When To Use the ‘Nuclear Option?’ Why Knocking Russia Offline Is a Bad Idea

On Nov. 6, 2018, the notorious Russian troll farm—the Internet Research Agency or IRA—was silent. In an effort to “prevent the Russians from mounting a disinformation campaign” that would “cast doubt on the results” of the 2018 U.S. midterm elections, U.S. Cyber Command conducted a mysterious cyber operation to knock the organization offline. For some, the operation sent a message, but others questioned what that message was and whether it was big enough. The news about the Cyber Command operation prompted suggestions that America should respond to cyberattacks with more drastic measures, with some suggesting the United States could send a stronger signal by disconnecting Russia entirely from the internet.

Because Russia has been the subject of speculation, we’re focused on it here. Certain things about Russia—its nuclear weapons, system of government, and military might—make it relatively unique. But the analysis herein is at times generic and could be applied more broadly.

Finally, it’s important to note that knocking an entire country offline could violate international law. Depending on its effects and other factors, it could rise to the level of an unlawful use of force in violation of Article 2(4) of the United Nations Charter. If not that severe, it could nevertheless constitute a violation of sovereignty. And even if construed as a countermeasure in response to unlawful actions taken by Russia against the United States (a controversial conclusion, given even the United States has not affirmatively stated whether it believes the Russian election interference campaign violated U.S. sovereignty), there would be questions as to whether “knocking the entire country offline” would be a proportionate countermeasure—although, again, that would depend on a fact-specific analysis of the purposes and effects of the operation.

These are serious issues. Moreover, for well over a decade, the United States has tried diligently through the U.N. Group of Governmental Experts (GGE) process to build consensus that international law applies in cyberspace—with at least some success. This type of operation could undermine that work, as well as U.S. efforts to build consensus around norms of responsible peacetime behavior in cyberspace.

But even putting those important issues aside, we write to address a fundamental policy question about this type of cyber operation. Would it even serve the deterrent effect some claim it would?

Really the ‘Nuclear Option?’ 

It’s tempting for proponents of knocking a whole country offline to think of a capability like this as something akin to the cyber version of the “nuclear option”—for use in extreme circumstances in an armed conflict and mostly present as a deterrent.

But the analogy has shortcomings, particularly when it comes to escalation. The only use of nuclear weapons—Hiroshima and Nagasaki in World War II—was an escalation of an ongoing armed conflict. But it was conducted with the dual purpose of crippling an adversary and rapidly de-escalating the conflict. If you drop a nuclear bomb, especially on a country that has similar capacity, you better hope that you destroy their capacity to conduct a retaliatory or second strike. Today, nuclear weapons are intended to serve the function of deterrents. If you have to use them, you’ve already failed.

This leads, naturally, to the question of what one would hope to achieve with the threat and use of a capability to unplug an entire country’s internet. If it truly is the “nuclear option,” one would hope it would serve to cripple the adversary and put a halt to ongoing hostilities. One other purpose—and this is the stated purpose of the more limited Cyber Command operation on the IRA—could be to stop or prevent ongoing attacks (here, we use “attack” in the lay sense of the term, not to indicate an “attack” under the laws of armed conflict). Another could be to create some pressure in response to an attack. Still other possibilities include sending a message to opposing leadership in order to deter future action or destabilize their position domestically.

A cyberattack that knocks Russia offline—generally speaking, one that either (a) overwhelms internet exchange points and servers with traffic requests and thus renders them unable to respond to legitimate ones from within Russia, or (b) manipulates internet routing protocols in order to deny systems in Russia connection to any other systems—is unlikely to serve any of the aforementioned purposes.

In extreme circumstances, an attack should paralyze and demoralize an adversary, giving them little choice but to seek de-escalation of tensions and avoid escalation of a kinetic conflict. (Again, we are leaving aside for now the issue of whether this would constitute an unlawful use of force.) With a traditional nuclear bomb, it’s difficult to argue for its use, given the massive humanitarian, ecological, and economic toll, if it doesn’t achieve de-escalation. This is one reason why the analogy doesn’t really work. The human toll of disconnecting Russia from the internet, while not zero, pales in comparison to the destruction caused by a nuclear bomb.

