Achieving a cyber agreement and the application of international law to cyber conflict have remained problematic
Introduction
As Prussian general and military theorist Carl von Clausewitz advocated, warfare evolves in every age. The 21st century has brought with it an era of enormous complexity, which grows further with globalisation, transnational extremism, the ongoing proliferation of advanced technologies, and resurgent global powers. These modern-day complexities have made clear that seldom is only one element of warfare enough—rather, the ability to combine elements into a multifaceted whole has become the norm.1 This article will focus on Russia’s use of cyber elements to complement its information operations, as seen in Estonia in 2007, Georgia in 2008 and Crimea (Ukraine) in 2014. In particular, it will make the case that Russia’s approach in cyber operations is divided into two parts: information-technical, which aligns with the Western definition of electronic and cyber warfare, centred on technical capabilities; and information-psychological, which resembles the Western concept of strategic communications and psychological operations, centred on influence operations.2 It will then argue that, over time, cyber elements have been developed and employed to achieve strategic gain and effectiveness. As seen in the case studies explored below, not only is this element increasingly effective, but using it to complement information operations allows for a more lasting and permanent status quo. This proves that the victors in cyberspace are not the states with the best technology, but those that can effectively combine different elements. It will conclude by emphasising that Russia is likely to continue to use this combined approach in future engagements, and will highlight the shift from periodic attacks to continuous ones, and from the regions around Russia to a global scope.
Background
The Russian Federation has been promoting its own information security concepts for many years, as its contribution to the development of a global information security doctrine.3 Strategy documents shed light on the Russians’ perception of threats, which highlight the main concerns behind their proposals—information threats coming from the West, primarily the United States and the North Atlantic Treaty Organization (NATO), as potentially interfering with Russia’s internal affairs and targeting the country’s vital interests.4 Russian strategists are particularly concerned with the military and technological advantage of the US and its allies.5 In line with these concerns, Russia first introduced a draft United Nations (UN) resolution on the issue of information security in 1998, a topic which has since been put on the agenda at the UN. Russia’s main worry is that “information security” is a concept under which words might be used as weapons. This supports its reasons behind securing information in human, social, spiritual, and technical (cyber) dimensions—which consider the protection of its population from terrorism and censorship to be fundamental aspects of “information security”.6
However, Western governments push back against this approach, recognising that there is undemocratic thinking behind Russia’s “information security” proposal and claiming that limitations could serve as a justification for extended government control over the internet, limiting free speech and internet freedoms.7 A revised Russian draft “information security” resolution in 2008 called for the establishment of a “group of governmental experts” within the UN that would study cyber threats and “cooperative measures to address them”.8 Numerous efforts have followed, particularly under the Organization for Security and Co-operation in Europe (OSCE), through its formulation of confidence building measures (CBMs); the NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE), through its research related to legal frameworks and norms in cyberspace, which led to the publication of the “Tallinn Manual” and “Tallinn 2.0”; and in the recently established Global Commission on the Stability of Cyberspace (GCSC), aimed at developing proposals for norms and policies to enhance international security and stability in cyberspace.
However, both a cyber accord designed around the idea of “information security” and the application of international law to cyber conflict remain ambiguous. While global experts from all sectors agree that escalating tensions coupled with the ongoing development of cyber capabilities call for a new military paradigm, ongoing cyber activities have left states misguided and confused as traditional kinetic principles do not fit this new wave of warfare.9 In essence, there remains an imperfect legal framework which governs what states can do in this domain and how they should respond to incidents. This makes Russia’s use of cyber elements to complement its information operations even more likely and more worrisome.
