Russian cyberattacks have antagonized, bullied, and suppressed neighbors and countered Western influence. The time has come for NATO to adopt a cyber strategy that incorporates active defense.
During the past decade, Russian government cyber actors have pressed the legal and ethical boundaries of cyberspace, testing the limits of what the international community would accept—often finding none. Moscow has pushed to see if there would be a proportional response from its cyber victims, and the answer usually was no, except to repair or limit the damage. If this increased cyber activity and presumed cyber strategy have revealed anything it is this: Russia is emboldened by the lack of international response to its cyber attacks, and it will continue to escalate the sophistication and lethality of this attack vector to antagonize, bully, and suppress Russia’s neighbors and counter Western influence.
There is international reluctance to establish governing rules for nation-states in cyberspace. In the absence of cyber governance, Russia is conditioning the world to its norms. The following cyber attacks have been attributed to Russian actors:
April 2007 – Estonia: Russian distributed denial of service (DDoS) attacks against government websites as well as the websites of banks, universities, and newspapers in response to the removal of a Soviet war monument in Tallinn.1 This attack is considered the first nation-state cyber attack against another nation-state.
August 2008 – Georgia: Russian hackers using DDoS attacks were able to cripple communications, finance, and government websites as Russian conventional ground forces, operating with Abkhazian and South Ossetian separatists, defeated the Georgian military. The DDoS attacks disrupted Georgian government communications, which enabled a swift invasion by Russian mechanized forces. This event was the first coordinated cyber/conventional attack in modern history.2
March 2014 – Ukraine: In a second coordinated cyber/conventional attack, Russian cyber operations affected websites, telecommunications, and Internet and mobile services as a prelude to annexation of Crimea.3 In this operation, Russia maneuvered conventional forces while achieving cyberspace effects to shape the battlefield.
Late 2014 – German Steel Mill: A blast furnace at the ThyssenKrupp AG steel mill was physically damaged by malware tied to Russian espionage activity. This was the most effective industrial control system cyber attack since the Stuxnet attack against Iran’s nuclear centrifuges in 2010.4
July 2015 – Pentagon: Russian hackers were credited with compromising an unclassified Joint Chiefs of Staff network. Access was gained through a spearphishing email campaign, one of the most common and effective methods to circumvent network defense-in-depth measures.5
November 2015 – Swedish Air Traffic Control System: Russia reportedly was able to ground flights at multiple airports in Sweden over a period of five days. Swedish authorities attributed the attack to an advanced persistent threat (APT) group associated with the Russian Military Intelligence Agency (GRU).6
December 2015 – Ukrainian Power Outage: A suspected Russian attack caused a power outage to roughly 225,000 customers. Security researchers say it is the first known instance of a power blackout being linked credibly to the actions of malicious hackers.7
May 2016 – U.S. Democratic National Committee (DNC): Using forensic analysis, the cybersecurity company CrowdStrike attributed the compromise of a DNC computer network to the Russian cyber intrusion sets known as Cozy Bear (APT 29) and Fancy Bear (APT 28).8
May 2017 – French Presidential Election: New York-based cyber intelligence firm Flashpoint attributed the release of nine gigabytes of French presidential candidate Emmanuel Macron’s emails a day and a half before the election to APT 28.9 This attack was the second cyber information operation aimed at affecting democratic elections in a Western country in less than a year.
Each of these attacks marked a critical milestone in the advancement of a diverse Russian playbook for offensive cyberspace operations. In less than a decade Russia has demonstrated the capability to influence populations, conduct advanced hybrid warfare, execute nonkinetic “kills,” deny freedom of maneuver, cripple infrastructure, and meddle in democratic elections. Analyzed as a whole, these incidents underscore a well-developed cyber playbook and order of battle.
The gradual escalation of its cyberspace prowess could not come at a better time for Russia. The country’s gross domestic product has stagnated, and prices for its oil and gas exports remain low (approximately $50 per barrel and $3 per thousand cubic feet as of June 2017). Russian exploitation of cyberspace is a cost-effective means to project influence and impose costs on its adversaries.
