U.S. lawmakers say Russia’s use of social media in the 2016 presidential election amounts to cyberwarfare.
Senators Dianne Feinstein of California and Angus King of Maine both used that term this week to describe Russian accounts and advertising that sowed division among Americans by promoting fake news and even protests.
“This country has to have some kind of cyberwarfare deterrent capacity,” King said at an Intelligence Committee hearing. “Right now, there’s no price to be paid for meddling in our democracy.”
But there’s no explicit definition or legal framework in the United States for what constitutes cyberwar.
So far, there are no reports of physical injury as a result of the Russian campaigns. Two protests organized by Russian trolls in Texas were reportedly non-violent. But they targeted American democracy by relying on Facebook and Twitter’s power to share information to large audiences.
Andrea Little Limbago, chief social scientist at the security firm Endgame and former analyst at the Defense Department, says the word “cyberwar” is overused.
“We need to change how we think about this because it’s not helping and we leave everything so vague,” Limbago said.
There are a number of digital tools one country can use to target another: A hack that penetrates computers, ransomware and malware that destroy files, social media manipulation that distributes false information. Sometimes these tools are used together.
Online hacks could have real-life consequences. Earlier this year, NSA director Admiral Michael Rogers highlighted two worst-case scenarios for cyberattacks: Outright destruction of critical infrastructure, such as shutting down a power grid to create chaos, and data manipulation on a massive scale.
NATO could consider cyberattacks a potential trigger for Article 5, the organization’s mutual defense agreement. This means allied countries could respond to a cyberattack with force.
Because there are no rules for how to respond to threats, there’s no clear way to handle certain threats and challenges, Limbago said.
“We should focus on what happened, what the effects were, and what tools in our foreign policy tool belt we have to respond,” she said.
Two U.S. representatives recently introduced a “hack back” bill to make it legal for companies to retaliate against hackers, unrelated to foreign policy regarding cyberwar. Security experts agree the bill could have serious negative consequences, such as accidentally targeting innocent third-parties.
In 2016, King co-sponsored a bill, the Cyber Act of War Act, to define what constitutes cyberwar. It didn’t pass, but it would have given the president the power to determine when the effects of a cyberattack are equal to those of a traditional war with conventional weapons.
In August, the U.S. approved sanctions on Russia following election interference and human rights violations. Some experts said the response was inadequate.
Actions could include publicly attributing groups or individuals behind the attacks, increased sanctions against the country, and formally charging members of intelligence agencies who played a role in the actions, according to Eric Rosenbach, director of Harvard’s Defending Digital Democracy Project and former chief of staff to the Secretary of Defense.
“You could work your way up to even more aggressive [moves] such as a counter-cyberattack,” he said. “But you’d have to think about that very carefully.”
“We definitely aren’t doing enough,” Rosenbach said.
From Washington to Silicon Valley, experts say Russia’s actions in the 2016 election are not a one-time activity. Hackers targeted this year’s French election, and Spanish media reported on Russian influence in the run-up to the Catalan independence referendum on October 1.
Lawmakers want to make sure it doesn’t happen again.
“The U.S. needs to take leadership in how to counter this kind of weaponized information across the board,” Limbago said. “There are plenty of other governments copying what Russia is doing.”