Russian Hybrid Warfare
By Susan Landau, Bridge Professor in Cyber Security and Policy at The Fletcher School of Law and Diplomacy at Tufts University
The Russians are coming. What are we going to do about it?
A year and a half past the 2016 U.S. presidential election, it’s clear that that we are not paying sufficient attention to Russian efforts in “hybrid warfare.” Such warfare is a combination of information operations (much like the ones employed during the U.S. presidential election), cyber operations (such as have been carried out against Ukraine), using proxies to accomplish goals (examples include far-right groups in the Netherlands who engineered a public referendum on a trade treaty with Ukraine), undue economic and political influence, and clandestine measures. Russia used such tactics during the Cold War, of course. But in recent testimony to the Senate Armed Services Committee, Christopher Chivvis demonstrated how Russian hybrid warfare tactics are now far greater. Modern communications technologies simplify Russian efforts, enabling not only penetration into other nations’ businesses and governments, but also into the heart of their democratic processes.
Last month, when he was still national security adviser, Lt. Gen. H.R. McMaster calledthis a “critical time,” adding that, “Russia brazenly and implausibly denies its actions, and we have failed to impose sufficient costs.” Natalie Laing, deputy director of operations at the NSA, recently said that the U.S. currently lacks “the political fortitude to say how we’ll strike back.” In failing to adequately respond to the risks, we are increasingly putting ourselves in danger.
In 2013, Russia’s chief of the general staff, Valery Gerasimov, described a new form of conflict that he saw as blurring the line between war and peace. Gerasimov’s description reflected Russian frustration and fear over what it viewed as encirclement by liberal democracies as they helped democratize former satellite countries on Russia’s western flank—and, in some cases, enabled them to join NATO. We all know how Russia responded in the years after Gerasimov’s comments: the annexation of Crimea, the military attacks on Ukraine, the information warfare campaign conducted during the 2016 U.S. presidential election, etc.
Now there are new words from Gerasimov. In a recent speech outlining the military’s high-tech plans, Gerasimov stated that economic and non-military government targets would be fair game in this new form of war. Note those words. Targeting civilian infrastructures is not a new war-fighting strategy. But then tie them together with other Russian actions of the last half decade.
The targets? A recent Senate Foreign Relations Committee minority report lists nineteen nations—Bulgaria, Denmark, Estonia, Finland, France, Georgia, Germany, Hungary, Italy, Latvia, Lithuania, Montenegro, the Netherlands, Norway, Serbia, Spain, Sweden, Ukraine and the U.K.—in addition to the United States.
I want to focus here not on the (lack of an appropriate) U.S. response to Russian aggression, but on cybersecurity and resilience. And so I turn to Ukraine, Russia’s apparent test lab for hybrid warfare and, in particular, cyber attacks.
In 2015 attacks on three power distribution systems in western Ukraine shut off electricity to a quarter million people. The attack began as such attacks do: spear-phishing emails with malware hidden inside attachments were sent to company workers in several Ukrainian power distribution companies. Once recipients opened the attachments, hackers obtained access to the companies’ business networks and acquired credentials that enabled them to connect to the power-distribution networks. Probing those networks, the attackers brought home information about their configurations and then began to experiment.
That’s where the attackers’ skills became evident. Each of the three power distribution networks worked slightly differently, but when the systems were brought down in December 2015, somehow all three failed within minutes of each other. There was more: Having disconnected at least twenty-seven substations, the hackers “bricked” devices that would have allowed the grid operators to use online tools to bring substations back to life. And then the hackers took out backup power supplies to two of the power distribution centers, so that operators were literally working in the dark.
The attackers had developed custom attacks, undoubtedly using a well-equipped lab where they tested methods for bringing down the power-distribution systems. That, plus the particular software used in the attack, points to Russian involvement. Western intelligence services have little doubt that this action was supported by the Russian government.
