and the other instances in which the U.S. government laid hacking charges on state-sponsored actors. In the 2014 indictment of the five People’s Liberation Army (PLA) officers, it was clear that China was not going to turn them over. In that case, the charges were probably more political--forcing China to reckon with the seriousness with which the United States took the pilfering of its companies’ intellectual property. The 2016 charges against the Iranians affiliated with the Revolutionary Guards were probably less political, but were nevertheless partly meant to discourage Iranians from hacking U.S. targets lest it hinder their ability to travel, and to deter future hacking by signaling that the United States could attribute attacks to individuals. In this recent case, at least one of the indictees--Karim Baratov--is likely to see the inside of a U.S. court. Canadian authorities arrested him yesterday and he is likely to be extradited.
    Several passages in the indictment suggest that U.S. authorities obtained evidence of the links between Baratov and the FSB by monitoring their communications. During a criminal trial, that could require U.S. prosecutors to disclose how they monitored the conversations and under what authorities. In a recent case against alleged child pornographers, the DOJ chose to drop its charges instead of revealing how investigators exploited a vulnerability in the Tor Browser to identify the suspects. That could also happen here if Baratov contests the accusations. The DOJ could put pressure on Baratov to plead guilty to lesser charges to avoid that outcome. It is worth noting that in a previous hacking case, Su Bin, a Chinese national living in Canada, pled guilty to stealing information from U.S. defense contractors for the PLA’s consumption, making it unnecessary for the federal government to prove its case.
    Another oddity is that Dmitry Dokuchaev was arrested earlier this year in Russia and charged with treason, along with Sergei Mikhailov, the former deputy head of the FSB’s information security center, and a former Kaspersky employee. It is unclear what Dokuchaev might have done that was treasonous in the eyes of the Russian legal system. One theory is that he was a CIA mole, which raises the question of why the United States would file charges against one of its assets. Another is that he hacked the wrong people while making a bit of money on the side, and got swept up for that.
    The ripple effects will be felt on two fronts. First, these indictments obviously worsen and complicate the relationship with Russia in cyberspace. Some saw the Shadow Brokers leaks of NSA hacking tools in August 2016 as retribution for the attribution of the DNC hacks to Cozy Bear and Fancy Bear and as a warning shot across the bow, a reminder that Russia is a very capable actor in cyberspace. We will have to wait to see how the Kremlin decides to respond this time, but it is likely to be a mix of official and asymmetric actions. Second, in announcing the indictments, the DOJ trumpeted its cooperation with Yahoo and other tech companies, and Yahoo did the same. For the DOJ and FBI, this is a welcome change of messaging to Silicon Valley. The headline is not that law enforcement wants to weaken encryption and build backdoors into products, but that working closely with the government can result in taking down state-backed hackers that threaten the private sector. That message might resonate for a little while, but long-term tensions are bound to return.
  • Cybersecurity
    How to Think About a State’s Cyber Capabilities
    Tony Craig is a PhD candidate in the Department of Politics and International Relations at Cardiff University. Brandon Valeriano is a Reader at Cardiff University, the Donald Bren Chair of Armed Politics at the Marine Corps University, a fellow at the Niskanen Center, and author of Cyber War versus Cyber Realities (Oxford University Press).
    The fear brought on by Russia’s hacking of the Democratic National Committee (DNC) has been profound. It is part of a broader concern over Russia’s growing activity in cyberspace, which includes disputes with Estonia, Georgia, and Ukraine. One recent commentator notes the “impressive” increase in Russia’s cyber capabilities given its frequent use of cyber tactics against rival countries. Another source claims that Russia has overtaken the United States in cyber capabilities because of its use of troll armies to launch cyberattacks. The mistake they make, however, is equating greater use of cyber aggression with an increase in capabilities.
    Russia is suspected of being behind a number of high-profile cyber incidents. In the last decade, the Kremlin is thought to have orchestrated the disruption of Estonia’s banking and government services, the defacement of Georgian websites, the Ukraine power grid hack, the compromise of the DNC during the U.S. election, and a phishing campaign against U.S. think tanks. While these incidents are a cause for concern, the use of cyber tactics cannot serve as an indicator of cyber capability for two reasons.
