Cybersecurity Expert On Russian Sanctions Within Legal Boundaries

NPR's Ailsa Chang talks with Michael Sulmeyer, who directs the Cyber Security Project at Harvard's Kennedy School of Government, about sanctions against Russia.

AILSA CHANG, HOST:

This week, the Obama administration announced sanctions against Russia after saying it was confident the Russian government interfered in last year's presidential election. The president expanded an executive order from 2015 adding new powers to retaliate against those who disrupt U.S. elections.

Michael Sulmeyer directs the Cyber Security Project at Harvard's Kennedy School of Government, and he joins us from our studios in Washington to talk about this. Thanks for coming in.

MICHAEL SULMEYER: It's a pleasure to be here.

CHANG: Will anything the Obama administration announced last week be an effective deterrent against future cyber attacks?

SULMEYER: The main question about deterrence is deterring who from doing what? And so in this case, it's pretty clear the who, but the from doing what is a little muddled. We've seen the hacking into our election, but we're not going to have election for a little while. We've seen them harassing our diplomats in Moscow, so I think the hope here is by expelling 35 undercover intelligence agents, we deter them from more harassing. And we also see them conducting a broader range of aggressive cyberspace activities against the United States. And here the hope is that publishing this 13-page technical report with a lot of the details and specifics of the Russian operation - by exposing it, we say you're blown. Knock it off in the future.

CHANG: Do you think the U.S. went far enough in this case against Russia?

SULMEYER: It's hard to say. I think the administration's been pretty clear that they were going to undertake some public actions and that they were going to undertake some actions that wouldn't necessarily be so public.

CHANG: Right.

SULMEYER: For public actions, yeah, this is pretty dramatic. I think the question will be does the United States respond to Russian aggression in cyberspace with similar aggression in cyberspace as well and that may be done quietly.

CHANG: Are there legal parameters for what the U.S. government can do or cannot do when it comes to responding to cyber warfare?

SULMEYER: There are not formal rules in as much as we are not in a declared state of war. The question of does the law of war apply in cyberspace? Yes, and a vast majority of the international community agrees. But I think the activity that the United States is likely to see going forward are activities that fall short of warfare. But it's more subtle. It's about holding our critical infrastructure at risk so that on a rainy day in the future, Russia might be able to threaten us or blackmail a future president with that kind of access. How do you respond to that - tampering, hacking, gaining unauthorized access to computers but not breaking anything, maybe not even changing any data? It's hard to call that warfare, but it's certainly not acceptable.

CHANG: What is cyber warfare then?

SULMEYER: Well, it's a concept that sells very well for books - got to have a catchy title - but I tend to think of it as a situation where two or more states are already in war and that war extends not just on land and not just in the air, but also on the internet. But here, we're not - that's not the situation that we're at right now. And it's a very, very difficult problem for policymakers who try to balance between avoiding gross and dramatic escalation. But at the same time, you have to be serious. You have to demonstrate resolve. That's a tough balance to strike.

CHANG: Michael Sulmeyer leads the Cyber Security Project at Harvard University. Thank you so much for speaking with us today.

SULMEYER: It was a real pleasure. Happy New Year and s novym godom to our Russian speakers.

CHANG: (Laughter) Happy New Year to you, too.

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.