“The Russians are top notch.”
Chris Finan is a former director of cybersecurity legislation in the Obama administration, an ex-director at DARPA for cyberwar research, and a former U.S. Air Force pilot and intelligence officer. When it comes to explaining Russia’s place in the evolving world of cyberwar, he ranks the world’s nations and firmly declares Russia’s place in the top tier.
“They are some of the best in the world,” Finan, now the CEO of the security firm Manifold Technology, says. “We’re not talking North Korea or even China, who are really sloppy. The Russians are really good at covering their tracks.”
Sometimes the best way to explain war is the language of sport. Cyberwar is no different. So we talk about who is best, worst, and most improved—everything short of handing out a trophy. We try to predict the future geopolitical games that seemed impossible yesterday and inevitable today.
In a flurry of action over the last decade, Russia has established itself as one of the world’s great and most active cyber powers.
The focus this week is on the leak of nearly 20,000 emails from the Democratic National Committee. The culprit is alleged by many, including Democratic Party officials, to be Russia. The evidence—plainly not definitive but clearly substantial—has found support among a wide range of security professionals. The Russian link is further supported by U.S. intelligence officials, who reportedly have “high confidence” that Russia is behind the attack.
“Everyone steals secrets. Everyone. The difference is the dumping of them in ways designed to influence elections of foreign powers.”
The blame and the proof for the DNC hack will be debated for weeks and months beyond. Attributing cyberattacks is notoriously difficult, doubly so when the adversary is among the best in the world.
“To definitively attribute the breach at the DNC to a Russian actor is next to impossible,” Leo Taddeo, former special agent in charge of the FBI’s NY cybercrime division and now the chief security officer of Cryptzone, explains. “Unless we have a window into their side, we’ll probably never definitively attribute this to Russia.”
Beyond the forensic evidence that points to Russia, however, is the specter of President Vladimir Putin. Feeling encircled by the West and its expanding NATO alliance, the Kremlin’s expected modus operandi is to strike across borders with cyberwar and other means to send strong messages to other nations that are a real or perceived threat.
This is not unique to Russia. The United States is extremely active and effective in the cyberdomain. The Americans spend billions of dollars annually to launch hundreds of cyberattacks every year. Furthermore, Washington has a long history of interfering in foreign elections and politics. And U.S. actors are often the chief suspects in unrest when the evidence is less than clear.
The most poignant such episode began in 2011, when protesters took to the Moscow streets to speak against Russian elections they deemed flawed or fixed—elections that put Putin into his third term as Russian president. You didn’t hear much about it in the American press, but Putin accused then-Secretary of State Hillary Clinton of giving “the signal” and trying to “set the tone” that led to the demonstrations—an open charge of American politicians interfering in Russian elections.
To understand Russia’s decade-long rapid rise in cyberwar, you have to look at Russia’s number one perceived enemy: The West’s North Atlantic Treaty Organization alliance and its slow but steady creep eastward toward Moscow, the capital city that the NATO alliance was originally built to defeat.
Sixteen years can seem like an eternity when it comes to the international sport of war.
“Russia is part of the European culture,” Putin said 2000, the year he rose to the presidency. “And I cannot imagine my own country in isolation from Europe and what we often call the civilized world. So it is hard to visualize NATO as an enemy.”
The newly minted head of state sought “more profound integration” with NATO, he said, including the possibility of joining the alliance if Russia “is regarded as an equal partner.”
Whatever warmth existed between Russia and NATO disintegrated over the next few years. The Western alliance took in a dozen new member states since the end of the Cold War, a move seen by Russian leadership as an openly broken promise meant to take advantage of Moscow’s post-Soviet weakness.
Russia’s western-facing cyberwar exploded onto the world stage a decade ago when, in 2007, it smashed neighboring Estonia’s national internet during nights of deadly riots sparked by disputes over the country’s Soviet-occupied history and a bronze statue in Tallinn, Estonia’s capital, that embodied it.
This Russian cyberattack opened a new era in war. Estonia, one of the world’s most connected countries, was hit with a hammer that cut down the websites and servers of the country’s leading newspaper, banks, police, parliament, national ministries, and the national emergency number.
“Attacking us is one way of checking NATO’s defenses,” Ene Ergma, speaker of the Estonian parliament in 2007, said. “They could examine the alliance’s readiness under the cover of the statue protest.”
The answer to that check: The alliance was not ready.
In an attempt to fix that failure, Estonia is now home to the cyber defense headquarters of NATO.
Despite the cyber defense center’s existence, however, there’s little feeling or evidence the Western alliance has a coherent and effective strategy against aggressive action from their Russian rivals.
After a massive amount of behind-the-scenes work and very public diplomatic efforts, China and the U.S. seemed to reach a detente that cooled an ongoing cyberwar between the two great powers. No such success has visited American–Russian relations.