    First, an actor that uses cyber aggression more frequently is not necessarily a more capable one. Spraying a target with continual cyberattacks is no guarantee that you can hit it with any effectiveness. A more capable actor may, in fact, be less willing to reveal its cyber tools, since once they are used, rivals can learn from the attacker’s methods and patch the vulnerabilities they exploit.
    Second, cyberattacks involve varying levels of sophistication depending on the target and the aims of the attacker. For instance, to punish Estonia for removing a Soviet statue, Russia allegedly chose to flood Estonian websites with junk traffic, causing them to crash. On the other hand, to steal information, Russia is suspected of using phishing to infect computers with the necessary malware. These examples do not support the conclusion that Russia has increased its cyber capabilities, only that Russia used different tools for different purposes.
    So how can cyber capabilities be measured absent the hype? Capabilities refer to the set of resources and assets a state possesses that increase its potential to carry out its aims. In conventional warfare terms, capabilities are measured by factors like a country’s population, industrial capacity, technological advancement, or the size of its military forces. In cyberspace, capabilities refer to the state’s resources and assets that help it achieve its goals in cyberspace, such as the number of hackers, the level of expertise in computer science, and malware sophistication. There is only anecdotal evidence of Russia’s ability in these areas, and a more systematic investigation is lacking. The impact of these factors is also crucial. True, there are reports of the changing organisational structure of Russia’s cyber troops, but to really understand what an advance in capabilities means, observers need to understand how these developments lead to increased effectiveness on the cyber battlefield.
    Even if Russia, China, or other actors are increasing their cyber capabilities, these advances should not be conflated with cyber power. Power is measured by the actual influence exerted or the outcomes brought about. When commentators talk about cyber threats, they often discuss only the hackers’ initial achievements in gaining access to networks or bringing down websites. Although this may be a successful cyber operation on the surface, it may not lead to victory in the strategic sense that a rival state has succumbed to another’s will and changed its behavior. The DNC hack likely had some small impact on the U.S. election, but Clinton’s failure to engage the Rust Belt, the FBI letter about a continuing investigation days before the election, and dissatisfaction with immigration and identity politics all likely had a greater impact on events than hacking.
    Policy needs to be informed by empirical evidence rather than projected fears. Overall, there has been a remarkable level of restraint in the cyber domain, but mistakenly perceiving increases in capabilities may trigger security competition and arms races that will threaten the dramatic progress digital connectivity brings to society. We are not in a cyber world war, but at cyber peace. Maintaining this will be an active project aided by sober analysis that cuts through the hyperbole.
  • Cybersecurity
    Cyber Week in Review: December 16, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
    1. The most successful intel op ever? According to the Washington Post, a CIA intelligence assessment has concluded that the Russian cyber espionage campaign against organizations and individuals affiliated with the Democratic party was intended to increase the odds of Donald Trump winning the presidency. To support this claim, the CIA reportedly believes that Russian intelligence accessed Republican National Committee networks but chose not to disclose compromising information, that Donald Trump’s policy positions were more suitable to Russian interests, and that sowing chaos in the U.S. electoral process was payback for perceived U.S. meddling in Russia’s 2011 parliamentary elections. There were indications earlier in the week that the CIA’s judgement was not shared by the entire intelligence community, though the other agencies seem to have come around. The president-elect, however, has not. Nevertheless, the assessment, along with reports that Russian President Putin may have personally been involved, rekindled the debate over how the United States should respond. In a press conference, President Obama promised a response, but noted that it might not be publicized and questioned whether a naming-and-shaming approach would work with Russia as it seems to have done with China. I’ve argued that non-cyber means are probably the best form of response, and that it should be made public, particularly if the White House wants it to have a deterrent effect on others.
    2. Get this fake news out of here. Facebook has announced new measures to limit the spread of false news stories and information among its 1.8 billion users. The new measures, announced Thursday, supplement efforts Facebook has already undertaken to reduce the advertising revenue individuals can collect by spreading false but clickbait-infused stories. The social media giant will now make it easier for users to report items as fake and will partner with fact-checking organizations to determine the validity of flagged stories. The new measures are being rolled out to a subset of users and, should they prove successful, will be extended to a broader audience over time.