Case studies
The cyber domain has enabled the use of affordable, easier and quicker tactics for strategic gain in warfare. Three case studies are analysed to understand Russia’s use of cyber elements to complement its information operations. The overall Russian effort has grown to be a strategic and destabilising campaign. It has shifted from periodic attacks to continuous, and from the regions around Russia to global. In the case studies below, it is seen that the degree and effectiveness with which cyber is used increase with every incident. Aligned with the claim in 2013 of the so-called “Gerasimov Doctrine” of the erosion of the lines between war and peace, a synchronisation of elements is employed to achieve strategic effectiveness. The 2008 wave of attacks against Georgian targets share characteristics with malware employed during operations against Ukraine in 2014. These attacks, which caused temporary disruption of internet services, can be financially costly, as demonstrated by the denial of service (DoS) and distributed denial of service (DDoS) attacks against Estonia in 2007. All three cases—Estonia in 2007, Georgia in 2008 and Crimea (Ukraine) in 2014—are explored below.
A. Estonia, 2007
Estonia is a country that regained its independence and has been free to promote economic and political ties with the West since the fall of the USSR in 1991. It joined both NATO and the European Union in the spring of 2004, formally joined the Organization for Economic Co-operation and Development (OECD) in late 2010, and adopted the euro as its currency in January 2011. It is a multi-ethnic country with a 24.8 percent Russian minority residing within its borders.10 In April 2007, cyber-attacks started in parallel with rioting on the streets in response to the moving of the Soviet Second World War “Bronze Soldier” statue from the centre of the capital city, Tallinn, to its suburbs. The attacks are said to have occurred in two different phases. The first was from 27 to 29 April—assessed as being emotionally motivated since the attacks were relatively simple, with coordination mainly occurring on an ad hoc basis. The second phase lasted from 30 April to 18 May—longer and more sophisticated, as there was the use of large botnets and noticeable professional coordination.11
Attacks during the first phase primarily consisted of DoS attacks, while the second phase included online discussions about how to fund the rental of server farms and botnets for DDoS attacks. At one point, 58 online sites were shut down at once, primarily government websites (including official government communications channels) and banks.12 To make attribution more challenging, attackers used global botnets, routing their efforts through proxy servers in 178 other countries, some of which were NATO member states.13 In all, the cyber-attacks against Estonia included DoS, DDoS, defacement of websites, attacks on Domain Name System (DNS) servers, and large amounts of comment and email spam as means to encourage further attacks.14 As a result of this incident, cyber defence—which was part of NATO’s political agenda after the Prague summit of 2002—remained a key focus and was further developed.15 The attacks had both direct economic and societal effects—they woke the West up to the possibility of aggression on this scale and of influence achieved through the cyber domain. Overall, it was a short-term loss but an operational win, given that Estonian cyber capabilities now surpass those of many other nations and NATO’s CCD CoE was later established in Tallinn.16 Although this incident is not directly attributed to the Russian Federation, a central component in its foreign policy—centred on the theme of national greatness and past glory—stimulates Russian minorities and sympathisers to act aggressively against any attempt to taint Russia’s history or image.
B. Georgia, 2008
Tensions in South Ossetia have persisted since it became de facto independent from Georgia during the 1991 Georgian-Ossetian conflict. In August 2008, however, tensions escalated when Georgian forces launched a surprise attack against Russian-supported separatist forces.17 This initiated a Russian military operational response and subsequent invasion into Georgian territory, under the national obligation to “protect Russian citizens abroad”.18 Before the Russian invasion of Georgia began, cyber-attacks were already being launched against a large number of Georgian government websites, and these continued after military operations were ended by a ceasefire agreement on 12 August 2008.19 The cyber-attacks primarily consisted of defacement of public websites; the launch of DDoS attacks against numerous public and private (financial and media) targets—methods similar to those used the year before against Estonia; distribution of malicious software; and the use of e-mail addresses for spamming and targeted attacks.20 This is one of the first known incidents of a cyber element being used during a conventional armed conflict.21 It also impeded the ability of the Georgian government to communicate with its public and beyond, by making it difficult for information to reach the outside world.
