January 19, 2017

What the West Needs to Understand About Russia’s Approach to Influence Operations

Reuters/Scanpix
View shows building of Moscow State University and tower of Kremlin in Moscow

Finally, a consensus seems to have emerged that Russia meddled with the US elections, even though there is disagreement about whether Russia’s actions had any effect on the outcome of the election, namely on the legitimacy of President-elect Donald Trump.

From early spring 2016, Russia’s intelligence services intruded into the computer systems of the Democratic National Committee and other US entities in order to undermine the election process, sow doubt about the legitimacy of election results, and increase the election chances of the Kremlin’s preferred candidate. Since Russia “demonstrated a significant escalation in directness, level of activity, and scope of effort” by its cyber-enabled influence operations in the US and is likely to apply these lessons to future influence operations worldwide, including in the upcoming elections in Europe (the national campaigns in Germany, France, the Netherlands, and Italy, as well as possibly the local elections in Estonia and Finland, etc.), cyber security measures should be hardened.

Indeed, in Eastern Europe, Russia allegedly deploys hybrid warfare methods to prepare the ground for invasion, while in the West it engages in a covert political war to divide, demoralize, and distract. Moreover, Moscow attempts to establish “a kind of moral equivalence” in Western Europe, both by corroding democratic norms and institutions as well as by tarnishing the reputation of politicians. It is in the Kremlin’s interest to portray Western politics and politicians as corrupt and dishonest. Recent case studies demonstrate how Russia has falsified information to reinforce the image of Sweden as corrupt, to weaken its population’s support for cooperation with NATO and for Ukrainian EU integration, and to justify its use of both military and non-military tools as legitimate and necessary acts of self-defence.

Russia’s aims in the West have been summarised as follows:
· encourage divisions between and within EU and NATO countries,
· distract these countries from the Kremlin’s activities in its self-declared “sphere of influence”,
· shock them with the threat of military force (as conveyed by e.g. military and snap exercises, aggressive rhetoric, deployments of military troops and equipment, violations of national airspace).

With regard to cyber operations, in Russia’s understanding, all information media are used as part of a broader information war that encompasses disinformation, propaganda, “heavy-metal” diplomacy, intelligence, cyberattacks, and so forth. On the other hand, cyber operations are part of “active measures”. The purpose of such measures is to undermine trust in governments and institutions, to sow doubt and discord, and to sway public opinion and political decision-making processes in order to further Russia’s political and military goals. In the past, the KGB used them abroad to impact events in a target country. They also include the leaking of stolen information and the seeding of falsified material into news websites and social media. Active measures – not different from support operations – consist of objectively true information complemented with a small and directed falsified component. For instance, cyberattacks against the websites of the Bundestag as well as a German steel mill, the Finnish ministry of foreign affairs, the French broadcaster TV5 Monde, the Polish stock exchange, and Dutch governmental networks have all been attributed to Russian government-related hackers. It has also been reported that the Kremlin contracts various proxies (e.g. cyber criminals, cyber security companies, and lone hackers) to intrude into foreign countries’ computer networks and develop malware for cyber exploitation. Intelligence shows that Russia also invests heavily in propaganda, and uses state-supported and social media, as well as political figures, to convey its narratives and messages.

From an operational point of view, Russia’s influence operations blend covert cyber operations with overt active measures by state agencies, state media, third-party intermediaries, and Internet “trolls”. Cyber operations (in combination with informational, political, economic, financial, and other instruments of pressure) are effective in producing political uncertainty and in promoting mistrust, blackmail, and bullying. At the same time they showcase cyber capabilities. First, they impact societal resilience because repeated intrusions into computer systems lead to unpredictability and a sense of vulnerability and lost agency. Second, with successful hacking, the perpetrator demonstrates its status as an equal among those major powers who are able to use high-end cyber means for geopolitical ends. Paradoxically, even when the perpetrator denies responsibility for cyberattacks, its image as a powerful actor might be boosted in public discourse, an outcome that may be part of its overall goal of demonstrating power and impunity.

How well is the West prepared to deter, defend, and respond to such attacks? I would argue that the West needs to understand Russian thinking if it intends to prepare better against influence operations. In the West, cyber security strategies pertaining to the national security domain tend to focus on defending against existential or high-end cyber threats. Cyberattacks falling below this threshold have often been overlooked – even though these types of operations are more commonplace and can have significant repercussions for national security. As a result, policy makers lack the necessary understanding of and guidelines on how to defend and deter against cyber-enabled influence operations that are designed to affect public opinion. While the EU, NATO, and their member countries are improving their public diplomacy and strategic communication capacities, as well as their abilities to counter hybrid threats and build up resilience, the emerging strategies and organisations are not well aligned with existing cyber defence efforts – partly because in the West cyber defence has been regarded as merely a technical/IT issue, neglecting its cognitive aspects.

Therefore, I suggest that policy makers should develop national security and cyber security strategies and responses that go beyond mere technical cyber defence measures. An act of stealing information through intrusion into computer systems (cyber espionage) and leaking kompromat to the public domain constitutes a cyber-enabled influence operation. To protect against cyber operations that aim to yield broad societal and psychological effects, the security community must embrace the relationship between the technical and cognitive dimensions. The usual cyber defence strategies (harnessing baseline security measures, improving intrusion detection and network monitoring capacity, increasing awareness and competence, improving international cooperation, and so forth) will be insufficient to protect against cyber-enabled influence operations.

In order to understand more profoundly the effects of influence operations on national security, and how cyber operations contribute to cyber power, we need more case studies. They will help cyber defenders to understand what national interests (e.g. liberal values, regime legitimacy, democratic order, or free elections) were placed at risk, whom the attack affected, and what was lost. Moreover, in designing response options and defence policies, policy makers need to understand what actions are both permissible under international law and coherent with emerging cyber norms and confidence building measures, as well as with their international commitments and foreign and security policy objectives. They also need to consider if the envisioned retaliatory actions would contribute to deterrence by denial and/or deterrence by punishment. While there is legal analysis on how states may employ countermeasures in response to malicious cyber activities that do not qualify as armed attacks, an examination of the application of these general principles and strategies to real-world cases would help policy makers understand the context and devise optimal countermeasures.