    3. UNESCO committee adopts guidelines for cultural funding in the digital environment. A UNESCO committee that oversees the 2005 Convention on the Protection and Promotion of the Diversity of Cultural Expressions agreed to a set of draft guidelines to help states party to the convention implement it in the digital age. Although the final guidelines have yet to be made public, a previous iteration of the draft requires that states update their respective laws "to protect and promote the diversity of cultural expressions in the digital environment." The spread of online content platforms like Netflix, Amazon, and Google has sparked worries in some countries that new media distribution models will increase cultural uniformity, favor U.S. content over local content, and undermine local cultural protection laws. In response, some countries are hoping to require that U.S. giants contribute to the production of local content, either through national laws or international agreements.
    4. Yahoo compromised, again. Yahoo announced that approximately one billion accounts were compromised in 2013. That is on top of the 500 million accounts compromised in 2014, which Yahoo disclosed in September, shortly after Verizon announced its intent to buy the company for $4.83 billion. If you’re still using Yahoo at this point, you will want to change your password, and don’t reuse the same one across multiple accounts.
  • Russia
    The President's Inbox: Russia
    Podcast
    CFR's James M. Lindsay, Robert McMahon, and Stephen Sestanovich examine President-Elect Donald Trump's priorities on Russia.
  • Cybersecurity
    Russia Gains an Upper Hand in the Cyber Norms Debate
    Robert Morgus is a policy analyst with New America’s Cybersecurity Initiative and International Security Program and is the co-author of the recently published Graphic Guide to Cyber Norms. You can follow him at @RobMorgus.
    Last month, Admiral Michael Rogers, the director of the National Security Agency, called the systematic leaks and spread of disinformation during the U.S. election a “conscious effort by a nation-state to attempt to achieve a specific effect.” Later in the same conversation, he highlighted U.S. efforts to advocate “what’s acceptable from our perspective, and what is not” with other countries. The process he’s referring to in the latter statement is a series of ongoing conversations that have played out over the past several years, attempting to negotiate and normalize a set of norms that help govern and guide state behavior in cyberspace. Russian interference in the U.S. election has triggered questions about the value of developing cyber norms and stoked reflection on what a norm is, exactly.
    As my friend and Carnegie Endowment scholar Tim Maurer put it to me in a recent conversation, there are really two types of norms. The first type is what he called “actual norms”—the norms that actually describe the predictable behavior of states. Norm is short for normative behavior, and in this context a normative behavior is one we could and should reasonably expect from a state. There is no controversy that norms like this exist and hold value in preserving a stable international ecosystem. The value of the second type of norm—what Tim calls an “aspirational norm”—is far less certain. This is the kind of norm the United States advocates around the world and what Admiral Rogers was referring to. These are the behaviors that, while not yet universal or universally accepted, the United States and many of its partners would like to see normalized.
    So what does all this have to do with Russia interfering with America’s democratic process? A lot. In 2009, Russia and a group of like-minded states began work on a proposal for a broad international treaty on information security. In their view, the set of norms that governed state behavior before the rise of the internet did not translate to state behavior in an internet age. In other words, a new digital age required new norms. Many in the United States, Europe, and elsewhere flatly rejected the proposition on the grounds that international law existing offline should and does constrain online behavior. The problem with this approach is that saying something exists does not make it so. International law dictates that states are prohibited from interfering in the domestic affairs of other states. Whether this norm is an actual norm or an aspirational norm is up for debate, though anecdotal evidence suggests it is more aspirational. Nevertheless, in a 2011 letter to the United Nations General Assembly outlining a proposal for an “International Code of Conduct for Information Security,” the Russian coalition proposed a codification of this concept, stipulating that states subscribing to the Code pledge to “not use information and communications technologies and other information and communications networks to interfere with the internal affairs of other states or with the aim of undermining their political, economic and social stability.” In parallel, Russia and others have pushed to further solidify this and other proposed norms in treaty form.
