Russia's Approach to Cyber Warfare

Policy Briefing on the Imminent Russian Cybersecurity Threat: The Need For Action Against Russian Cybercrimes

In recent years, Russia has found a reliance on using cyberwar and crimes as a tactic to achieve their strategic goals both in their near-abroad and against Western countries. The United States must be prepared to retaliate against any cyber attack directed at our nation by assessing options to limit and counter the Russians without leading to an overescalation and possible war.

Background:

The frequency with which we hear about Russian hackers hacking into a country’s important information and systems has become more and more regular, and as a result of this it is important to trace back the history of Russian cyber warfare.

The first instance of a large scale Russian cyber attack happened in Estonia in 2007. At the time, tensions were high between Russia and the former Soviet State, and the Kremlin authorized a campaign which targeted Estonian governmental agencies and businesses through use of massive DDoS (distributed denial of service) attacks that shut down countless websites essential to the functioning of these agencies and businesses (Batashvili).

In 2008, Russia coordinated an even larger cyber attack during the Russo- Georgian War.
On August 7, a cyber attack was conducted from Russia against Georgian government and media websites, while at the same time Russian troops were crossing the Georgian border. According to the Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, the attack lead to several Georgian servers and high amounts Internet traffic being taken control of and placed under external control (Batashvili). The offensive persisted through the conflict lasting until ceasefire was announced on August 12. Furthermore, the Kremlin had tested their abilities in the lead up to the invasion, shutting down the official website of the president of Georgia for an entire day on July 10. The Russian cyber attacks affected practically all Georgian government websites, crippling the state’s ability to respond to the conflict. Additionally, attacks targeted Georgian media, business, and other political organizations in order to control them from turning the conflict away from Russia’s favor by making it difficult for information of what was happening inside of the conflict zone to spread out to the rest of the world. According to a report by the US Cyber Consequences Unit, “the primary objective of the cyber campaign was to support the Russian invasion of Georgia, and the cyber attacks fit neatly into the invasion plan”. The attacks achieved their intent, since they “significantly impeded the ability of the Georgian government to deal with the Russian invasion by interfering with communications between the government and the public, stopping many payments and financial transactions, and causing confusion about what was happening” (US Cyber Crimes Unit).

Recent cyber attacks against Ukraine are a worrying signal of a continued use of this strategy. Ukrainian president Petro Poroshenko said that during in the final two months of 2016, Ukrainian state institutions had 6,500 instances of hacking, most directed towards the ministries of defence and finance, in addition to Kiev’s power grid and the treasury. According to the Poroshenko, the operation came at the hand of the Russian security services, following the same playbook as they had in Georgia (Batashvili).

Russian cyber operations are not use solely in tandem with military offensives however, with many also being employed in the wars on information, especially against Western nations. The 2016 American presidential election, while highly publicized is not the only instance in which there is evidence of Russian interference with the 2017 French and German elections also being targeted. Numerous French officials and agencies, including the Defense Minister and DGSE have raised concern over the issue of Russian interference in the nation’s election, citing concern that fake news and cyber attacks were being directed to now President Macron and his party as they were not the candidates the Kremlin believed would be most beneficial to the Russian state interests.

German intelligence agencies have also brought up similar concerns about Russian cyber activities being directed against Germany and its election, with Chancellor Angela Merkel, herself seeing attacks as threatening the foundation of German democracy and the effective functioning of the German state (Delker).

Russian Objectives:

As practiced today, Russian use of cyberwarfare has three common and consistent objectives:

• Capturing Territory Without Resorting to Overt or Conventional Military Force

This was the strategic goal we saw Russia trying to achieve in 2014, when they successfully annexed Crimea. The annexation of Crimea relied on a group of Russian Special Forces operatives known as the “little green men”, who took their directives from a newly created Russian special operations command. The deployment of these highly trained operatives, in coordination with a massive information warfare campaign, as well as the involvement of  local Russian loyalist proxies created the opportunity for Russia to takeover without needing to shed blood as they had forced momentum to shift in their favor allowing for Crimeans in Ukraine to vote for secession from Ukraine (Chivis). In 2008, Russia used similar tactics in its invasion of Georgia, during which they similarly coordinated cyber attacks against essential government computing services while simultaneously operating special operation forces in coordination with Russian loyalists from the Georgian State. A major impact of these tactics has led to a weakened ability to integrate these countries with Western thought.

