The Value of Dialogue Between Adversaries

It has been like meeting old friends. In recent weeks, I have looked anew at the Dartmouth Conference, a series of meetings that began at the height of the Cold War as an effort to get Soviets and Americans to talk to each other.  Dartmouth was the subject of my book, but it has been more than a decade since I last considered it in any depth.

The Dartmouth Conference is the longest continuous bilateral dialogue between Americans and Russians. Norman Cousins started it in 1960. He was the renowned editor of the Saturday Review. He was an anti-nuclear activist and believer in world government, a man the powerful wanted to speak to, including Eisenhower, Kennedy, and Khrushchev. Cousins believed that the United States and the Soviet Union had a common interest in not blowing each other up. He also believed that dialogue outside official channels could help prevent that holocaust.

How could it do that?  A naïf would argue that through dialogue we can dissolve differences. That is almost never the case. It was certainly not the case during the Soviet era when Soviet participants in Dartmouth like Georgi Arbatov and Yevgeniy Primakov, who became Russia’s prime minister, made their differences with American policy clearly known. The ability of Soviet participants to deviate far from official pronouncements was limited in any case.

What dialogue can do is to clarify the differences between the two sides. It can show what perceptions, experiences, and reasoning lead two sides to oppose each other on a particular issue. Or in general. It can also reveal what interests they share. During the Cold War, the two superpowers wanted to avoid nuclear war and nuclear proliferation at the same time that they were nearly coming to blows over Berlin and Cuba and fighting proxy wars in Africa and Afghanistan. The dialogues at Dartmouth did not paper over the differences—would one expect participants like Zbigniew Brzezinski to soft pedal what they saw as Soviet malfeasance?

But the participants at Dartmouth have also sought areas of common interest. And found them. In time, they came to propose ways to strengthen those common interests. Primakov “noted that we achieved considerable progress in designing measures to normalize the situation in the Middle East.” Policy makers don't always pay attention, as Primakov also noted. But they do sometimes and that can be important. In 1984, Secretary of State George Schultz used information gained from Dartmouth about Soviet attitudes to further an improvement in U.S.-Soviet relations from the cold freeze of the early Reagan years.

Dialogues like Dartmouth that involve people trusted by both sides and are sustained over time can also provide a ready-made back-channel for policy makers to use to send messages or, as Primakov put it, “to ‘test the water’ regarding ideas put forward by their governments.” Alexander Haig, Reagan’s first Secretary of State, was not the only one to do this with Dartmouth.

I’m pleased to be able to say that Dartmouth continues to meet and make recommendations that could help American policy as it deals with conflict across the globe. For example, the 19^th Conference, held in March this year, recommended that Russia and the United States “create a contact group to work on common approaches to such issues as controlling the flow of fighters [to Islamic State], financing and possibly sharing ideas on the sensitive issue of Turkey’s role in this conflict.” Who knows what influence that might have had on the mess we find ourselves in now in Syria.

Dialogues like Dartmouth are especially important at a time when regional expertise is devalued in academia and government and language skills are diminishing across the board in the United States. The chances that we might be trapped in the bubble of our own assumptions are increasing. History is rife with errors made by those who could not escape that bubble.

I spent much of an earlier part of my career, before I became involved in cybersecurity, cyberwar, and the like, looking at Dartmouth. For several years, I’m proud to say, I worked with Hal Saunders, a former Assistant Secretary of State and co-chair, with Primakov for a time, of the Dartmouth Regional Conflicts Task Force. I am a realist by nature and a pessimist about international relations, yet through that experience, I learned that if there is dialogue, there is hope that the worst can be avoided. The 20^th session of the Dartmouth Conference just ended. Long may it continue.

Will More Cyber Offense Deter Cyber Attacks?

Admiral Mike Rogers, the head of CyberCommand, told the Senate Armed Services Committee recently that we need to “think about how can we increase our capacity on the offensive side.” He was responding to Senator McCain and other members of the committee who were pushing for CyberCommand to put a greater emphasis than it has on offensive measures. Their reason for that emphasis? To deter attacks like those we have seen in the headlines, especially the attack on Sony.

That is the wrong message, given at the wrong time for the wrong reason.