    Russia’s information operations could conceivably reshape the cyber norms debate radically, and they put the United States in a predicament. Russia is, ironically, in a better position to advocate the need for binding rules prohibiting interference through cyberspace. Even though Moscow is widely believed to be behind the U.S. election shenanigans, it can still argue that a non-interference rule, had it been in place, could have prevented the election tampering. That puts the United States in the unenviable position of publicly arguing for a ban on using cyber means to interfere in the internal affairs of states while having to reject a seemingly ready-made solution. Almost no one in the U.S. intelligence or national security community actually believes that Russia would abide by a cyber non-interference pact. Furthermore, many in the U.S. government’s cyber policy community do not see new treaties as a viable option for cyberspace, given the unique challenges of monitoring and verification that exist in the cyber domain. Nevertheless, Russia and its allies can use the election tampering as evidence that new UN cyber treaties or codes of conduct are necessary.
    Further confounding the United States’ position is the U.S. government’s insistence on a clear separation between cybersecurity and the concept of information security. For the last decade, U.S. cyber policy has focused on the security of hardware and software, not on determining what content and information should be allowed online. Conversations about the latter, in the U.S. view, open the door for human rights abusers to argue for sovereign control of information and to crack down on dissenting voices via censorship. But Moscow’s election-related activities brought the importance of Russia’s conceptualization of information security front and center in the United States, possibly making it harder for Washington to separate cybersecurity from information security.
    The Russian influence operation on the election was probably not carried out for the sole purpose of creating a bargaining chip for Russian diplomats. It would also be a stretch to argue that the norms debate played into Moscow’s equities calculation. Nonetheless, it is now harder for the United States to convincingly argue against the need for a more structured and enforceable institution codifying the notion of non-interference in cyberspace. From Russia’s perspective, its influence operation against the U.S. election is the gift that keeps on giving.
  • Cybersecurity
    Do U.S. Efforts to Deter Russian Cyberattacks Signal the End of Cyber Norms?
    According to an NBC News report, the United States has penetrated Russia’s electric grid, telecommunications networks, and command and control systems in order to be able to launch retaliatory cyberattacks if the Kremlin attacks critical infrastructure during the election. An unidentified senior official reportedly said that if Russia attacked critical infrastructure, Washington could shut down some Russian systems.
    Washington has in the past called out China and Russia for "preparing the battlefield" by penetrating and surveilling networks. Admiral Michael Rogers, head of U.S. Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee in 2015, “We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict.” The NBC report is confirmation (by leak) that the United States is, not surprisingly, doing the same.
    This is clearly an effort to create a deterrent. President Obama also reportedly warned President Putin about interference in the election at their last meeting two months ago. Like Lawfare’s Jack Goldsmith, I am skeptical that deterrence by leak is an effective method. In previous leaks claiming the United States would respond with cyberattacks, there has been no visible follow-through. While there may have been covert disruptions, there is little reason to think Moscow would take these new reports more seriously. Moreover, the Russians can easily remain below the threshold of an attack on critical infrastructure. The theft and public disclosure of the emails of the Democratic National Committee and Clinton campaign manager John Podesta have been more than effective in stirring up questions about the integrity and legitimacy of the electoral process. Russian hackers do not need to take down the power grid; brief distributed denial of service attacks on social media platforms on election day could do the trick.
    The NBC story raises questions about the viability and efficacy of norms of behavior in cyberspace. In 2015, the United States, Russia, and eighteen other countries agreed to refrain from cyber activity during peacetime that "intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public." If the United States did penetrate Russian networks, these actions may not, as Paul Triolo and others note, have violated the norm, since it prohibits damage and impairment, not access to networks. In other words, the norm prevents an action that states have no interest in pursuing, and does nothing to stop escalatory actions like mapping the battlefield.