Flexing its conventional capabilities, Russia now maintains an alert presence along the Russia/Ukraine border and supports an expanding deployment in Syria to assist the Bashar al-Assad regime against opposition forces and the Islamic State of Iraq and Levant (ISIL). Russia deployed its only aircraft carrier, the Admiral Kuznetsov, into the Eastern Mediterranean in late 2016 and, on several occasions, fired land-attack cruise missiles from surface ships and submarines at targets in Syria. The expansive deployment of troops and equipment into Syria has given Russia a military “proving ground” to test everything from weapons to special forces to carrier operations. With the increased operational tempo of its conventional forces and a well-developed cyber order of battle, Russia is primed to initiate another hybrid warfare conflict. This point has not been lost on the Baltic states.
Russia’s annexation of Crimea was achieved through the skillful combination of internal Ukrainian dissidents and insurgents working with Moscow’s special forces, and it demonstrated Russia’s successful integration of hybrid warfare, kinetic operations, and information operations—including cyberspace operations.
Cyberspace operations normally are “binned” into the nonkinetic spectrum of warfare with information operations. As billions of mobile and networked devices become interconnected to form the Internet of Things (IoT), the aperture for cyberspace operations will extend from the nonkinetic into the kinetic spectrum. Russia’s continuous, unchecked escalation in the cyberspace environment eventually will lead to physical, kinetic effects in a future conflict. The damage to the German steel mill and the Ukrainian power outage in 2015 demonstrated Russia’s intent and ability to achieve physical effects on industrial control systems. These capabilities are a considerable deterrent for any nation or company considering confronting Russia in cyberspace.
Cyber incidents are dealt with differently depending on the attacker, target, and assessment of damage. A global cybersecurity industry, estimated to be valued at more than $200 billion by 2021, has emerged to discover and patch commercial-sector network vulnerabilities and analyze cyber threats from nation-states, hacktivists, criminal organizations, and terrorists. Governments have aligned funding and organizations to defend networks and thwart attacks. As an example, NATO established the Tallinn-based NATO Cooperative Cyber Defence Center of Excellence (CCDCoE) in 2008 to provide for the collective cyber defense of NATO networks.10 Despite these efforts, Russia continues to subvert defense-in-depth measures by sending (spear)phishing emails with embedded malicious code. Because of the number of methods for attack and the evolving malware sophistication, some network administrators concede that no network is safe from cyberattack. Cyber experts can do their best to deter attacks or detect and fix them after the fact, but the collective of the European Union and NATO—including the United States—needs to confer on a proportional response to the next cyber incident.
The cyberattack on Sweden’s air traffic control system forced the grounding of hundreds of planes at multiple airports for five days. How can a nation’s commerce and transportation be affected to this degree with no repercussions? How would Russia respond if flights were grounded in Moscow for five days? What if 500,000 electric utility customers lost power in the winter in Saint Petersburg for a day? What would the response be if someone penetrated the industrial control system network of Russian aluminum company RUSAL to cause physical damage to the equipment and possibly injure or, worse, kill workers? Of course, Russia would move swiftly to attribute the attacks and execute what Moscow considered a proportional response.
According to the Department of Defense’s 2015 Cyber Strategy, “cyberattacks are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team.”11 Analyzing cyberattacks on an individual basis is the normal practice of all nations that have become acclimatized to persistent Russian cyber operations. This is akin to counting the trees and ignoring the forest, and, as a result, offensive cyberspace counteroperations are tightly reserved and to be used only when significant interests are attacked or threatened. Russian cyber aggression is analyzed constantly to determine whether each activity rises to a certain threshold. It is difficult to justify retaliation when these instances are separated. It is time to develop a case that aggregates Russia’s cyber body-of-work and tips the threat in the opposite direction.
Citing Russian cyberattacks collectively, NATO could make the case that Russia has triggered Article 5, Collective Defense, of the North Atlantic Treaty. This article was invoked for the first time in its history after the 11 September 2001 terrorist attacks against the United States. Declaration of Article 5 would allow for a shared responsibility among NATO countries to defend against and retaliate proportionally against Russian cyber aggression.
