19 February 2021

Russian Cyber Strategy

by Marius Kristiansen & Njaal Hoem

Cyber warfare is often described as an integral part of future wars. But cyber has proven to have a profound impact on our operational reality today. Some states have adapted to this reality already, while others struggle. As this article shows, Russia has implemented cyber as an integral part of its strategic framework, and demonstrated its effectiveness in the attainment of political objectives on several occasions. We argue that Russia has risen from the technological backwaters of the 90’s to become a great cyber-power – challenging state and military capabilities the West has taken for granted. The West, it seems, is on the defensive.

The authors suggest NATO needs to reassert itself in the cyber domain. Technological maturity is no panacea if we are unable to utilize it to create a convincing and functional means-ends chain between cyber and political goals. Russia is still technologically inferior to the West but has hacked the code of translating capabilities to effects. A key argument in this article is that the West must re-focus its attention from technology as a deterministic power, to its utilization for strategic ends. Technology does not win wars – people win wars. And technology is no replacement for strategy and military thought. To this end, Russia has a few lessons to offer.

Introduction – Cyber Warfare and its relevance

When addressing cyber warfare, one often ends up walking a fine line between the current operational environment and technological trends characterizing the narrative of future war.[1] Cyber exists in both. Amid the digital age, we can comfortably state that cyber is as much a “trend” as electricity. The internet is old news, but the exploration and exploitation of associated effects, like Internet of Things (IoT)[2] or artificial intelligence (AI)[3], has merely started. And there is no clear-cut line between future war and the current operational environment. As the 1955 documentary told us: “The Future is now”.[4]

The operational environment and character of warfare will always reflect the most pervasive trends.[5] Technological developments, like cyber, may not change the nature of war.[6] But, just as “simple” inventions like the machine-gun transformed the battlefields of the past, cyber has a profound impact on our current and future operational reality. Of course, technology is not deterministic.[7] Technology does not win wars – people win wars. And technology is no replacement for strategy and military thought. Our potential adversaries, like Russia, acknowledge this.[8]

Thus, we are approaching the problem of our current operational reality. Technological maturity has become the defining characteristic of western military power. Network Centric Warfare (NCW)[9] seems within grasp. In many respects, and in many confrontations, this has served the West well. Still, we have done so with an aim of augmenting existing capabilities, and “interconnection between decision-makers, sensors, and effectors” has been the main effort.[10] Not very novel.

The West has moved fast. Creating new possibilities on the fringes of a system most of us hardly understand. In the process we have become dependent on services of a human-made “organic” system.[11] Others are on our trail and are meticulously looking for possibilities to use the domain to disrupt “the existing westernized world order”.[12] They are applying sound strategic analysis to a domain that is deceptively familiar, but in its complexity still new.

Where the West is attempting to apply outdated cognitive models to create order from chaos, others seek to exploit the chaos to create new strategies. Where the West discusses legislation[13] and what “should be”, they are discussing what “is” and “can be”. The French Service Regulations of 1913 (influenced by the so-called “cult of the offensive”) might have been worded differently,[14] had they not seen new technology through the lens of old dogmas.

China has gone the (cognitive) mile and seems poised to truly exploit the cyber domain.[15] Russia has shown a will and ability to implement cyber warfare as part of their national strategy. And Russia's actions in Ukraine have demonstrated the ability to conduct the Multi-Domain Battle the West is so eager to achieve.[16] Operations we consider reliant on “interdependent networks that also serve as the base for the cyberspace domain”.[17] Ukraine may offer a glimpse of where warfare may be headed.[18]

The purpose of this article is not to analyze Russian actions, nor to fully explore the possibilities offered by cyber and technological development. Rather it offers a snapshot of how one grand power approaches the cyber domain – as a reference for reflection when debating where we should go. Russia and others are taking the lead in shaping our common operating environment. We are becoming reactive. As evidenced by this very article, rather than defining how we will dominate the new domain, we are debating how others have approached it – and how to counter it. We must move past this and shape our own strategies for future war.