It was the first of a series of serious cyber attacks that Ukraine was to suffer. The next big one to hit the press was NotPetya. Cleverly disguised as an update to tax-filing software used across Ukraine, the malware quickly spread across Ukraine on June 27, 2017, occuring the day before a national holiday celebrating the approval of the Ukrainian constitution. ATMs stopped working; computers at the Chernobyl nuclear plant failed, leaving workers to monitor radiation levels by hand; systems at the post office and various Ukrainian ministries froze. Government workers resorted to pen and paper.
The attack spread past Ukraine’s borders—Maersk, the Danish container shipping company and Merck, the U.S. drug company, were among the many non-Ukrainian systems affected. But these companies seemed to be collateral damage. The focus of the attack was clearly Ukraine, formerly a part of the Russian empire and now trying to face West. The attack was part and parcel of what Ukraine has been experiencing over the last several years. In December 2016, Ukrainian President Petro Poroshenko claimed the country had suffered 6,500 separate attacks in the previous two months.
The Russian government feels threatened by Western democracies, both directly through sanctions and indirectly because free press and civil liberties expose Russian government corruption. The Senate Foreign Relations Committee minority reportobserved that Putin
has made it a priority … to attack the democracies of Europe and the United States … He has used the security services, the media, public and private companies, organized criminal groups, and social and religious organizations to spread malicious disinformation, interfere in elections, fuel corruption, threaten energy security, and more.
Ukraine, situated on the edge of the former Soviet empire, poses a particular threat and thus it has been the subject of attacks for over a decade. During Ukraine’s 2004 presidential election, the candidate the Kremlin opposed, Viktor Yushchenko, fell ill with dioxin poisoning; blame for the attack was laid, albeit without full proof, on Russia. In 2013, Ukraine was close to finalizing an “Association Agreement” with the EU—an important step to full membership in the bloc—but Russia applied pressure against doing so. Ukraine’s President, Viktor Yanukovych, moved away from the agreement. After street protests broke out in Kyiv, Yanukovych fled to Moscow. But Russia struck back against Ukraine, invading Crimea and eastern Ukraine. Other assaults happened as well, including the cyber attacks discussed above.
But—and this is the important lesson for the West—Ukraine is not the only focus of such attacks. During the same year that the Ukrainian power grid was attacked, there was a similarly sophisticated cyber attack against TV5Monde, France’s global television station. As with the attack against the Ukraine power grid, the hackers entered the computer systems months before the actual attack. As with the Ukrainian attack, the assault itself was then done with precision and speed, evidencing significant experimenting before the attack was launched. According to the BBC, the attackers “carried out reconnaissance of TV5Monde to understand the way it broadcast its signals. They then fabricated bespoke malicious software to corrupt and destroy the internet-connected hardware that controlled the TV station’s operations—such as the encoder systems used to transmit programmes.”
Using seven different points of entry, the attackers hid their tracks. They sought to lay blame on the “Cyber Caliphate”—a previously unknown group—but multiple intelligence agencies reached consensus that Russia was behind the attack attack was by the Russians. And that’s what makes the attack particularly disturbing. There is no obvious reason for TVMonde to be in Russian gunsites. More likely the cyber attack was a “proof of concept,” successfully trying out new tools. French intelligence ultimately placed blame for the attack on Fancy Bear, one of the the Russian groups said to be responsible for the hacking the Democratic National Committee.
There are also other disturbing portents. In 2016, Russian hackers penetrated the U.S. power grid. There is evidence that they have the ability to sabotage U.S. power systems much as they had done in Ukraine.
Now go back and consider Gerasimov’s recent statement describing how future warfare would involve the targeting of civilian infrastructures. The attacks on the Ukrainian power grid were not a one-off effort. Wired reported that since the 2015 attack against the Ukrainian power grid, “Ukraine’s pension fund, the country’s treasury, its seaport authority, its ministries of infrastructure, defense, and finance” have all been under attack.
Russia’s brazen attack on Sergei Skripal, a former Russian spy who turned for the British, and his daughter demonstrates the Russian government’s remarkable willingness to go well beyond its former borders and conduct assaults anywhere in the world. The assassination attempt was intended not only to kill Skripal and intimidate others from taking similar actions, but also to send a message to other governments about Russian readiness to violate international norms. Russia’s decision to conduct highly disruptive cyber attacks against other nations while not at war is another example of this.