James A. Lewis, a cybersecurity and technology expert at the Center for Strategic and International Studies, cites several reasons why a cohesive offensive cyberstrategy for NATO is difficult. His list of obstacles includes: lengthy planning periods and processes for gaining access to targets and executing offensive cyber operations, sharing of cyber threat intelligence and offensive cyber capabilities among allied nations, and the bureaucratic process of developing a cohesive response plan in response to a cyber incident.12
Each of these complexities is valid, but NATO, on the frontline of this battle, should consider developing an active defense strategy. NATO’s Cooperative Cyber Defence Center of Excellence should continue to focus on cyber defense, but also should establish an active defense cell under the strategy branch—or a completely separate branch—with a continuous focus on adversary cyber targets. As part of this plan, NATO should develop a concept of operations plan to outline clearly desired effects for cyberspace operations in response to Russian cyber aggression. If analyzing these incidents on a case-by-case basis continues to be the modus operandi for NATO, then a shortened decision cycle for a response will be necessary—hours versus days, weeks, months, or years. NATO’s CCDCoE could be responsible for planning and coordinating a joint targeting list approved by NATO authorities for prosecuting a cyber target to achieve desired effects. NATO members could bring their cyber tools to support the mission as is current practice in traditional kinetic operations.
A cyberattack may not always warrant a cyber response. Despite NATO’s reluctance to declare Article 5, the United States took one step forward in December 2016 when then-President Barack Obama amended Executive Order (EO) 13964, improving the United States’ ability to respond to cyberattacks. Citing Russian interference in the 2016 U.S. general election, the amended EO 13964 allowed the President to sanction nine entities and individuals: two Russian intelligence services (the GRU and the Federal Security Service); four individual officers of the GRU; and three companies that provided material support to the GRU’s cyber operations.13 President Donald Trump has taken further action to secure federal networks through his May 2017 executive order “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” In addition to this action, another review of EO 13964 should be conducted to allow for active defense actions—cyber or otherwise—based on the collective evidence of a cyber threat as opposed to the case-by-case analysis and response.
The complexities of the Internet may only be eclipsed by the complexities of bureaucratic infrastructures and their inability to counter a clear and present threat. The Russian cyber problem will not get easier, and it could become more destructive as the cyberattack aperture expands further into the physical world. It is prudent for nation-states to proceed with caution to ensure that cyber operation authorities and capabilities for active defense are safeguarded and controlled at the highest levels. It is also necessary to ensure that decision makers have the flexibility to rapidly respond to a cyberattack and are allowed the latitude to counter directly a threat that repeatedly has attacked and taken advantage of the lack of norms in cyberspace.
1. Jason Richards, “Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security,” International Affairs Review (15 December 2016), The Elliott School of International Affairs at George Washington University, www.iar-gwu.org/node/65.
2. David Hollis, “Cyber War Case Study: Georgia 2008,” Small Wars Journal (6 January 2011), http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf.
3. “Crimea – The Russian Cyber Strategy to Hit Ukraine,” INFOSEC Institute (11 March 2014), http://resources.infosecinstitute.com/crimea-russian-cyber-strategy-hit-ukraine/.
4. Michael Riley and Jordan Robertson, “Cyberspace Becomes Second Front in Russian Clash With NATO,” Bloomberg Technology, 14 October 2015, www.bloomberg.com/news/articles/2015-10-14/cyberspace-becomes-second-front-in-russia-s-clash-with-nato.
5. “US Military’s Joint Staff Hacked as Officials Point the Finger at Russia,” Reuters in Washington, The Guardian, 6 August 2015, www.theguardian.com/technology/2015/aug/06/us-military-joint-chiefs-hacked-officials-blame-russia.
6. Mary-Ann Russon, “Russia Blamed for Crashing Swedish Air Traffic Control to Test Electronic Warfare Capabilities,” International Business Times, 14 April 2016, www.ibtimes.co.uk/russia-blamed-bringing-down-swedish-air-traffic-control-test-electronic-warfare-capabilities-1554895.
7. Katie Collins, “Ukraine Blackout is a Cyberattack Milestone,” Cnet, 5 January 2016, www.cnet.com/news/cyberattack-causes-widespread-power-blackout-in-ukraine/.
8. Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” CrowdStrike, 15 June 2016, www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.
9. Eric Auchard and Bate Felix, “French Candidate Macron Claims Massive Hack as Emails Leaked,” Reuters World News, 6 May 2017, www.reuters.com/article/us-france-election-macron-leaks-idUSKBN1812AZ.
10. NATO Cooperative Cyber Defense Center of Excellence website (May 2017), https://ccdcoe.org/.
11. Department of Defense Cyber Strategy (April 2015), http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.
12. James A. Lewis, “The Role of Offensive Cyber Operations in NATO’s Collective Defence,” Tallinn Paper No. 8. (2015), NATO, https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015_0.pdf.
13. The White House Office of the Press Secretary, “FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment,” 29 December 2016, https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/fact-sheet-actions-response-russian-malicious-cyber-activity-and.