Historic context – Technology and competition between the Soviet Union/Russia and NATO

«Iron cannot fight» - Russian proverb[19]

Cyber offers unique possibilities. Most are hitherto unknown. But implementation and exploitation of technology is no novelty, and far from deterministic. Although we are currently discussing near-peer adversaries, the “peerage” does not equate to equal organization, technology, doctrine, or strategy.[20] As the Russians are well aware, there is no “one-size-fits-all” solution.[21] There are several paths to creating comparative advantages, and where the West has often focused “on issues of technology and system integration” – the Russian mentality has been different.[22]

Russian economic moderation has translated into an emphasis on the degree of utilization for technology implemented. Although Russian military theory is not unequivocal on the question of technology and modernization, the so-called “modernists” now seem to dominate.[23] This involves a willingness to “trade manpower for technology” and responding “asymmetrically to the Western technology challenge”.[24] This would entail being smart, where the resources and economy of the West allow “brute forcing” technological advantage. Russia has focused on “niche capabilities” where they have found a strategically sound logic and where we have been neglectful.[25]

Since the fall of the Soviet Union (USSR) in 1991, Russia has tried to regain its position as a global superpower.[26] At the same time, the only true superpower demonstrated how technology played a big part in the US (and NATO) military dominance in the early 1990’s,[27] and into the new millennium.[28] And we are still going strong. As of only a few years ago it was widely accepted that “the technology gap between Russia and Western producers, especially in advanced systems, continues to grow”.[29]

As an example of the difference in the pace of technological development and utilization, look at drones. As early as the 1990’s DARPA developed the Global Hawk and the Predator – primarily for ISR and to support accurate targeting information with real-time feed.[30] And at the turn of the millennium, armed drones would soon become prioritized and a favored tool of warfighting. This is not mentioning the plethora of tactical UAVs made available for ground troops. The “rest” were scrambling “to match U.S. drone capabilities”.[31]

In Georgia 2008 we saw a Russia lacking in “information technology, unmanned aerial vehicles and precision-guided munitions”.[32] This motivated focus on Russian C4ISR-capabilities,[33] and Russia’s “extensive use of UAVs in Ukraine and Syria provides a case study of how a problem identified in the 2008 Georgia campaign was resolved”.[34] On their way, they had to go outside to acquire technology and inspiration, but once a concept was identified they moved from a couple of systems to over 2000 sets in a matter of a few years, and have demonstrated its successful application extensively in Syria[35] and Ukraine. Although Russia might still lack an armed drone equivalent to the Predator,[36] in general some argue “the capabilities introduced outstrip their Western equivalents”.[37]

This is a prime example of how Russia has analyzed the operational environment, and (re-)focused on capabilities that offer competitive advantage – not only through technology but its employment. Russia has not been able to keep up with the West’s development of technology, but still has “greatly improved its high-technology capabilities” in prioritized areas.[38] The West has been the early adopters, with a “cult of technology” dominating choices. This might prove wise, but risks challenging the balance between short-term and long-term effects through “lock-in” in the early stages of development.[39] Hedging bets, committing when effects are demonstrable for the ends one wishes to achieve is the blueprint for success.

Russia has been, and still is, forced to think more thoroughly when it comes to what links exist between technology, military operations, strategy, and political outcomes.[40] Russia has taken a different path to technological development – focusing more on strategy and military thought than the technology itself; excelling in their ability “to foresee the broad impact of technology on the battlespace”.[41] The need to modernize is obvious, but due to monetary restraints[42] how, why and to what end seems more carefully deliberated. And it is perhaps within the cyber domain this has become most evident. “Everyone” is connected; able to communicate close to anywhere and at any time, using a vast array of options. The communications environment has changed,[43] and Russia is poised to capitalize on it.

Russian Grand Strategy – Mother Russia actually has one!

To rebuild its reputation after the Cold War, Russia started creating and implementing a new Grand Strategy – in a classical sense.[44] A grand strategy can be seen as “a political-military, means-ends chain, a state’s theory about how it can best ‘cause’ security for itself. […] A grand strategy must identify likely threats to the state’s security, and it must devise political, economic, military, and other remedies for those threats”.[45] Unlike others, Russia can subordinate all “remedies” to the “same political goal”.[46]

Under Putin, Russia has formed “a vision of Russia’s role in the world” with a grand strategy that will “restore Russia’s status as a major player on the world stage”.[47] Russia’s grand strategy “is aimed at promoting multipolarity” and Russia applies the necessary means to its ends.[48] Through this Russian elites “have a vision, and a story they tell themselves about the ‘why’ in Russian foreign policy”.[49] The most obvious threat to this vision is the perpetual opponents of US and NATO, and their competition for influence over regional actors.[50] Taking on NATO directly is a bridge too far, even for Putin. A core task of Russia’s grand strategy is therefore to dislodge NATO, by undermining or defeating NATO’s own strategy of deterrence.[51]

To this end, Russia has gone far in re-organizing core elements of the state, but also put a new emphasis on its military forces. From 2008 and until today, there have been massive changes in the Russian armed forces, from a higher level of technological sophistication to more professional soldiers.[52] In parallel, Russia has developed new concepts and introduced both conventional and unconventional means to influence security dynamics domestically, regionally, and globally.