In 2013, Russian Chief of the General Staff, General Valery Gerasimov showed Russia’s current views on such hybrid cyber warfare tactics, stating that in modern conflicts non-military means are put to use more than 4 times as often than are conventional military operations (Gerasimov). This suggests in the future such cyber attacks will be likely, and even at this point many are not being properly identified. In its use of cyberspace, Russia has shown it can find success in achieving territorial expansion goals in a manner that is nonviolent and seemingly peaceful, however there is always the underlying threat of actual military force being used unsparingly.

• Creating a Pretext for Overt, Conventional Military Action

In a similar manner to capturing territory through covert, non-militarial expansion, Russia is also capable of using cyber warfare in order to create a conflict which gives them solid reasoning to use military force in foreign nations (Chivis). For instance, the Russian annexation of Crimea has lead to a reasonable concern that the Kremlin could engage in a hybrid strategy to manufacture a conflict worthy of military action elsewhere, possibly the Baltic states. As it did in Crimea, Russia could try to create tension in a country like Estonia by conducting a campaign which foments discord between the minority Russian population and the Estonians. In creating these sentiments which portray the government of Estonia as oppressive towards the minority Russians, the Kremlin can justify a Russian military intervention their behalf of the Russian minority, as Russian sentiment still sees these people as their own. Conducting an operation of this sort requires the accompaniment of simultaneous cyber operations directed at inflaming attitudes and creating difficulties in executing both national and NATO responses. It would almost certainly be accompanied by efforts to influence broader European and world opinion in ways that favored Russia’s intervention through use of propaganda and opinion shifting which portrays Russia as acting on behalf of a repressed population that seeks its aid. On the ground, it would involve the use of Russian secret agents and proxies, both to act as aid/support for local populations creating tensions, and to coordinate with military forces awaiting instruction and guidance.

• Using Hybrid Measures to Influence the Politics and Policies of Countries in the West and Elsewhere

This last objective is the most pressing for the United States and Western countries out of the near vicinity of Russia. In this objective, the Kremlin seeks to use cyber operations in lieu of military action or war to create tension and distress in Western governments. The goal of this strategy is to influence and create favorable political outcomes in targeted countries to serve Russia’s national interests (Chivis). The countries where these types of operations are most likely to find success are those with high levels of corruption and weak legal systems. However, more stable countries such as the United States and the United Kingdom are similarly susceptible to such operations. Examples of ways the Kremlin can engage in cyber operations to influence an outside nation’s political system include the use of fake “troll” accounts used on social media to spread propaganda and create divides amongst the citizens of that nation. Also the hacking of servers of government officials can provide them with material which they can use to either influence that official through blackmail, or which can be leaked to induce further tension. In creating these narratives, Russia has the ability to influence democracy by planting false information and manufacturing biases against those that act against the interests of the Kremlin.

American Stakes:

The continued use of cyber attacks by the Russian government brings up very realistic threats both domestically and internationally for the United States.

Internationally as Russia continues with their their goals of territorial expansion, the United States is faced with the concern of a wider influence of Russian thought and expansion of pro-Russian policies in areas where the United States has worked to promote democracy and peace. The desire of Russia to reassemble the Soviet Union remains very real, and as seen in Estonia, Georgia, and Crimea cyber attacks can play a key role in these territorial gains. By allowing continued expansion of the Russian state, the United States risks losing the strategic relationships they have developed with these countries as well as the progress they made towards finding them more independence from Russia as democracy began to take its roots in these nations. Furthermore, these attacks can be used by Russia in places like Syria as a way to promote the Assad regime which works in coordination with Russia in achieving other strategic goals, such as the development of an oil pipeline through Syria.

Domestically, Russian cyber attacks can destabilize the US government by creating rifts and tensions amongst the American populace through the spread of false information and fake news.  As seen by the hacks against the DNC as well as the use of trolls during the 2016 Presidential Election, Russia’s use of cyber attacks can undermine American democracy by allowing for a foreign nation to alter the minds of our citizens, feeding them lies and inflammatory material to create disarray in our democracy. This is especially hurtful as Russia can cite American disorder as a reason to not take our example and implement democracy in the American fashion to foreign nations. Attacks by Russia can also cripple the government’s ability to function towards the service of its citizens. 

Government Organization for a Cyber Attack

The 2016 Presidential Policy Directive (PPD) 41 – United States Cyber Incident Coordination –  defines a significant cyber attack as “likely to result in demonstrable harm to national security interests, foreign relations, the domestic and global economy, public confidence, civil liberties, or public health and the safety of the American people.” (PPD 41). Cyber attacks by Russia against domestic communication or critical IT infrastructure fall under this classification.