Russian planners understood the need for joint cyber-military operations when preparing for the invasion. Although it is not certain whether the two elements of operations were carried out by the Russian military or where the origin of the DDoS or defacement attacks was, it is clear that its effectiveness not only comprised the use of hackers but also needed military kinetic capabilities. What followed this incident was the continued evolution of Russia’s information operations and its engrained familiarity with its use, present in mainstream Russian military thought.22 According to a report by the US Cyber Consequences Unit, “the primary objective of the cyber campaign was to support the Russian invasion of Georgia, and the cyber-attacks fit neatly into the invasion plan”.23 After what could be perceived by parts of the Russian armed forces as a failed “information war” in Georgia, Russia called for the creation of “Information Troops”. This was endorsed at the highest political level with the signing of a decree by Russian President Vladimir Putin in February 2017, creating information warfare troops.24 For Russia, the five-day conflict represented a “total defeat in the information space,” according to Pavel Zolotarev, a retired major-general in the Russian Army who is now a professor at the Academy of Military Sciences.25 Although Russia prevailed militarily, its narrative was overshadowed by the Georgian one. These comments serve as an indication of the value of perfecting these capabilities for future use.
C. Ukraine (Crimea), 2014
The 2008 wave of attacks against Georgian targets has similarities with malware in operations against Crimea in 2014. However, this effective yet concerning event was ultimately an evolutionary process in Russian information warfare theory and practice, exemplifying well-established Soviet techniques of destabilisation and subversion through the use of information manipulation and weakened confidence in sources of knowledge.26 The conflict that took place in Crimea is a complex political situation that has tensions dating back hundreds of years, which resulted in Russia experiencing success through the achievement of information dominance.27 There was a physical handling by unidentified individuals of fibre-optic cabling, which was coupled with the launch by Russian hackers of prolonged DDoS attacks against Ukrainian and NATO media outlets. During and immediately after the annexation of Crimea, pro-Russian hackers disrupted the mobile phones of members of the Ukrainian Parliament. In October 2014, during Ukrainian elections, pro-Russian hackers again launched DDoS attacks targeting election commission websites, effectively eroding public trust in voting mechanisms and the impartiality of electoral officials. To this was added the hijacking of already existing authoritative social media accounts in order to spread disinformation.28
Russia’s annexation of Crimea was shockingly effective—and, for the most part, bloodless. This incident proved Russia’s success in achieving information dominance in its operations through not only its control over broadcast and print media, but also telecommunications and the internet—isolating Crimea from independent news from the outside world.29 Russia’s use of cyber elements to complement its information operations was not seen to this extent in either Estonia or Georgia. Its approach to information operations has evolved towards exploiting the weakened moral immunity to propaganda of Western societies and the lack of confidence in legitimate sources of knowledge. Most alarming, however, is the effective synchronisation of capabilities—information, kinetic and special operations—as has been further demonstrated in ongoing operations in eastern Ukraine. This case proves that Russian efforts are strategic and destabilising.
Analysis
As seen in these case studies, Russia divides its methods of cyber operations into two parts: information-technical and information-psychological. Given its growing use, the cyber incidents in Estonia, Georgia and Ukraine suggest that Russia is further honing its cyber capabilities in both areas, not only advancing its technological capabilities but also effectively manipulating and controlling information through the combined use of different elements of warfare—these cyber elements effectively serving as an adjunct to, rather than a substitute for, traditional methods. By 2014, the Ukraine incident saw the further use of this method for effective control and eventual success for Russian strategic objectives in Crimea. The use of virtual elements to complement its information campaigns—achieving lasting political effects—suggests that the application of cyber elements independent of conventional elements will be of tertiary importance in strategic terms. In essence, Russia’s use of cyber elements to complement its information campaigns will continue to grow in effectiveness, allowing for a more lasting and permanent status quo. This is evidence that, in cyberspace, the victors are not the states with the best technology, but those which can effectively combine different elements.