As part of the political-military means-ends chain there is an integrated cyber warfare element.[53] In Russian strategic thinking the belief is that this is a core element in the initial phases of a conflict, to undermine their defined security threat’s strengths.[54] Russia sees information superiority as pivotal, as this can be used to subvert military or political will, ability or resolve to fight.[55]

The cyber warfare element is intended to be used as part of a multi-domain effort, in concert with other elements of influence, and used to shape the political course of a dispute.[56] Russian cyber warfare is “an organic element of a long-standing approach to political warfare and information operations (IO)”,[57] to be “employed as part of a whole of government effort”,[58] or even together with kinetic military operations.[59] Combining these efforts allows Russia to achieve "information superiority"[60] at all levels – and thereby continuously shape the operational environment in “all stages of conflict”.[61]

The Russo-Georgian War of 2008 and the ongoing conflict in Ukraine illustrate Russia’s geopolitical interests and its intentions, as part of its grand strategy. They were fought differently, but the logic remains the same. What we are now seeing the outlines of is a Russia that is purposefully pursuing key technological developments it believes cater to its strategic objectives. Not to how they have traditionally fought, or how we fight, but allowing technology to find its natural place in achieving their own objectives and negating ours. And we should be careful not to think that Russia thinks “like us”. This may prove dangerous.[62]

In a way, what are our strengths – advanced technology and connectivity – might emerge as our Achilles heel. Russia is not trying to mirror us (they neither can, nor will), but to exploit the same technological advancement differently (and more coherently) to negate the effects we are trying to achieve. Nowhere is this more evident than in the cyber domain, where they have made a grand entry into a territory many believed to be our own.

Russia is conducting continuous preparations of the “cyber environment for future contingencies”,[63] and has already proven capable of thinking differently, being patient, and successfully leveraging cyber actions for political gains. Cyber has become an ever-changing battlespace.[64] We will not have the luxury of seeing Russia’s cyber capabilities paraded over the Red Square, but that is less important. We must decide what place cyber should have in our grand strategy – and to that end, it might be valuable to glimpse at someone who has made a choice.

An example: Russian Cyber warfare in Ukraine

For Russia, cyber is seen as a “legitimate tool of the state in peacetime as well as wartime”, to ensure dominance of the information landscape.[65] Especially since there is no “hard-and-fast distinction between peace and war”, rather a perpetual state of conflict that legitimates continuous operations “by deploying all the instruments of state power globally to enhance its security and interests”.[66] The ideal is to achieve strategic results without committing to physical battle.[67]

Our increased use of and dependence on the internet and social media create an opportunity for “mass manipulation across the information spectrum”,[68] and cater to any opponent’s cyber ambitions. The modern level of connectedness allows a potential opponent unprecedented access to all levels and sectors of a government and society. The ability to utilize this access in concert with other means (when needed) to reach strategic objectives is what should separate our digital-age “peers” and “near-peers” from the rest. Russia has demonstrated and refined this ability over time.

Although they probably started earlier, Estonia (2007) is often cited as the first example of Russia’s exploitation of cyber on a large scale. Their actions were rather brute, but effective and (should have) served as a “wake-up call for NATO”.[69] And, to some extent it did, with the establishment of The NATO Cooperative Cyber Defence Centre of Excellence. Although interdisciplinary and including “strategy” as a task, the focus of the center is “to support member nations and NATO […] in the field of cyber defence”.[70] This does not chime with grand strategy.

Meanwhile, in Georgia (2008), Russian mastery of information operations and cyber had improved – employing more sophisticated control over information through e.g., extensive use of (cyber) proxies in concert with conventional assets”.[71] Although “the overall impact of the cyberattacks was minimal”, it was also “the first known instance of wide-scale offensive cyber operations being mounted in conjunction with conventional military operations”.[72] The combination of effectors demonstrated the ability to “organically integrate” several domains towards pre-defined objectives,[73] also indicating a well-planned and organized operation.[74] Cyber and kinetic events were synchronized throughout the duration of the conflict.[75]

In Estonia, Russia demonstrated the use of cyber-disruption or pressure to affect outcomes, communicate dismay or to take reprisal for unwanted actions.[76] In Georgia they moved further up the ladder, with so-called “cyber-enabled” military operations,[77] thereby exhibiting a closer integration between the means of the state for a political goal. Half a decade later Russia’s actions in Ukraine proved they had climbed even further up the cyber-ladder.