For a long time, we have viewed the cyber threat as bifurcated. Low-level actors would create noisy, but ultimately not seriously damaging, attacks (think Sony Pictures). Nations would develop attacks that would be used as part of the action during major hostilities. The recent Russian actions—and Gerasimov’s words—indicate a different and chilling scenario. The blurring between war and peace may include highly damaging attacks on cyber-supported infrastructure from a nation-state quite capable of conducting cyber attacks that cause serious harm and disruption.
So far the U.S. response to Russian cyber warfare has been as if the world were still in the mid-2000s, when attacks could be relatively easily handled. But that is far from what Russian attacks on Ukraine have been. Our neglect of security, including our continued willingness to run unpatched systems, our neglect of the use of secure authentication systems (e.g., less than 10 percent of Gmail users employ second-factor authentication), and our lack of attention to resilience, puts us at great risk. If we are not to provide our enemies with the rope by which to hang us, we need to respond to the changed environment in three critical ways.
First, the United States should respond forcefully to the Russian cyber attacks whereverthey occur in the world. As the national security establishment has been arguing, we cannot afford to continue to ignore these violations of norms. They are every bit as critical as—and potentially far more dangerous than— the attacks on the Skripals.
Second, the government should develop a far more robust cybersecurity posture. Yes, we’ve been talking about this for decades. But we had a failure of imagination: We did not anticipate the “blurring between war and peace” in which Russia is now operating. Our thoughts about cybersecurity were largely focused on protecting against assaultson critical infrastructure, and not on society writ large. The Russian playbook on Ukraine tells us we must think differently.
That is extraordinarily hard. While corporations, civic infrastructure, and civil society may be slowly learning that they must protect themselves against cyber attacks, it is a far harder task to protect against the actions of a technically sophisticated nation state. Indeed, it is not feasible for a Sony Pictures to do so. That’s why the Obama White House was entirely correct in calling the attack on Sony a “serious national security matter.” Doing so draws a clear line that says nation-state attacks on the U.S. private sector risk a U.S.government response. At the same time, while a response that says that the U.S. government “has your back” is necessary, but certainly insufficient. There are organizations—such as the Freedom of the Press Foundation and Citizen Labthat provide thoughtful guides for security (see this and that respectively), but these are no substitute for rigorous in-house secure systems, security updating, VPNs, and the like. And the U.S. government has the responsibility to convey to various communities—industry, civil society, the press—quite the risks they all face. The threat model has changed substantially, and while the intelligence community understands this well, most of society does not yet. The Russian threat was not simply to the 2016 U.S. presidential election. It is an ongoing, serious threat that will grow worse, and our nation must therefore respond accordingly.
The threat is broad. It is tempting to view it as centered on industries that the Russians view as crucial to the U.S. economy, but consider how the NotPetya attack occurred: The hackers did not directly attack governments ministries, banks, and other critical parts of the Ukrainian economy but instead targeted tax software. Because this particular software was widely used across Ukraine, this was a highly effective strategy. This attack represented a new kind of threat, but in another sense, it was a strategy we’ve seen employed many times. Attackers often don’t directly target the power plant or corporate entity, but go in through a small vendor who is likely to be less well-protected. That’s what happened in the 2013 breach at Target in which the payment records of 41 million customers were taken.
Third, the U.S. must develop increased cyber resilience—that is, the ability to function effectively despite the disruption inflicted and the perpetrator being within your own computer system. One of the interesting issues in the attacks on the Ukraine power grid was that electricity was restored within hours. The hackers’ tools had overwritten the computer firmware at 16 of the electrical substations, so no remote controls could turn them back on. But the systems still had manual controls—and for a long time after the attack, that’s what the operators of the distribution networks had to use. This system was less efficient, but it worked in the face of destruction of the control systems. This lesson was not lost on the U.S. Department of Homeland Security, which now sees this type of physical backup as an important aspect of resilience.