There is no doubt that the United States needs a strong capability to launch cyber-attacks. They may, indeed, help deter some attacks by some adversaries. But other reasons are more essential to national security.

First, the cyber domain is an increasingly important part of the modern battlefield, much as air power became increasingly important in war during the first half of the last century. The military cannot ignore it, particularly as militaries other than our own are becoming both more capable and more reliant on this new technology. Our military must be prepared to take the cyber battle to the enemy, to project power through the cyber domain.

Second, cyber-attacks give policymakers an alternative means for pursuing policy objectives short of war. Economic sanctions are one set of several sets of tools that can be used to promote the ends that policymakers seek. Stuxnet showed how valuable an offensive cyber tool could be in this context. The Israelis were pushing for an attack on Iranian nuclear facilities; Stuxnet provided an option that could—and did—slow the Iranian push toward a nuclear capability.

But how useful will offensive cyber weapons be for deterrence? Keep in mind that deterrence is all about perception. It is not enough to have a capability and to say that you will use it. Your opponent must believe that you will retaliate if the opponent attacks and that you will cause that opponent harm that exceeds the probable gains from the original attack.

This puts several conditions on the use of cyber means used for deterrence. First, the attribution problem has to go away. Not only must we know who attacks us, our would-be attacker must know that we will know, despite efforts made to hide the source of the attack.

Second, would-be attackers must know the threshold beyond which they cannot go. Will we respond if embarrassing corporate emails are made public? If state secrets are stolen? If a million social security numbers are taken? If essential files are destroyed? If industrial control systems malfunction? If the power grid goes down? The threshold lies somewhere on a line drawn through that list, but where? The line has to be precise and clear to the opponent.

Third, a would-be attacker must know that the threat of our retaliation is credible. The opponent must know that action threatened will hurt and that there can be no effective defense against it. Such a threat is easy for a nuclear power to make. A nuclear blast does hurts and, as yet, there is no assurance that the delivery of nuclear weapons can be stopped.

It is different in the cyber world. Can a retaliatory attack on targets purely in the cyber domain cause enough damage to make an opponent think twice about attacking? Perhaps, but I suspect not. Attacks on cyber targets that affect the physical world are more likely to, if their success can be guaranteed. But a would-be attacker must believe that such an attack will happen and that it cannot be stopped. 

There is, of course, no reason to limit retaliation to the cyber domain. But such asymmetric responses get away from the committee’s call for a greater emphasis on offensive cyber weapons. They warrant consideration precisely because of the limitations of cyber attack. (McCain did not simply call for a greater emphasis on offense. He called for a strategy for deterring cyber attacks. )

Another problem with making a threat credible is that cyber threats against a determined defender are transitory. An attack that succeeds today will be defended tomorrow. Stuxnet relied on five zero-day attacks. They have been patched, though one was fully patched only recently. And we cannot assume that the Iranians are as vulnerable to attacks launched through USB devices and contractor’s laptops as they were in 2010. After all, the Defense Department was also the victim of an attack by USB in 2008. Measures have been taken and the department’s vulnerability has been reduced. It is true that the attacker has the upper hand in today’s environment.

It is also a truism that a determined attacker can succeed. But will a would-be attacker be convinced that offensive cyber attacks by the United States that can cause significant harm are unstoppable? There is good reason to think not, despite the skills of the personnel in CyberCommand.

In addition, a response to a cyber attack using offensive means has to take escalation into account. In the nuclear world, deterrence was more like playing poker: once you got to the threat of a nuclear exchange, the chips were in; the cards were on the table. The power of the weapons, the damage they could do, put stark, horrifying limits on how the game could play out. In the cyber world, deterrence is more like chess: you have to plan to meet your opponent's next move. And the options the opponent has are manifold. This is especially so as the United States, more dependent on information technology than most other countries, with an immense cyber sector, offers a multitude of targets, many, perhaps most, of which are poorly defended. Can we be ‘escalation dominant’ in the cyber realm? That seems unlikely, even if our offensive cyber capability becomes more robust.