While one of the most notable characteristics of the conflicts in 2007 and 2008 was the overt use of cyber, in the early days of the Ukrainian conflict there was a “near absence of a perceptible cyber war”.[78] Based on the precedent of the former conflicts, many had expected to see more attacks on information infrastructure in Ukraine.[79] With the investment in cyber capability and strategy since 2007, many would have expected an early showcasing of the classical forms of cyber-attacks: attacks on critical infrastructure and attacks on defense systems.[80] This was not as evident early on.

There are, of course, many reasons for this. Firstly, Russia already controlled or could quickly physically secure critical infrastructure when the conflict erupted.[81] One could therefore argue that there was little incentive to disrupt it digitally.[82] This does not mean it could not have been done digitally. Rather, it seems physical control was better suited for the message the Kremlin wanted to send at this point in the conflict. Creating a fait accompli is perhaps (yet) more challenging in cyber than in the more tangible domains.

At a later point in the conflict, Russia obviously saw reason to showcase their strategic reach through cyber-attacks on the Ukrainian power grid. On the 23rd of December 2015, 230.000 Ukrainians lost electricity. This was the first “publicly acknowledged [cyber] incidents to result in power outages”.[83] By doing so, Russia showed three things: (1) They had the capability to reach critical infrastructure without physical access – leaving everyone wondering what more they could do. (2) They had the technical and structural capability to “perform long-term reconnaissance operations required to learn the environment and execute highly synchronized, multistage, multisite attacks”.[84] (3) Russia was willing “to expand the scope of its cyber operations into the kinetic effect realm”,[85] moving past the “supporting” cyber activity seen previously. Russia followed up the power grid attack with attacks against targets like airport control systems and the financial sector, through access gained as early as 2014. The most damaging attacks in 2017 “disabled 10% of computers in Ukraine and inflicted financial costs amounting to 0,5% of Ukraine’s GDP”.[86] Russian attacks were extremely costly for Ukraine.

Through actions like the power grid attacks Russia demonstrated a capability to do harm – “emplaced to deter adversaries from acting against Russian interests” – but in a way and to an extent that demonstrates their finely tuned ability to balance “deterrence and compellence by cyber means”.[87] Russia combined these cyber-maneuvers with targeted actions against “Ukrainian officials and other high-level targets” that allowed Russia to “identify Ukrainian military strategies” in advance.[88] And as these actions were taking place towards pre-defined targets, Russia worked relentlessly on constructing and disseminating their own narrative through social media and all other available information channels. The sum of these actions shows how Russia was able to shape and exploit the information landscape, putting pressure on the opponent when needed – while maintaining a coherent narrative.

The Russian narrative of protecting “ethnic Russians”, and the freedom of choice for the Ukrainian separatists[89] might be one of the main reasons more extensive attacks on Ukrainian defense systems did not occur. A more blatant attack on Ukrainian armed forces could perhaps signal a message that would deviate from the chosen narrative. Second, with the limited strategic aim of the Ukrainian intervention, there was no need to go to this extent of attacks to fulfill its objectives. The limited military operations necessary initially were targeted actions by Russian Special Operations Forces (RUSOF) taking control of key nodes in Crimea.[90]

However, on the tactical level – somewhere between cyber and electronic warfare – Russia has been highly active in Ukraine. Their use of cyber and EW capabilities to disrupt adversaries’ use of high-tech capabilities like drones constitutes “one of the most direct and immediate ways of implementing cyber power to achieve an immediate real-world effect”.[91] Beyond jamming drones and spoofing GPS signals, Russia has also used “SMS messages to text Ukrainian frontline troops to demoralize their frontline forces – which even includes references to their wives and children”.[92] By doing so, Russia is showing information dominance to an extent where the individual soldier feels personally targeted. Russia is thus able (to some extent) to target both individuals and the system digitally in a coherent manner – synchronized with military and political action.[93]

Still, in the bigger picture, the “pure” cyber operations conducted by Russia in Ukraine have been of a supportive nature. It seems like the cyber operations mainly have supported the Russian information operation. Through cyber espionage;[94] hacking of Ukrainian politicians' telephones;[95] trolling;[96] Denial of Service (DoS) towards Ukrainian telecommunications infrastructure;[97] Distributed Denial of Service (DDoS) attacks towards TV-stations;[98] breaches and insertion of malware in the Ukrainian election systems;[99] social media based narrative focused attacks;[100] and DDoS attacks in Kyiv, Poland, the European Parliament, and the European Commission,[101] Russia implemented its cyber strategy to support the information operation. And the nature of the attacks was “more aligned with a broader IO campaign plan than the reactive, crowd-sourced approaches employed by hacking groups”.[102]