Resilience, which the government defines as the ability to withstand and rapidly recover from attacks, is a different approach to cybersecurity. It assumes the enemy is in your system and asks, now, how you can secure yourself. You need to fully understand what the essential core of your mission is, and what aspects you must protect—and how to do so despite the insider in your midst—in order to recover quickly. You’re maintaining continuity of operations as effectively as possible despite the threat lying right in the middle of your control systems.
The issue of resilience was also not lost on the Emmanuel Macron campaign during France’s 2017 presidential election. When Russian hackers had made their way into Macron’s campaign computers, staffers created fake email accounts on the systems and then planted fake documents within these. This “cyber blurring” strategy likely impeded the hackers’ ability to cause damage; they didn’t know which accounts were real and which were fake, so the attackers had to stop, verify, and check.
Cyber resilience doesn’t mean getting the systems working as planned; it means getting the work done even if computer systems are corrupted. As with turning on the power distribution systems by hand rather than through computer controls, it can mean using alternative methods to accomplish the task. In Isaac Asimov’s short story “Into the Comet,” a spaceship’s computer fails, and there is no way to calculate an exit trajectory from the comet’s pull. Then someone remembers his great-uncle’s abacus, and convinces the ship’s astronomer that the hand device may enable a solution. Building abaci, they try and succeed, determining an orbit that will bring them within Earth’s radio range.
The precise nature of resilience will vary depending on the type of service an entity is providing. A power company will need the ability to recover quickly from an attack; a news organization will need to prevent its files and websites from being corrupted. These are different needs. Determining what resilience means will take a combination of fully understanding what the most important aspects of the business are—ensuring that drug compounds haven’t been tampered with in the case of pharmaceutical firms, protecting patients undergoing surgery in the case of hospitals—and then enabling those operations to carry on even if computer systems are degraded. Note that I am not saying saying carry on as usual. I am restating the U.S. government credo here: Withstand and rapidly recover.
Organizations that have thrown out their paper and pencils and fully relegated processes to computer control will find the business of developing resilience challenging. Sony management rediscovered BlackBerrys and phone trees in the days after the company was attacked by North Korean government hackers, causing a full shutdown of Sony’s computer systems. We don’t all have to go to abaci. We simply have to develop alternate methods that accomplish the necessary tasks when the computer systems fail.
We don’t have much of a choice in the matter. Ukraine’s situation gives all-too-clear a picture of where the Russian government may be going: The power systems in Ukraine went down not once, but twice, in December 2015 and 2016. The skill of the attackers had improved in the interim; Marina Krotofil, a Honeywell industrial control systems security researcher called the 2015 hackers “a group of brutal street fighters,” while the 2016 attackers were “ninjas.” The Russians are now sitting inside the access control systems of U.S. power plants. At a minimum, there’s a serious threat whenever the U.S. takes actions that Vladimir Putin doesn’t like.
For a long time, the cost of cybersecurity was higher than the cost of attacks. Due to that, and our collective failure to imagine a highly skilled attacker who would target the private sector as a tool of war, we’re behind the eight ball on protecting ourselves. But as Winston Churchill is said to have observed, “Americans will always do the right thing, only after they have tried everything else.”
The Ukraine situation, the varied attacks against the 18 other nations in Europe, Gerasimov’s newest pronouncement, and the interference in the U.S. election make clear that it’s well past time for serious responses to Russian attacks on the private sector (as well as serious responses to any other nations that do so). But such steps are the easier and less critical part of the security equation. It is critical that the private sector—and this includes any company or organization that uses computers—understand that the threats have changed, and that any organization might be a target of an attack from a nation state. Even if, for example, the organization in question might not be directly a target of Russian interest, one of their customers might be. Thus they need to protect themselves lest they be a vector of infection. And companies need to develop the mindset of, and capability for, resilience.
We’ve tried everything else. It is not working. Instead, it is now time for us to do the right thing.
This piece was republished from Lawfare.