Furthermore, regardless of how the cyber operation was executed, many of the effects of disconnecting a country from the internet likely would be reversible, unlike the dropping of a nuclear bomb. But it’s precisely for that reason that this cyber “nuclear option” wouldn’t have the desired effect. 

For someone viewing the internet through the American lens, it could seem—given the importance of the internet to, well, everything—that knocking a country offline could be crippling militarily, akin to a nuclear strike. This just isn’t the case in Russia, and in the future, it will be even less so. Russia is executing on its domestic internet plans to isolate the country from the global web. Russian cyber elements can and do operate from outside of Russia. And knocking Russia offline may neither impact its military communications nor hinder the country’s ability to retaliate in other domains (e.g., with an actual nuclear weapon). In this light, it’s hard to see how knocking Russia offline would be crippling (even economically, as we discuss below).

Possible Objectives 

Knocking Russia offline could potentially serve two purposes: active defense—that is to say, preempting or stopping an ongoing attack—and deterring future attacks.

Active Defense

A justification for disconnecting an entire country from the internet could be to stop attacks from that country in their tracks. As one U.S. official described the much smaller counter-IRA operation, the purpose could be to “throw a little curve ball, inject a little friction, [and] sow confusion.” As Jay Healey notes, the IRA counter attack was:

Not about ‘deterrence’ or ‘signaling’ but a specific counter-offensive op to counter a specific adversary from conducting a specific activity during a specified window of high-vulnerability. It was part of [a] campaign specifically approved by the president. Jim Miller, former Undersecretary of Defense and Cipher Brief expert, calls this ‘kicking the knife out of the hand’ of attackers.

To kick the knife out of the hand of attackers, targeted operations against specific entities, their command and control servers, and their devices would be effective—without taking a dramatically larger action like knocking the country offline. If Cyber Command is confident enough in their attribution to say that the Russian government is either executing, ordering, or encouraging an ongoing or soon-to-be attack, you better bet that the U.S. government knows quite a lot about who the operators are and what equipment or infrastructure they’re using. Even putting aside the potential illegality of removing a country from the internet, this begs the question: why try to disconnect an entire country when you can go straight to the source of the malicious cyber activity?

Further undermining the effectiveness of a complete disconnect is the now-documented fact that Russian intelligence services have set up front companies in other countries from which they base some of their cyber operations. There’s little reason to think that knocking Russia offline would disrupt these activities.

Deterrence and Compellence

Alternatively, and as has been suggested, such an action could be meant to have a deterrent effect. Deterrence theory, as well as its application to cyberspace, has been mulled over by some of the greatest minds of the 20th and 21st centuries, and we are distilling that work into a few paragraphs, so bear with us. We focus here specifically on the deterrent or compellent effectiveness of punishment—a dubious motive during peacetime and one that international law would frown upon—and the ways forcing an entire country offline might fit into that paradigm.

Forced disconnection could be used, as many have suggested, as a means to punish Russia in response to an attack. Punishing an adversary (or the simple act of threatening punishment) can serve to compel an adversary to change its behavior or deter it from certain behaviors. In order to effectively punish, or message punishment, it’s important to understand both how much pain a potential punishment would cause and the pressure points of the adversary.

Let’s start with the amount of pain this might induce in Russia.

As of 2016, 76.4 percent of the Russian population was online, and as of 2017, 60 percent of Russian internet traffic was reportedly handled by foreign servers. Today, the television still serves as the primary medium through which people get their information, not the internet. According to NetBlocks, a day-long total shutdown of the internet in Russia would cost approximately $307 million, or about .02 percent of Russia’s annual GDP.

That may sound like a lot, but in terms of the raw number it’s comparable to places like Finland (also $307 million), Mexico ($336 million), and Thailand ($335 million). It’s far less than places like Austria ($510 million; .12 percent of GDP), Poland ($555 million; .11 percent of GDP), and even Venezuela ($403 million; .08 percent of GDP). It also pales in comparison to the cost of a shutdown in what Russia would like to think of as its peers: the U.S. (over $7.3 billion; .04 percent of GDP), the UK ($2.2 billion; .08 percent of GDP), India ($1 billion; .04 percent of GDP), and China ($5.9 billion; .05 percent of GDP).