When looking at how Russia implemented its cyber strategy in Ukraine, it is important to remember what Russia wanted to achieve by doing so: "Information Superiority in Cyberspace,"[103] in support of Russia's overarching goal to defeat NATO's strategy.[104] In sum, Russia was able to utilize a broad spectrum of techniques to “create a general air of confusion and uncertainty regarding the Ukrainian government’s ability to secure its information systems, as well as the integrity of any information being communicated” and “thereby undermining the legitimacy and authority of Ukrainian political and military institutions”.[105] As such, the Russian efforts in Ukraine are perhaps the closest we have come to integration of all available state effectors across different domains to achieve a desired political outcome.[106]

Conclusion – NATO needs to wake up!

Russia is a great cyber-power.[107] Cyber warfare has become an integral part of their grand strategy, and they have showcased its effects. Cyber is likely to “play a greater role in Russia's future strategic deterrence framework”,[108] and to be employed at all levels of the conflict-scale – from peace to war.[109] Russia is investing in cyber, and Ukraine has been a live testing ground from which they will come out even stronger.[110] Russia is likely already positioning themselves digitally in the West to adopt a “hold-at-risk approach” against potential adversaries and threats to their ambitions.[111]

Russia has “won every war in which it has participated since 2000”,[112] and has shown a willingness to influence potential adversaries’ internal political processes even in peace – despite public scrutiny.[113] Cyber has been the enabler and will continue to be so for the foreseeable future; be it strategic subversion or part of conventional military operations.[114] The fog of war has become intertwined with a digital haze,[115] and Russia understands, appreciates and masters this changing context and character of war. If the confrontation with the West escalates, it is possible that “the Russian government would not have any qualms about conducting destructive cyberattacks against the West”.[116]

How should we respond? Firstly, we must accept that the West will operate freely neither in our current nor in our future operational environment. We must re-establish skills for warfighting in “contested domains”.[117] We must train and exercise for a different reality – exposing ourselves in a controlled fashion against IW and cyber warfare,[118] and see these domains as integral parts of the operational environment.[119] We have already been engaged by Russian information warfare, and we should do our best to understand and learn from it.[120]

Secondly, we should take note of conflict scale perception. We are in a continuous state of cyber warfare. Cyber does not become important when the “real war” erupts. The “real war” may already be lost. Technological development and advancement that are not cyber defensible are not the future.[121] Building tactics and procedures based on drones that will not survive the first cyber-encounter is a waste of tax-payer money. Good ideas that risk leaving a chink in the armor are not worth it. And all our service-members, politicians and decisionmakers connected to the Internet should take caution not to become that chink in the armor through our digital behavior.[122] No one else will do it for us. Failing to take appropriate actions now (and follow through) will significantly impair our room for maneuver when we need it the most. Living and operating in the digital age offers opportunities, but also obligations.

Thirdly, we should move beyond merely defending ourselves. Russia has shown (part of) its hand, and this has brought cyber to the agenda.[123] We must take active measures, not merely respond. We need to seize the initiative. Russia’s current advantages “can only be countered by a more strategic shift in policy”.[124] And, it is not merely a question of Russia. The rest are not sitting quietly on their hands waiting. The sum of these actors cannot simply be “overwhelmed” by resources committed to technology. And when facing opponents like China, “who produces 90 percent of the world’s printed circuit boards”, we might be up against an unprecedented enemy access to even our integrated weapon systems.[125] Coping with this reality requires qualitative thinking.

Russia has found a place in its political-military, means-ends chain for cyber warfare. With a conflict-scale of continuous greys, Russia is unceasingly waging information warfare. Their tools are not different from ours, but their combinations and usage “strongly diverge from Western thinking and practice”.[126] Russia is still technologically inferior to the West but has hacked the code of translating capabilities to effects. “Russia’s strategy and operations in the information and cyber warfare domain continue to confound Western governments and audiences who have yet to devise a compelling strategy with which to meet Russia’s exertions”.[127]

We need to bridge the gap between strategy and geopolitics and cyber.[128] We need to define the role of cyber in our own political-military, means-ends chain. Russia has already “devised a way to integrate cyber warfare into a grand strategy capable of achieving political objectives”.[129] We must move beyond the fascination for technology and/or how this can augment what we already do. It seems we cannot see the wood for the trees. Like the Russians, we must identify “the links between technology, military operations, strategy, and ultimately political outcomes