The assault on Estonia was primarily a series of DDoS attacks in response to the physical movement of a statue; in Georgia it was a clear example of a coordinated cyber-domain attack synchronised with major combat actions in the other warfare domains—a more explicit complementarity of warfare elements to achieve strategic gain; and Ukraine was the victim of an advance in Russia’s use of elements, which allowed for a more lasting and more permanent status quo. This method was seen again in Russia’s contested information operations and involvement in the 2016 US presidential elections and in the hacking of 2017 French presidential candidate Emmanuel Macron’s campaign.30 There was both an information-technical and an information-psychological blend. Recognising that manipulation in the information sphere through cyberspace is very effective, retired Russian general Zolotarev told The New Yorker that before the internet Russian propagandists had to “throw around some printed materials and manipulate the radio or television”, later adding that “all of a sudden, new means have appeared.”31 This is a clear indication that Russia is likely to continue to use cyber elements to complement, and perfect, its information campaigns in future engagements. Added to this is the relatively recent emergence of cyber as a domain for warfare, which has prevented states from firming up legal frameworks around cyber conflict in international law.
Conclusion
Typically, the Western approach to cyber threats has centred on technical responses to technical threats, in part disregarding the role information warfare through cyber operations can have in a broader sense. Although entirely sufficient for some persistent or background threats, this is not always effective for a broader-based approach, like the one adopted by Russia—particularly when there are no legal frameworks in place that could prevent Russia’s future use of these tactics.32 Keeping in mind that Russian strategic culture dictates the combination of different elements of warfare that justify pre-emptive operations, the West may be well prepared for isolated cyber challenges, but Russia’s use of cyber as an element to complement its information operations shows that it also needs to be prepared for other scenarios. As seen from the case studies explored above, Russia is using the cyber domain as an integral part of its information operations. In fact, it has shifted from periodic attacks to continuous, and from the regions around Russia to global. Later incidents are aimed at turning Western strengths into weaknesses by going after the foundation and pillars of democracies and societies. This article has set out the birth of this campaign and makes the argument that early success has encouraged the widening of efforts against Western actors. Latvian analyst Jānis Bērziņš noted in 2014 that Russian information operations “have reached a point where they can take on strategic tasks”.33 In that context, let us broaden our approach as well.
______
1 Stephen Biddle, “The Past as Prologue: Assessing Theories of Future Warfare”, Security Studies 8 No. 1 (1998): 1–74.
2 Timothy Thomas, “Russia’s Information Warfare Strategy: Can the Nation Cope in Future Conflicts?”, The Journal of Slavic Military Studies 27, No. 1 (2 January 2014): 101–30, doi:10.1080/13518046.2014.874845.
3 Jolanta Darczewska, “Russia’s Armed Forces on the Information War Front: Strategic Documents”, OSW Studies 57, June 2016: 24, Center for Eastern Studies–Ośrodek Studiów Wschodnich.
4 See Russia’s 2016 Information Security Doctrine and the document Basic principles for the Russian Federation’s state policy in the field of international information security to 2020.
5 Darczewska, op. cit., 25.
6 James B. Godwin III et al., “Russia-U.S. Bilateral on Cybersecurity Critical Terminology Foundations 2,” EastWest Institute, February 2014: 11.
7 Tom Gjelten, “Shadow Wars: Debating Cyber ‘Disarmament,’” World Affairs Journal, December 2010, http://www.worldaffairsjournal.org/article/shadow-wars-debating-cyber-disarmament.
8 United Nations Office for Disarmament Affairs, “Information Security Fact Sheet: Developments in the Field of Information and Telecommunications in the Context of International Security”, July 2015, https://unoda-web.s3-accelerate.amazonaws.com/wp-content/uploads/2015/07/Information-Security-Fact-Sheet-July2015.pdf.
9 Priyanka R. Dev, “‘Use of Force’ and ‘Armed Attack’ Thresholds in Cyber Conflict: The Looming Definitional Gaps and the Growing Need for Formal U.N. Response”, Texas International Law Journal, Vol. 50 Issue 2, (2015): 379–99, http://www.tilj.org/content/journal/50/14%20DEV%20PUB%20PROOF.pdf.
