Russian Cyber Capabilities and Doctrine
Tensions between Russia and the West have been rising in recent years. Countless provocations have caused the liberal Western world to reevaluate the security risk posed by contemporary Russia. The Russian invasion of Georgia in 2008, the ongoing conflict in Ukraine and interference in the 2016 United States presidential election are all examples of increased Russian aggression that has rekindled an adversarial mindset akin to the Cold War. Great power rivalry has come back to the forefront of the American security agenda. The dangers posed by a more aggressive Russia have become an increasing concern to many politicians, scholars and even to the public.
Russia has increasingly been testing the limits of the international community to see where, or if, a red line will be drawn, and it has done so in many ways thanks to the increased utilization of its cyber forces. Russia has been testing its cyber capabilities and integrating them into a broader overarching information operations strategy. Given recent transgressions perpetrated by Russia, such as the widespread use of false information and “fake news” distributed throughout the US presidential election of 2016, it is only fitting to note that the English word disinformation is borrowed from the Russian word dezinformatsiya (Дезинформация). The term was reportedly coined by Joseph Stalin and includes all actions aimed at the deliberate distribution of false information intended to mislead public opinion.
Cyber operations undertaken by contemporary Russia are an extension of the large-scale information operations undertaken by the Soviet Union throughout the 20th century. These ‘active measures’ are forms of political warfare that go beyond conventional espionage, but still rely on non-military tools to actively try to effect change in a targeted community. The purpose of this paper is to explore the role of cyber operations in the contemporary Russian way of war, and to what extent those operations have been effective. This paper will provide a brief overview of cyberspace and cyber operations, followed by an analysis of cyber activities by the Russian Federation and where cyber is placed in operational doctrine. Following that will be an analysis of the evolution of Russian cyber strategy by looking at case studies in Estonia, the Russo-Georgian war, and finally the crisis in Ukraine.
Looking at all the case studies, it is apparent that the Russian Federation is actively updating and upgrading its cyber capabilities and becoming increasingly effective at integrating them into a broader coherent strategy, including military operations. The evolution of attacks can be seen from low-level crowdsourcing of patriot hackers to cause disruption in Estonia, to the coordination of cyber-attacks with kinetic military operations in Georgia, all the way to technologically sophisticated attacks that target critical infrastructure, such as a power station in Ukraine. The world is becoming increasingly networked and cybersecurity needs to be taken seriously on the battlefield of the future, not just for physical, kinetic operations but also in the information environment.
The Russian Federation believes it is under constant attack from Western media and propaganda and has retaliated with a large disinformation campaign of its own.

Overview of Cyber Operations

Cyberspace defined
Before Russian cyber capabilities are analyzed, a cursory look into the basic characteristics of the cyber realm is warranted. There are many competing definitions that try to capture the complexity of cyberspace; for the purpose of this paper Daniel Kuehl’s definition will be used: “[Cyberspace is] a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies.” Beyond that definition, there are certain characteristics that further describe attributes of the cyber realm.
Cyberspace requires man-made objects to function; it is not itself a physical place, but it requires physical objects to operate. The internet is a vast network of fiber optic cables, routers, servers, computers and hubs that permits the nearly instantaneous transmission of information across the world. There is a low cost of entry into cyberspace; recent technological innovations have made access extremely cost effective, which in turn has led to an increase in the actors that now participate in cyberspace. Cyber assets can also be constantly replicated: shutting down a website or server does not cause permanent damage, and it can be replaced with little effort. Furthermore, once computer code is developed, it can be easily copied and distributed. Offensive and defensive cyber activities are not created equal.
In the cybersecurity realm, offensive actions have the advantage, meaning it is much harder to defend against a cyber-attack than to perpetrate one. The downside to using a sophisticated offensive cyber-attack is the capability of an adversary to adapt to that type of attack. Erik Gartzke explains that offensive cyber weapons are ‘use and lose’, meaning that once they are unleashed, or threatened to be used, an adversary can adapt to that vulnerability and mitigate further damage from the same type of attack.

Types of activities in Cyberspace
Most forms of cyber activities can be placed in one of the following subcategories of computer network operations (CNO).
The first is a computer network attack (CNA), which is a deliberate cyber action that is destructive in nature with an aim to alter, disrupt, deceive, degrade or destroy an enemy computer network. The second identifiable type of activity is computer network exploitation (CNE). As opposed to a CNA, CNE is nondestructive and aimed at exfiltrating confidential information without alerting the user and without any form of destruction. Due to the covert character of CNE operations, they are commonly associated with espionage and intelligence operations. The final type of activity is computer network defense (CND), which consists of actions that defend against CNA and CNE attacks. For the purposes of this paper, a cyber-attack means either a CNA, CNE or a combination of both.
The types of CNA most commonly used in the case studies analyzed are distributed denial of service (DDoS) attacks and SQL injection. DDoS attacks attempt to block the use of a computing resource through brute force or semantic attacks. A brute force DDoS attack occurs when the computing system receives a huge amount of internet traffic which exhausts the system’s resources, thus rendering the server and system unavailable for use. A semantic DDoS attack is one that uses a flaw in the programming or system to prevent legitimate use of the system. The other CNA commonly encountered is a SQL injection attack, which manipulates a text field of a website to gain access to the back-end database, providing access to the content of the website, including credentials and other valuable information that can be exploited.
Another common tool used in CNO is the botnet, a network of hijacked computers. Botnets allow a hacker to control numerous computers at once by infecting all of them with the same malware, or malicious software, usually without the owners’ knowledge. A command and control server is then used to send instructions to the numerous individual computer ‘bots’ for various nefarious purposes. Botnets are commonly utilized to propagate spam email, but can also be used to perpetrate brute force DDoS attacks by having the ‘bot’ computers bombard a particular target with more internet traffic than it can handle, forcing it to shut down or severely degrading its capability to operate in cyberspace.
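To make concrete what “manipulates a text field” means for SQL injection, here is an added example (not from the paper) showing the defect beside its fix. The database, table, rows and the probe string are all constructed for the illustration; the lookup is done with Python’s built-in sqlite3 module. The vulnerable lookup splices the field value straight into the SQL text, so a value containing SQL syntax changes what the statement does; the hardened lookup binds the value as a parameter, so it can only ever be compared as data.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for a website's back-end store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],  # constructed sample rows
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defect: the text-field value is concatenated into the SQL statement,
    so the value is interpreted as SQL, not just as a username."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    """Fix: the value is bound as a parameter; the database engine treats it
    purely as data, whatever characters it contains."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return sorted(row[0] for row in rows)


# Constructed probe: a value that is valid SQL syntax rather than a name.
PROBE = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, probe   :", lookup_vulnerable(db, PROBE))     # every user
    print("parameterized, probe:", lookup_parameterized(db, PROBE))  # nothing
```

The only difference between the two lookups is where the value enters the statement: as part of the SQL text, or as a bound parameter. That is why parameterized queries (prepared statements) rather than input filtering are the standard mitigation for this class of CNA.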
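The distinction between one loud machine and a botnet matters to the defender, because a botnet flood can stay below any per-source threshold while still overwhelming the target in aggregate. The following added example (not from the paper) illustrates that with a small detector run over constructed web-server log lines in Common Log Format; the IP addresses, timestamps, thresholds and window size are all assumptions chosen for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format: client IP, then the bracketed timestamp, request, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (client_ip, unix_timestamp) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), ts


def detect_floods(lines, window=10, per_source_limit=50, total_limit=200):
    """Bucket requests into fixed-size time windows and flag two patterns:
    a single source exceeding per_source_limit in one window (one loud host),
    and a window whose total exceeds total_limit even though no individual
    source stands out (a distributed flood)."""
    per_source = Counter()
    per_window = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = parsed
        bucket = int(ts // window)
        per_source[(bucket, ip)] += 1
        per_window[bucket] += 1
    noisy_sources = {ip for (_, ip), n in per_source.items() if n > per_source_limit}
    flooded_windows = {b for b, n in per_window.items() if n > total_limit}
    return noisy_sources, flooded_windows


def make_line(ip, second):
    """Constructed log line; all traffic falls within 13:55:00-13:55:59 UTC."""
    return f'{ip} - - [10/Oct/2020:13:55:{second:02d} +0000] "GET / HTTP/1.1" 200 512'


# Constructed traffic (documentation address ranges, not real hosts):
# a few ordinary visitors in the first ten-second window...
SAMPLE_LOG = [make_line("203.0.113.10", 1), make_line("203.0.113.11", 3),
              make_line("203.0.113.12", 7)]
# ...one host sending 60 requests in that same window (single loud source)...
SAMPLE_LOG += [make_line("192.0.2.77", s % 10) for s in range(60)]
# ...and 80 bots sending only 3 requests each during seconds 40-49 (distributed).
SAMPLE_LOG += [make_line(f"198.51.100.{h}", 40 + (h % 10))
               for h in range(1, 81) for _ in range(3)]


def run_sample():
    """Run the detector over the constructed log and return its findings."""
    return detect_floods(SAMPLE_LOG)


if __name__ == "__main__":
    noisy, flooded = run_sample()
    print("per-source bursts :", noisy)          # {'192.0.2.77'}
    print("flooded windows   :", len(flooded))   # 1, from the 80 low-rate bots
```

The 80 bots never trip the per-source limit, so a detector that only looks at individual clients reports nothing for their window; only the aggregate count reveals the flood. In practice the window size and both limits would be tuned to the service’s normal traffic, and the aggregate signal would feed rate limiting or upstream filtering rather than a print statement.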
Attribution Problems in Cyberspace
One of the major problems with cybersecurity is the ability to attribute cyber-attacks to a specific group or state with a reasonable degree of certainty. Cyber-attacks can be disguised, and even used in cyber false flag operations, where the origin point of the attack is misattributed to a blameless party. Substantial technological advances have lowered the threshold for entry into the cyber domain, where states used to hold a monopoly. Nearly half the world’s population is in cyberspace, and that number is drastically increasing, as is the number of devices connected to the internet. With so many actors in the cyber realm, attribution of cyber-attacks becomes problematic and cannot be based solely on geographic region.
This means that an attack or exploitation that emanated from a certain state does not automatically implicate that state. There are a plethora of immoral non-state actors that exploit their access to cyberspace for various reasons. An example of this type of misattribution can be seen back in 2012, where a cyber-attack stole $76 million from JPMorgan Chase Bank. The CNA was originally attributed to the Russian government, but in 2015 a criminal network consisting of two Israelis and an American was identified as the primary culprit.

Integrating Cyber into Russian Strategy

Cyber as a warfighting Domain
Many Western states have placed cyber operations in their own operational domain, alongside others such as sea, land, air, and space.
The United States Department of Defense officially designated it as a separate domain in 2011. NATO did the same more recently, in 2016, but also articulated the possibility of invoking Article 5, the collective defense clause, if a major cyber-attack was carried out against NATO or its allied countries. Although cyber operations are placed in a separate domain, many Western nations still classify CNO as inside the information environment for conceptual purposes. Cyber is intertwined with the other domains and, while remaining distinct from them, is utilized as a tool to support operations in the other domains. Being under the information environment, CNO is situated alongside other activities such as electronic warfare, military deception, psychological operations, and operations security.
The goal of these operations is to utilize and manipulate the information environment to achieve the desired effect; collectively they are often referred to as information warfare (IW). While many Western states place cyber in its own domain, Russian policy is different. Russian generals rarely reference the term cyber, but rather use the word informatization; doing so reinforces the position of cyber operations inside the framework of the information environment. Since cyberspace is primarily used to support a broader strategic information campaign, Russia utilizes CNO mainly as an instrument of IW, and thus cyber is not situated in its own warfighting domain but firmly rooted inside the information domain. The information environment is increasingly becoming a higher priority in many conflicts.
The Russian Federation directly cited this in its 2010 Military Doctrine, where it outlined the legitimate use of information operations in war, as well as in times of peace, as a method to achieve political goals without the use of force. At the same time, a secondary objective is to help shape a narrative for the international community that is favorable to the use of military force. Making the distinction that CNO can be used in peacetime highlights Russia’s view of cyber activities: they do not cross the threshold of armed conflict and are not solely limited to military objectives. CNO and IW operations are the primary tools that Russia uses to try to increase its power and become more dominant in international politics. Placing cyber subordinate to information operations highlights the role in which it is utilized.
IW is not intended to generate physical damage but to attack the information domain. It can do this by creating confusion for the enemy, thereby increasing the fog of war. When this is accomplished, the other warfighting domains can capitalize and generate their own kinetic effects.

Russian Cyber Capabilities
For many years within Russia, the cyber realm was delegated to state agencies such as the Federal Security Service (FSB), the Ministry of Internal Affairs (MVD) and the Foreign Intelligence Service (SVR). One of the other major players in Russian cyber operations is the GRU (Russia’s military intelligence agency). They have been of increasing concern to the West.
Several GRU officers, including Igor Korobov, the chief of the GRU, have been implicated in interference in the 2016 presidential election in the United States. The Russian military had a limited capability until recent challenges in combat operations, mainly in Georgia, highlighted the need to revamp information operations inside the military. In 2013, the Russian government announced the creation of a cyber unit within the military with a mandate of offensive and defensive cyber operations. The need for more cyber units in the military has not directly translated into results, however, as issues of retention have arisen in the military.
Potential cyber-warriors have much better job prospects outside of the military, and Russian conscripts only serve a very limited time in the military. Outside of government-staffed agencies, Russia has been increasingly reliant on private hacker groups to perform cyber operations. Russian and Eastern European hackers are viewed as some of the best in the world, and the Russian government has been capitalizing on the current economic conditions that create a vast pool of talented, skilled and unemployed computer experts. There are several reasons that Russia, as well as other states, has gravitated toward the use of these groups, the first being deniability.
These groups often work without direct links to the government, which makes definitive attribution even more difficult. Cost-effectiveness is also a contributing factor to their use, because most of these groups already own the equipment and have acquired the necessary skills to complete certain operations in cyberspace. These groups can also be hired quickly and disbanded as soon as the operation is over. Another cost-effective solution is the utilization of political hacktivists, most of whom work for free. Examples are the cyber-attacks that took place in Estonia, Georgia and Ukraine, where Russian president Putin attributed the cyber-attacks to “patriotically minded Ukrainians and Russians who want the Crimea to be part of Russia.”