Should such an attack actually occur, the National Cyber Response Group would lead the defensive response as an arm of the National Security Council (PPD 41). The Secretary of Defense, in tandem with the directors of our Intelligence agencies would be responsible for managing incoming threats, and coordinating any strategy or movement that would require active military response. In the event that the telecommunications systems of the National Security and Emergency Preparedness sector fail, the National Coordinating Center for Communications would be tasked with re-establishing communications. Furthermore, PPD 41 stipulates that if an operation with clear attribution is found to have occured, the Cyber Response Group shall assemble a team of qualified and skilled cyber personnel to respond to the cyber incident. This response team shall have experience together in the form of practice sessions and war games.

U.S. Strategic Responses

After addressing the immediate effects of a Russian cyber attack, it’s imperative the United States consider its options of strategic and tactical responses. One option for the United States is response through non-military means such as indictment, diplomacy, or sanctions (Bate). A lower-level military and intelligence strategy that could possibly be employed by the United States is the use of counter-surveillance intelligence operations,  non-attributable cyber or conventional attacks, or attributable cyber or conventional attacks (Herb). These operations would target Russian military, civilian, or critical infrastructure systems.

Since NATO classifies cyberspace as the fifth operational domain, it is likely that if the United States identified a significant cyber incident against its citizens as originating from Russia, their response would come in the form of aggressive cyber tactics. The possibility of conventional military expeditions may be explored, however the risk of further escalation makes it more likely that the United States respond only through cyber operations.

Low-Level Attributable Cyber Intrusion

One possible response the United States could utilize in retaliation to Russian cyber attacks is low-level cyber intrusion, distributed across a array of cyber incidents that could not be collectively categorized as a major attack. This intrusion would appear as a result of what is called “loud cyber weapons”, which are tools that can be traced back to the U.S military (Herb). The US military would send these weapons, embedded with encrypted codes, into Russian networks. The United States would then publicly provide the encryption key to end the intrusions caused by these weapons as a way to claim responsibility for the attack. The purpose of taking credit for the attacks is a key paradigm shift in U.S military strategy, now emphasizing attribution as a key aspect of a successful operation, and public knowledge as vital for deterrence. The United States also has the option of conducting more basic cyber attacks against Russia’s network, including by not limited to: alteration of government websites, disruptions of Internet service, interferences and disablements of communications, or the spreading of propaganda (Department of Defense Law of War Manual). In the aftermath of the hack of the DNC, senior officials weighed options for counter attacks on the Russian Federal Security Service (FSB) and the Main Intelligence Agency (GRU), including the use of the NSA’s TreasureMap tool, which tracks all global connections to the Internet, and can be utilized to install malware in targeted Russian computer systems with the purpose of intelligence gathering and future cyber-assaults (Bamford).

Medium-Level Cyber Attack -No Immediate Casualties

 The United States also has to ability to employ the use of “logic bombs” in cyber operations targeting both military and non-military targets in Russia. “Logic bomb” are codes developed with the purpose of overloading a computer’s system rendering them incapable to operate by presenting them with an endless amount of logic questions to answer. Sending these “logic bombs” into computer systems critical to Russia’s infrastructure will lead to the United States causing dramatic economic and operational damages to the Russian government and its people (Sternstein). The United States has invested a large sum of money into the development of these “logic bombs”, with initial investment coming back in 2014 when U.S. Cyber Command offered a $460 million contract to develop a “computer code capable of killing adversaries.”(Storm).

High-Level Cyber Attack – Possible Casualties

The United States could use logic bombs or other cyber intrusion methods to attack Russian critical infrastructure in a more serious fashion, leading to a larger potential for loss of human life or safety. These attacks include targeting systems such as those of a dam above a populated level where a  hacking could lead to floodgates being opened onto Russian citizens, or disabling air traffic control services leading to air safety where planes pose a threat to each other and the land beneath them. These options, particularly if they are easily traceable, have the potential to escalate quickly into further intensified conflict.

Military-Level Cyber Attack – Escalatory

The United States also has the ability to use similar cyber operations to directly attack Russian military targets, with possible targets including the shut off of power at a nuclear facility or an airfield, which will lead to the cause of serious casualties. These attacks will most definitely lead to a triggering of a notable escalatory threshold of response by the Russians. It is significant that many Russian industrial networks run computer systems operating Windows XP, and in some cases even older systems, while maintaining connections to the Internet. Not only are these dated systems particularly vulnerable to attack, as evidenced by the United States already demonstrating its ability to break into these systems. In November 2016, the United States reportedly penetrated Russian military systems, leaving behind malware to be activated in retaliation in the case of Russian interference of U.S. elections (Dilanian et. al). This demonstrated both confidence in the success of the malware implant, and political willingness to trigger a consequential conflict given Russia attacks the United States in a serious manner (Bernish).