10 “The World Factbook”, Central Intelligence Agency, n.d., accessed 2 April 2016.
11 Eneken Tikk, Kadri Kaska and Liis Vihul, “International Cyber Incidents: Legal Considerations”, NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), 2010: 18.
12 Jose Nazario, “Estonian DDoS Attacks – A Summary to Date”, Arbor Networks Threat Intelligence, 17 May 2007, https://www.arbornetworks.com/blog/asert/estonian-ddos-attacks-a-summary-to-date/.
13 Tikk, Kaska and Vihul, op. cit., 19.
14 Ibid., 20.
15 Author interview with a senior official in NATO’s Emerging Security Challenges Division, 10 March 2016.
16 “Taking Stock of the Latest Dynamics of Cyber Conflict with Jason Healey”, event at The Fletcher School, Tufts University, 11 April 2016.
17 Council of Europe Parliamentary Assembly, Resolution 1633, 2008, http://assembly.coe.int/nw/xml/XRef/Xref-XML2HTML-EN.asp?fileid=17681&lang=en.
18 “Kremlin bill on using army abroad”, BBC News, 10 August 2009, http://news.bbc.co.uk/2/hi/europe/8194064.stm.
19 Tikk, Kaska and Vihul, op. cit., 68.
20 Jose Nazario, “Georgia DDoS Attacks – A Quick Summary of Observations,” Arbor Networks Threat Intelligence, 12 August 2008, https://www.arbornetworks.com/blog/asert/georgia-ddos-attacks-a-quick-summary-of-observations/.
21 Sean Watts, “Combatant Status and Computer Network Attack,” Virginia Journal of International Law 50, No. 2 (January 2010): 391.
22 Stephen Blank, “Signs of New Russian Thinking About the Military and War,” Eurasia Daily Monitor, February 2014, https://jamestown.org/program/signs-of-new-russian-thinking-about-the-military-and-war/.
23 US Cyber Consequences Unit, “Cyber Campaign Against Georgia in August 2008,” August 2009: 6.
24 Morgan Chalfant, “Russia Adds ‘Information Warfare’ Troops,” The Hill, 22 February 2017, http://thehill.com/policy/cybersecurity/320650-russia-claims-to-add-information-warfare-troops.
25 Evan Osnos, David Remnick and Joshua Yaffa, “Trump, Putin, and the New Cold War,” The New Yorker, 6 March 2017, http://www.newyorker.com/magazine/2017/03/06/trump-putin-and-the-new-cold-war.
26 Keir Giles, “The Next Phase of Russian Information Warfare”, NATO Strategic Communications Centre of Excellence, 2016: 4, http://www.stratcomcoe.org/next-phase-russian-information-warfare-keir-giles.
27 Ibid., 12.
28 Ibid., 11.
29 Shane Harris, “Hack Attack,” Foreign Policy, 3 March 2014, https://foreignpolicy.com/2014/03/03/hack-attack/, accessed 22 November 2016.
30 Benoît Morenne, “Macron Hacking Attack: What We Know and Don’t Know,” The New York Times, 6 May 2017, https://www.nytimes.com/2017/05/06/world/europe/emmanuel-macron-hacking-attack-what-we-know-and-dont-know.html.
31 Osnos, Remnick and Yaffa, op. cit.
32 Patrik Maldre (ICDS), “The Many Variants of Russian Cyber Espionage,” Atlantic Council, http://www.atlanticcouncil.org/blogs/natosource/the-many-variants-of-russian-cyber-espionage, accessed 22 November 2016.
33 Jānis Bērziņš, “Russian New Generation Warfare: Implications for Europe”, European Leadership Network, 14 October 2014, http://www.europeanleadershipnetwork.org/russian-new-generation-warfare-implications-for-europe_2006.html, accessed 22 November 2016.
This article was published in ICDS Diplomaatia magazine.