“What the president has been able to do to restrain Chinese behavior has been effective,” Finan, who worked on cybersecurity in the Obama White House, says. “Hacking private companies has really dropped off. We haven’t had that kind of progress with Russia. We don’t have the same type of leverage with Russia, and we need their help elsewhere. But [the DNC hack] has raised the stakes.”
A year after Estonia’s networks buckled, Russia’s growing hammer in cyberspace dropped on another neighbor and former Soviet Republic nation it deemed a threat: Georgia.
Georgia ended up in a full blown war with Russia in 2008. But before a single shot was fired, denial-of-service attacks and defacements against targets like the website of the Georgian president—he was compared to Adolf Hitler on his own Georgian websites when hackers took control—set the stage for the traditional war that would begin a month later. Dozens of Georgian government, finance, and communications websites went down in the lead up to kinetic fighting.
“Unless we have a window into their side, we’ll probably never definitively attribute this to Russia.”
When the shooting war began, the cyberattacks continued, marking the first time in history that the two domains of warfare coincided. In contrast to the relatively small on-the-ground fighting, the Russian–Georgian War has been called “quite historic and precedent setting,” as David Hollis wrote in the Small Wars Journal, because Russia attacked Georgia on four fronts: Land, air, sea, and cyberspace.
Georgia is no Estonia, however; it was and is not nearly as connected a nation, so the effects paled in comparison to even the relatively small and contained shooting war. But it mattered.
“As tanks and troops were crossing the border and bombers were flying sorties, Georgian citizens could not access web sites for information and instructions,” journalist Jon Oltsik wrote on Networked World. “From a U.S. perspective, imagine a 9/11 or Hurricane Katrina event if citizens had no idea what to do, emergency responders couldn’t communicate, and utilities were cut off in a 200 mile radius outside of the disaster zone. This is the risk.”
The message became increasingly clear: Cyberwar is a ready and effective tool in Russia’s growing arsenal.
Part of what makes it such a potent tool is, once again, that attribution is difficult. Does this or that attack originate within Russia? That’s often tough to say, but, even when that much is definitive, there remains the trouble of sorting through all the different cyberspace movers and shakers in Russia.
Some of the 2008 cyberattacks against Georgia were linked to a Russian criminal gang known as the Russian Business Network, or RBN. Pinning down the extra level of control and coordination between the Kremlin and the criminals for each specific incident can be a titanic task.
In this particular war, however, the links shined brightly.
Hackers took out Georgian news and government websites exactly in locales where the Russian military attacked, cutting out a key communication mode between the Georgian state and citizens directly in the path of the fight.
“It created panic and confusion in the local populace, further hindering Georgian military response,” Hollis, a veteran of the U.S. Defense Department’s cyberspace efforts, wrote in his 2011 study on the war.
The intimacy between the Russian state, private industry, and criminal underworld is notorious in cyberspace and beyond, to the top levels of Russian government and private industry.
“There is no doubt Russia uses these criminal organizations to mask their state-sponsored intelligence and military operations,” Leo Taddeo, the former special agent in charge of the FBI‘s New York cybercrime division, says. Taddeo began his career in the Bureau focused on Russian organized crime.
“The Russian science and math programs are very good,” Finan says. “They also have a ton of organized criminal groups that are frankly very innovative in their methods. Sometimes the state will outsource their work there.”
Taddeo is convinced that Putin’s ultimate goal in his alleged hack of the DNC is to knock back against NATO, the U.S., and the West in general.
“Putin and his senior leadership believe the main threat to Russia is the perception of a slow but steady encirclement of Russia by the U.S. and NATO,” Taddeo argues. “Throughout the Obama administration, we have moved closer to Russia with advanced missile defense systems and the expansion of NATO bases. As such, the main strategic objective for Putin is to disrupt the U.S./NATO advance to their borders. This can not be overstated.”
In the last year alone, the effects of this apparent agenda have been felt strongly in countries nearest to Russia that are either already in NATO or who flirt heavily with the alliance. After NATO conducted a naval exercise from Finnish territory for the first time ever earlier this year, hackers knocked the Finnish Ministry of Defense’s website offline. Germany accused Russia of a cyberattack against a steel mill that caused “massive” damage.
The steel mill attack stands as only the second known incident in which hackers have caused physical damage. The first is Stuxnet, the American–Israeli cyberattack against Iranian nuclear facilities in 2007 and 2008.
The French television network TV5 Monde was knocked off the air for 18 hours in April 2015. The website was replaced by jihadist propaganda, but French authorities insisted Russian state-sponsored hackers were behind the attack. More to the point, they accused a group called Fancy Bear that American security experts believe is behind this year’s hack of the Democratic National Committee.
When a Dutch commission concluded a Russian weapon destroyed a Malaysian airliner over war-torn Ukraine, Russian hackers targeted the investigation from start to finish.
In late 2015, Ukraine itself was the target of hackers who took control of a western Ukrainian power grid that knocked out power substations and launched a blackout for 230,000 Ukrainians.