    The leaks, and the Russian response, also cast doubt on U.S. cyber diplomacy. One of the more touted accomplishments in the bilateral relationship was a set of cooperative mechanisms announced in 2013, including the creation of a new working group, exchanges between computer emergency response teams, and the establishment of a White House-Kremlin direct communications line. This line, a secure voice link between the U.S. cybersecurity coordinator and the Russian deputy secretary of the Security Council, is to be used "should there be a need to directly manage a crisis situation arising from an ICT security incident." There is, however, no reporting that it has been used in this or any previous incident. Like the norm mentioned above, this confidence-building measure has done little to stop cyber conflict from becoming more intense. (UPDATE: A little over a week after this blog post first appeared, the Washington Post reported that the White House had in fact used the direct communications line to warn Russia about engaging in cyber operations that would further disrupt the U.S. elections.)
    In the face of Russian efforts, many have noted that the next administration will have to rethink how to strengthen U.S. government defenses against cyberattacks, energize private sector cybersecurity efforts, and establish a credible deterrent in cyberspace. U.S. diplomatic efforts will have to be similarly reexamined. What is the utility of pursuing consensus on a set of cyber norms if they do not cover the escalatory activity at the core of U.S.-Russian tensions, or of establishing confidence-building measures specifically designed to de-escalate the current situation if neither country is going to use them? Maybe the United States is better off working with its friends and allies to identify, deter, and counter Russian action instead of pursuing a norms-based strategy.
  • Defense and Security
    Facebook Live: Denial of Service Attacks, Hacking U.S. Elections, and Deterrence in Cyberspace
    Last week, I sat down with my colleague Adam Segal, CFR’s director of digital and cyberspace policy, to discuss the recent denial of service attacks on popular websites like Netflix and Twitter, the vulnerability of the U.S. presidential election to hacking, and the effectiveness of deterrence in cyberspace, among other topics. You can check out the video of our discussion below or on Facebook.
  • Cybersecurity
    Facebook Live: Cybersecurity, Russians, and Denial of Service Attacks
    Last week, I sat down with James M. Lindsay, senior vice president of the Council on Foreign Relations, to talk about cybersecurity, Russian interference in the U.S. election, and the denial of service incident against Dyn and Brian Krebs. Check out the video below or on Facebook.
  • Cybersecurity
    Cyber Week in Review: October 28, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
    1. Fallout from the Dyn denial of service incident. In the wake of last Friday’s attack on Dyn, a Chinese electronics firm issued a recall of all webcams containing its circuit boards. The company, Hangzhou Xiongmai, says that the issue is that users haven’t changed the (often unchangeable) default passwords on their devices, allowing hackers to take control of them for nefarious purposes. The real issue is that security considerations are often an afterthought in internet of things (IoT) devices, and unlike car or other manufacturers, software and hardware companies are often not liable should a product malfunction. The European Union is preparing to issue new regulations on IoT devices that may help mitigate future incidents, and the U.S. government is looking to issue guidance for IoT manufacturers. By contrast, China is threatening legal action against those who make “false claims” about the integrity of Chinese-manufactured devices. Director of National Intelligence James Clapper stated on Tuesday that last week’s attack was likely carried out by a nonstate actor, and Dyn has confirmed that the attackers used the same Mirai malware that has been behind many of the recent DDoS incidents, including the one that targeted Brian Krebs’ website.
    2. U.S. director of national intelligence on Russia and the Dyn incident. James Clapper sat down for a Q&A session with Charlie Rose at the Council on Foreign Relations, where he talked about the Dyn incident and responding to Russian cyber activities, among other things. On Russia, Clapper stuck to the script of the official statement he and the secretary of homeland security released three weeks ago. However, he did mention the difficulties of responding, noting the risk of revealing U.S. intelligence capabilities, the need to control escalatory activity, and the need to ensure the legality of a response. The recent compromise of e-mail accounts of people close to Russian President Vladimir Putin has led to speculation that the Obama administration has begun responding. Putin continues to deny that the accusations are anything more than anti-Russian propaganda.
    3. Well that was fast. The Privacy Shield agreement that governs the transfer of personal information between the European Union and the United States is facing a legal challenge from the privacy advocacy group Digital Rights Ireland on the grounds that its privacy protections are insufficient. The online case filing is sparse, detailing only the parties, the date of filing, and that the subject concerns an “area of freedom, security and justice.” Privacy Shield, which has only recently begun to be implemented, has attracted criticism on privacy grounds since the draft text was first released.