Would a shutdown cause Russia some pain? Sure. But not as much as many might think, and Russia’s plans to establish a domestic internet to isolate its internal systems from the global network will serve to further diminish Russian reliance on the global internet.

That leads to the question of whether—given that a disconnect would not cause a great deal of pain—it would cause pain in the right places. In Russia, the pressure points are clear: the Kremlin itself, the intelligence services and the siloviki (members of the security services and the military), and the inner circle of oligarchs. Those with means—whether through wealth or personal connection—are the least likely to be drastically affected by a sweeping internet disconnection. Targeting them and their assets more precisely would surely elicit greater strain. 

Furthermore, knocking Russia offline, rather than weakening President Putin, may actually serve to strengthen his position domestically and in Russia’s limited sphere of influence. As Keir Giles unpacks in his recent book, Mr. Putin thrives on presenting himself as a legitimate equal and foil to western—particularly American—power. The U.S. blacking out Russia’s internet could serve to galvanize support and solidify anti-American sentiment in the broader population in Russia and stoke Kremlin narratives about American evil. It also would reinforce Kremlin foreign propaganda in their near abroad, lending further fuel to the notion that the internet is a great destabilizing force that needs greater state control.

Thus, as important as it is to assess the potential effectiveness of an action like the one in question here, it is equally important to look beyond what’s immediately in front of us and assess the way knocking a country offline impacts U.S. interests more broadly.

Undermining Other U.S. Interests 

In direct and indirect ways, knocking Russia offline could also impact the spread of digital authoritarianism. The Kremlin’s purported reason for establishing its own domestic internet is an “aggressive” U.S. cybersecurity strategy and the threat of a potentially crippling cyberattack. Even though this is top cover for protecting and projecting authoritarian governance on and through the internet, other countries are following suit or considering following suit. This copycatting is born either out of a desire to protect their own authoritarian regimes in the digital age, or because they believe the narrative that tightly controlling the internet is necessary for cybersecurity. Knocking Russia offline would lend weight to this narrative that countries need to cut off and control their domestic internet to protect themselves in cyberspace. And as we’ve previously written, the fragmentation of the global internet is not in the interest of the United States or our democratic partners and allies.

Further, knocking Russia offline would remove at least one of the Kremlin’s inhibitions about really destabilizing the global internet ecosystem: Russia’s own (albeit limited) reliance on it. Russia is already, arguably, one of the leading contributors to cyber instability. If completely disconnected and put in a position to respond to the malicious action of an adversary, there’s little to suggest that the Russian government would hold back from wreaking serious havoc by tampering with fundamental internet elements that impact traffic routing everywhere—like Domain Name System hierarchies or the Border Gateway Protocol (the latter of which Russia manipulates already)—or going on the offensive against systems themselves, launching distributed denial of service (DDoS) attacks that knock out American internet services or ransomware attacks that wreak havoc on a global scale (as with NotPetya, for instance).

Finally, there is the matter of escalation. To date, cyber belligerence has almost always been met with either cyber responses (like with U.S. Cyber Command’s operation against the Russian IRA), economic responses (like with U.S. sanctions against the Russians and Iranians), or law enforcement responses (like with U.S. indictments of PLA hackers). This paradigm has been challenged within the context of an ongoing armed conflict—the Israeli Defense Forces recently bombed a cyber operations facility of Hamas. But largely, cyber conflict has not escalated into kinetic conflict when there wasn’t one between the relevant actors already.

Disconnecting an entire country from the internet, however, would represent a marked step up on the ladder of escalation. It could, due to its potential physical effects and effects on ordinary citizens (e.g., impacting hospital functionality), even risk escalation that could perhaps spill over into physical domains of warfare. In most situations, this is not in the interest of the United States.

IMAGE: Cyber-warfare specialists serving with the 175th Cyberspace Operations Group of the Maryland Air National Guard engage in weekend training at Warfield Air National Guard Base, Middle River, Md., Jun. 3, 2017. (U.S. Air Force photo by J.M. Eddins Jr.)

 

About the Author(s)

Robert Morgus

Senior Policy Analyst with New America’s Cybersecurity Initiative

Justin Sherman

Cybersecurity Policy Fellow at New America, and a Fellow at the Duke Center on Law & Technology. Follow him on Twitter (@JShermCyber)