To conclude, then, when policymakers consider how to allocate the resources we are prepared to give to cyber operations, it seems wiser to continue to focus on defense than to seek to strengthen deterrence using offensive cyber means. A strategy of deterrence for cyber attacks, as McCain called for, is needed, but it can and should draw on means outside the cyber domain. The recent executive order that ordered sanctions against those responsible for cyber attacks can be one element of such a strategy.

What is needed more strongly than even the strong defense that CyberCommand may be able to provide for DoD is a comprehensive approach to defense in both the public and private sectors. Such an approach should strive to get past the distrust between (and within) the two sectors that has been especially strong since the Snowden revelations. It must include the exchange of the information available about the threats both sectors face, as so many are discussing now. It must also seek to set and maintain stronger standards for cyber defenses in ways that are both effective and flexible.

That is a tall order, but it is certainly not impossible to achieve. It gives us is a more certain path to reducing the plague of attacks that both private companies and government agencies have suffered recently than trying to use cyber attacks to deter our opponents.

Attributing Nation-State Cyberattacks: How Do You Know Who Decided and Why?

In January 2011, Secretary of Defense Robert Gates told reporters that he doubted that the Chinese could make a fighter that was truly stealthy. Shortly thereafter, while Gates was in China,scheduled to meet with the Chinese leader, Hu Jintao, the Chinese military tested their new stealth fighter¹Instead, Gates decided to ask Hu Jintao why the test had been made. According to David Sanger:

Hu's  face turned quizzical when Gates mentioned the test.

"Hu turned to the guy next to him and asked if he knew what I was talking about," Gates said. "That guy shook his head no and moved down the line." The pattern continued until they hit the first officer in uniform. He knew all about it. The test, it was reported, had been rescheduled from an earlier date because of a minor equipment malfunction.² 

Curious, Sanger later asked Gates whether Hu actually knew. The secretary replied with a diplomatic 'yes,' but may have had doubts. Still curious, Sanger asked a diplomat and one of Gates' aides why the Chinese made the test. He got two answers. The diplomat said that it was to send a message to the United States and to Gates. Gates' man said it was to send a message--'screw you,' he said--to Hu, who had told the military to patch up their relationship with the Pentagon.

Was the military really acting on its own, contrary to direction from the senior leadership? The truth is, we can guess, but we don't know.

When cyberattacks are attributed to nation-states, as in Estonia in 2007, Georgia in 2008, or with Stuxnet, the assumption is often made that the attack has been approved by the senior leadership. The state is seen as a unitary actor, with all actions coordinated among all the players.

Clearly that is a simplification of what actually happens, but it is true enough, often enough, that this simple assumption is a useful one to make. But the incident Sanger cites tells us that it is not always so, and that it behooves those who make policy in one country to understand how policy is made in the states they blame.

This is often something that policymakers know little about. It is not always easy to understand how decisions are made even in a raucous democracy like the United States or the UK, where the press has access to most of the players and the players want their part known. Sanger's revelations about Olympic Games are a case in point.³ . In authoritarian societies like China and Russia it becomes much more difficult. In an isolated society like North Korea, it is close to impossible.

What this means for the attribution of cyberattacks is that forensics may give us the technical knowledge to attribute an attack to a nation-state. We may know enough about how that state operates in the cyber domain to pin the attack on it.⁴ But the question of motivation can become more complex than the reality of decision-making can allow. That simple assumption that decisionmakers act as one may woefully distort our understanding of how the decision to attack was made. Which leaves us not knowing with certainty who is responsible and why.

In most circumstances, this particular problem with attribution will be of little consequence. Most cyberattacks are not made by states, after all. Moreover, few attacks by nation states require an immediate, direct, and public reaction. Most, in fact, are merely digital espionage and not clear acts of war.

The reality of how decisions are made is, then, one more variable that needs to be added to the equation used to determine the attribution of a cyberattack to a nation-state.