    4. Law enforcement access to data. Microsoft, which owns Skype, was fined €30,000 by Belgium yesterday for failing to assist investigators in 2012 by intercepting users’ communications over the messaging service, a request the company says was impossible to fulfill. There has been a trend in certain jurisdictions of courts fining or banning messaging providers for failing to hand over data they don’t have, as happened in Brazil four times over the last two years with WhatsApp. In related law enforcement news, Yahoo released its newest transparency report, which indicated a slight decline in law enforcement requests for user data. The Yahoo report is an outlier, given that most tech companies are seeing law enforcement requests rise.
  • Cybersecurity
    After Attributing a Cyberattack to Russia, the Most Likely Response Is Non Cyber
    Almost four months after the cybersecurity firm CrowdStrike claimed that two Russian hacker groups were behind the theft of data from computers at the Democratic National Committee and other political organizations, the U.S. government has publicly attributed the attacks to Russia. In a joint statement from the Director of National Intelligence and the Department of Homeland Security, the intelligence community declared that it was "confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations." According to the statement, the hack was not the work of an individual calling himself Guccifer 2.0 or a 400-pound hacker sitting on a bed, but was: intended to interfere with the U.S. elections; consistent with other Russian efforts to influence public opinion in Europe and Eurasia; and likely to have been authorized at the highest levels of the Russian government.

    This is the latest in a growing list of cyberattacks that the United States has attributed to state-supported hackers. Washington accused the PLA of hacking U.S. Steel and others; North Korea of attacking Sony; and seven hackers tied to the Iranian Revolutionary Guard Corps of attacks on U.S. financial institutions and a dam in Rye, New York. Russia has, not surprisingly, denied any responsibility, saying the claims "lack proof" and are an attempt to create "unprecedented anti-Russian hysteria."

    The next steps for the Obama administration are unclear. As Henry Farrell notes, the U.S. government will now have to decide if it will provide compelling evidence of Russian culpability. Releasing additional proof will be necessary if the United States wants to build some international legitimacy for whatever retaliatory actions it takes. In fact, the United States signed onto a 2015 UN report that said that accusations of internationally "wrongful acts brought against states," the kind the United States is now making against Russia, "should be substantiated." But substantiation has significant risks. It will be difficult to assign responsibility without revealing intelligence capabilities, and attribution may allow Russia to patch vulnerabilities and result in the loss of U.S. defensive and offensive capabilities.

    A number of analysts have stressed the challenges facing the United States in responding to these attacks, and especially in preventing the confrontation from spinning out of control. While covert cyber operations would be one example of a proportional response—and the United States certainly has the capability to attack Russian networks—it cannot ensure escalation dominance and the ability to end the conflict. Attacks that attempt to undermine Putin’s legitimacy by exposing emails or financial records and revealing compromising information might provoke even more widespread threats to U.S. critical infrastructure. Moreover, as former NSA general counsel Rajesh De and former CIA deputy director Michael Morell note, offensive cyberattacks are counterproductive to the norms of behavior that the United States is trying to establish.

    This does not mean there should be no reaction. Instead, Washington will want to consider a range of options such as extending sanctions to those around Putin using a new executive order, more aid to Estonia and other states on Russia’s periphery, and more funds for the development of next-generation anonymizing tools for dissidents and non-governmental organizations that monitor the Kremlin. The United States could also take steps to dismantle the IT infrastructure and hop points that Russian intelligence used to compromise U.S. political institutions, in order to disrupt future cyber operations. This could take the form of clandestine activity or publicly visible steps, such as working with the international network of computer emergency response teams, much as the United States did to counteract the 2011-2013 Iranian denial of service attacks against U.S. banks.

    Great powers are still trying to navigate the bounds of acceptable and proportionate responses when faced with confrontational state-sponsored cyber activity. Although analogies to nuclear policy or previous U.S. experience with Russian kompromat may be helpful in navigating the present, cyberspace has unique characteristics that make these imperfect parallels. Washington’s response to Moscow’s actions will set the bar for future responses and set the example for other countries that could be victims of the same kind of activity. The White House will want to choose its next move carefully.