Coming amid an ongoing armed struggle in Eastern Ukraine that heavily and continuously involved Russian soldiers and weapons taking and holding formerly Ukrainian soil, it was little surprise when the finger was pointed from Kiev to Moscow.
“The biggest problem in cyber remains deterrence. We have been talking about the need to deal with it within NATO for years now.”
German intelligence backs Ukraine’s blaming of Russia, but, as always, definitive proof remains elusive.
A year prior, just days before a Ukrainian presidential election, self-avowed pro-Moscow hackers crippled the country’s national election commission digitally. Software, hard drives, routers, and backups were decimated.
In the middle of not only a civil war and armed conflict with Russia but also a political drama about the future of Ukrainian democracy, the country’s election authorities being hamstrung and unable to offer real-time results may have sparked doubts about the legitimacy of a vote that was putting a more pro-Western and anti-Russian government in office in Kiev.
Ukraine’s government and military have been the target of numerous cyberattacks since war broke out, putting it squarely on the front line of a new, hybrid conflict with Moscow. And although NATO has spoken about giving resources and defense aid to Ukraine, the progress has been slow so far.
The Kremlin’s response to these accusations echoed their answer to nearly every charge leveled at them in the last decade. It’s “absurd,” Kremlin spokesman Dmitry Peskov said.
“The campaigns being monitored by the BfV [Germany’s domestic intelligence agency] are generally about obtaining information, that is spying,” Hans-Georg Maaßen, who leads BfV, said this year. “However, Russian secret services have also shown a readiness to carry out sabotage.”
“Cyber-attacks carried out by Russian secret services are part of multi-year international operations that are aimed at obtaining strategic information,” Maaßen said, also earlier this year. “Some of these operations can be traced back as far as seven to 11 years.”
It’s called “gray zone” combat, because cyberwar is saturated by such a dense fog that clear understanding or response can feel out of reach.
“The biggest problem in cyber remains deterrence,” Toomas Hendrik Ilves, the Estonian president, said earlier this year. “We have been talking about the need to deal with it within NATO for years now.”
In June, just prior to WikiLeaks public release of emails stolen during the DNC hack, Ilves said his biggest fear was the escalation of cyberattacks. If the DNC proves to be Russian work—or, more likely, if no absolute proof is forthcoming, but the the evidence and context continues to point that way—it won’t be the first time high-level American politicians were hit by Russian hackers.
In 2014, hackers breached the White House’s unclassified servers and accessed some (but not all) emails from President Barack Obama to staffers. The State Department was also breached, though Secretary of Defense Ashton Carter said the breach there was also limited to unclassified computers. One U.S. official called their adversaries “one of the most sophisticated actors we’ve ever seen.”
“The main strategic objective for Putin is to disrupt the U.S./NATO advance to their borders. This can not be overstated.”
Despite the decade-long rise in Russian cyberwar, the DNC hack is seen by many in the West as a blatant escalation beyond what the Kremlin has done previously.
“Everyone steals secrets,” American political scientist P.W. Singer says. “Everyone. The difference is the dumping of them in ways designed to influence elections of foreign powers. It’s akin to Putin’s personal rise, viewing the processes of democracy as merely something to manipulate, not institutions to respect.”
Russian actions on the internet extend beyond traditional hacking. Singer points to the country’s dynamic troll factory system that influences social media; the international propaganda system, centered around Russia Today, aimed at influencing news; efforts to influence European politics and Brexit; and an information war focused on the U.S. election that fuels extremist support of Donald Trump.
“They literally invented [information warfare],” Singer says of the Russians. “They also have set up a wide apparatus to support it, some 75 different organizations, ranging from university programs to military units, studying the issue and operationalizing. Finally, the willingness to look at democracy as merely something to be manipulated gives a wider scope of activity they can do.”
With the DNC breach as the latest cherry on top of what seems to be an endless onslaught of headline-making hacks, the potential responses vary widely.
Financial sanctions are seen by many as the most effective immediate tool to fight Russian action. Singer suggests retaliatory data dumps targeting the bank accounts of Putin and Russian oligarchs.
Acting chair of the DNC Donna Brazile, Trump, and Putin himself take a different lesson: Just don’t use email—it’s horribly insecure. Plenty of security experts agree, though the ubiquity of the medium make it tough to get rid of.
“The DNC breach really hits home on the evolution of the data breach from a sort of petty crime or adolescent act of vandalism to a professionalized tool of global influence being deployed by state-sponsored organizations carefully executing these acts in order to influence national elections with international consequences,” says Danny Rogers, CEO of the security firm Teribium Labs.
It’s the result of these breaches that remains the biggest question mark for Rogers.
“It remains to be seen throughout the election season whether this action is effective,” he says, “or if it’s a desperate attempt where there aren’t stronger levers to pull.”
Correction: Ashton Carter is the current secretary of defense.