1 David E. Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (New York: Crown Publishers, 2012), pp. 370-372. ^↩
2 Sanger, Confront and Conceal, p. 371.>^↩
3 Sanger, Confront and Conceal, Chapter 8.^↩
4 Thomas Rid & Ben Buchanan "Attributing Cyber Attacks," Journal of Strategic Studies, retrieved on 06 January 2015 from http://dx.doi.org/10.1080/01402390.2014.977382 provide an exceedingly useful framework for examining attribution.^↩

A Moment in Time: Russia, Ukraine, and a Road That Might be Taken

Since the Soviet Union collapsed, Ukraine has had two chances to find a road to find a road to freedom, stability, and prosperity. It failed after it became independent in 1991; it failed again after the Orange Revolution in 2004, a decade ago. It desperately needs to succeed this time, despite losing the Crimea and large chunks of the east.

There are new faces in the government that give grounds for hope, as a recent article in the New York Times pointed out. Yet the odds remain steep. Through most of the former Soviet Union, old habits die hard. More often than not, corruption rules. The social underpinnings required by democracy are weak. In Ukraine, desperation has led to the strengthening of reactionary forces.

But desperation may yet produce a new outcome. There are forces at play that are not new. They existed before 2004. They surprised me when I saw them first hand in 1989. Until recently, I had forgotten about that time, when the Soviet Union was opening up after 70 years of Communist dictatorship.

The spring of 1989 was the heyday of the Gorbachev era, a time of Perestroika, of restructuring. In March of that year, for the first time since 1917, the Soviet Union held elections that were open, contested. They produced the Congress of People's Deputies, a new legislative body.

I came to the country for a conference two months later, a member of a delegation from the Forum for U.S.-Soviet Dialogue, an organization dedicated to the proposition that dialogue between the two superpowers had value. The American delegation included scholars and students, executives, journalists, military officers, and even a jazz singer. The Soviet delegation was of similar status, but less varied. Two members came from a institute attached to the International Department of the Communist Party that had entertained no Western visitors until we entered its gates in Moscow.

Two incidents on that trip showed me that Ukrainians and Russians were eager to have a government more effective and more democratic than the authoritarian Soviet government they had known.

The conference itself took place on a hydrofoil that skimmed the Dnepr River from Kyiv to the Black Sea and Odessa. It was a floating testament to dialogue and optimism, cordial and serious, despite wide differences in outlook between the two sides.

The first incident took place when we stopped in Zaporozhye, a city in the center of Ukraine, only 120 miles from Donetsk. Our delegation was greeted warmly and divided into two groups to be addressed by local officials.

Those of us who were there to discuss political, legal, or cultural issues, were led to an auditorium. Filled with more than a hundred local citizens.

What happened then left me astonished. Several senior party officials spoke to us about the state of affairs in Zaporozhe and the country at large. They were laughed at. Not by us, but by the locals. The officials were not used to this and did not expect it. A lawyer from Moscow--a member of the Soviet delegation to our conference--asked a question about irregularities in the election that had just taken place. The official responded by complimenting him on his Russian. Clearly, he believed that no Russian would ask such a question.

The laughter showed that the audience was not prepared to accept falsehood and pablum. By their reactions, the officials showed that they were not prepared to be taken to task. This in a country that had sent people to die in the Gulag for less only a generation before and still found dissent difficult to deal with, as the next two years would show.

After we left the hydrofoil in Odessa, at the base of the Potemkin steps, we flew to the Crimea, where the second incident took place. During our stay in Yalta, the Congress of People's Deputies held its first session. it was extraordinary, and televised in the lobby of our hotel. A crowd that included some of our delegates and a number of hotel workers stood around watching it.

I remember one maid in particular. She was blond and dressed in her hotel uniform. Her eyes were focused intently on the screen.

The session at the Congress had been going on for some time. It had reached the point of electing a president. Everyone knew it would be Gorbachev, General Secretary of the Communist Party. But we watched as Alexander Obolensky, an unknown delegate from Leningrad--and not a member of the party, complained about the privileges that senior officials enjoyed. He then nominated himself for president, wanting to set a precedent of competition for office.

When he finished, the maid--like others around us--said quietly: 'Molodets!' 'Good lad!' 'Well done!'

 The odds against democracy are steep in both countries--more in Russia than Ukraine, where the unsettled state of things may make change possible. But when we read about the efforts to make Ukraine democratic; when we hear of the strong support that Putin gets for Slavophilic, Russo-centric aggrandizement, we should keep that 'Molodets!' in mind. There is more going on in both countries than we know. The road not yet taken remains open.