Strategic Considerations for U.S. Decisions

In response to a Russian cyber attack, the United State’s strategic responses should be a result of its classification of the attack as being non-significant, significant, or an act of war. State Department Cyber Coordinator Chris Painter said the United States would respond to incidents on a case-by-case basis in testimony before the House Subcommittee on Information Technology and National Security in November 2016, saying that retaliation “could be through cyber means. It could be through diplomacy. It could be through indictments and law enforcement actions.”(Pellerin).

Some of these responses require action while others do not; the path taken must be dependent on actual and anticipated effects of a cyber attack, including damage, injury, and death. Painter testified that, “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the U.N. Charter”(Hearing on “Digital Acts of War: Evolving the Cybersecurity Conversation”). The United States could also identify a cyberattack as being an infringement upon its territorial integrity and political independence, per Article 2(4) of the Charter. However, recent political happenings indicate that the United States would be hesitant in invoking Article 51, regardless of whether a Russian cyber attack lead to nominal death, injury, or damage. Instead, the United States could limit its declarations and address the attack as a “significant cyber incident,” invoking the full support of the U.S. military while avoiding over-escalation. Furthermore, even though NATO justifies military response in the realm of cyberspace, the lack of precedent means that the United States actually has more options in responding to Russia if it were to employ use of cyber means, that may or may not lead to conventional consequences. The United States would need to decide between conducting a covert or overt counter-cyber attack. The tactical considerations noted above show that hidden, non-attributable cyber attacks do not fall within the Department of Defense’s deterrence strategy, and would not be treated as a suitable strategy. In the aftermath of the 2014 Sony Pictures hacking by the North Korean government, the United States didn’t respond with a public cyber operation, and it was “unclear how the United States may have retaliated against the North in secret, if it even did so.”(Sanger). The lack of a publicly noticed retaliation as well mild economic sanctions now seems ineffective as punishment. A situation could come up that would give the United States the opportunity to execute an immediately observable cyber attack or a preparatory attack (logic bomb), with the target being either a Russian military or civilian infrastructure. Similar to Russia, the United States should also avoid directly targeting a military structure in order to avoid escalation to full-scale war. As a result of this, the United States should choose to deploy a cyber weapon against critical Russian infrastructure, leading to conventional consequences being faced by Russia. Even the use a medium-level choice in terms of retaliation, would require global ramifications to be taken into account.

Even still, it is my recommendation to engage in a retaliatory strategy, which employs the use of both a combination of an observable cyber attack through use of “loud cyber weapons” and “logic bombs” against significant parts of the Russian infrastructure. The United States cannot allow Russia to attack them and take global credit for the attack without retaliating in some way to show dominance over Russia. “Loud cyber weapons” are particularly suitable for retaliation that the public is aware of and will show the world that the United States is not only willing to retaliate, but is better skilled in cyber war and confident enough in its abilities to retaliate swiftly. “Logic bombs” targeted against non-military sites that still hold significant value to Russian infrastructure will be the second leg of the suggested attack. The crippling of essential infrastructure will both warn the Russians that an attack on us will be met with an attack that hurts their citizens and keep them from being able to retaliate back since they will not have the resources to come back at the United States.

Works Cited

Batashvili, David. “Russia’s Cyber War: Past, Present, and Future.” EUobserver, 15 Feb. 2017, euobserver.com/opinion/136909.

Delker, Janosch. “Germany Fears Russia Stole Information to Disrupt Election.” POLITICO, POLITICO, 28 Jan. 2018, www.politico.eu/article/hacked-information-bomb-under-germanys-election/.

The Military Doctrine of the Russian Federation, approved by Russian Federation presidential
edict on February 5, 2010 (translated). Accessed at http://carnegieendowment.org/files/
2010russia_military_doctrine.pdf.

Understanding Russian “Hybrid Warfare” and What Can Be Done About It (2017) (testimony of Christopher S. Chivvis). Print.

US Cyber Consequences Unit. (2009) ‘Overview by the US-CCU of the cyber campaign against Georgia in August of 2008’

Valery Gerasimov, “The Value of Science is in the Foresight: New Challenges Demand  Rethinking the Forms and Methods of Carrying out Combat Operations,” Voyenno-Promyshlennyy Kurier, February 26, 2013.