Global Cyber Norms Insufficient to Prevent Future Election Hacks

Cybersecurity

As the State Department works to gain international support for its cybersecurity framework, experts said that global norms and deterrence won’t be enough to convince state actors not to influence elections through cyber means in the future.

Robert Axelrod, Walgreen Professor for the study of human understanding at the University of Michigan, compared the Democratic National Committee (DNC) hacks to Watergate. Both incidents involved the theft of information. The difference is that in Watergate, the incident was handled by domestic law enforcement and the president resigned. In the DNC hacks the incident was handled by international powers and there was “minor retaliation,” according to Axelrod.

“Domestic law enforcement is more powerful than international norms and deterrence,” Axelrod said Thursday at the University of Michigan.

Peacetime norms aren’t enough to determine when it’s appropriate to retaliate, according to Robert Axelrod. (Photo: University of Michigan)

However, the State Department is crafting an international cybersecurity framework, which instills consensus among governments about what constitutes responsible state behavior, and provides voluntary norms for states to abide by during peacetime.

“Secretary [Rex] Tillerson during his confirmation hearing spoke about the importance of norms,” said Theodore Nemeroff, senior adviser at the State Department’s Office of the Coordinator for Cyber Issues. “It’s been a longstanding piece of our approach.”

Nemeroff, who has worked with his office on the cyber framework, said that it encourages transparency about what cyber capabilities states are working on and encourages cooperation between states when an international cyber incident occurs.

“You can also expect the conversation to move a little bit toward the question of deterrence and consequences,” Nemeroff said.

In the case of the DNC hack by the Russian government, the United States expelled 35 Russian diplomats and imposed economic sanctions. Axelrod said that these consequences were not enough to prevent future hacks.

“I think we’re going to see a lot more attacks like them in future campaigns,” said J. Alex Halderman, professor of computer science and engineering at the University of Michigan.

Halderman said that most people think that the United States’ voting machines are secure because they are different in each county and they aren’t connected to the Internet.

“In fact, many of these things break down,” said Halderman.

Halderman said an attacker can select the machines that are the most vulnerable or attack the third-party vendors that provide the memory cards for each machine. By using this method, an attacker could have altered the votes in 75 percent of Michigan counties, according to Halderman. He said that although he thinks that no states carried out sufficient forensics to determine whether their voting machines were hacked, he does not believe that those votes were manipulated.

Nemeroff said that the State Department created peacetime norms in order to give states a rallying point when another country veers from the norms.

“As more and more governments are developing capabilities…to operate in cyberspace, this creates the possibility for instability,” Nemeroff said. “We will respond to cyber incidents using all means of national power.”

Axelrod said the peacetime norms aren’t enough to determine when it’s appropriate to retaliate.

“Unfortunately, there’s been a substantial breakdown in the distinction between war and peace,” Axelrod said. “With cyber, it’s not clear exactly how big it is.”

 

Recent