Russia’s Hybrid Warfare
By Susan Landau, Bridge Professor in Cyber Security and Policy at The Fletcher School of Law and Diplomacy at Tufts University
It’s hard to imagine that the Russian cyberthreat could be more disruptive than what has been uncovered so far. But the focus on email hacking and possible collusion between the Donald Trump campaign and Russia in 2016 has overshadowed other Russian efforts to disrupt U.S. civil society. In January, when the Office of the Director of National Intelligence confirmed Russian efforts to undermine the U.S. presidential election, the office also confirmed that civil society organizations “viewed as likely to shape future” U.S. policies — think tanks, research institutes, and the like — had been targets of Russian hacking. These organizations are crucial to the function of democracies but generally are very poorly secured.
Elections get headlines. The minutiae of day-to-day governing decisions rarely do, and few citizens have active roles in this aspect of democratic life. Instead, in healthy democracies, charities, activist groups, community organizations, professional societies, religious groups, trade unions, and other nongovernmental organizations serve as go-betweens, connecting citizens and the government. These organizations create a social capital that smooths the inevitable bumps of democratic government.
Each type of civil society organization functions differently. At a local level, for example, community groups may help solve hard problems (where to locate low-income housing or whether to cut school budgets or funding for services for the elderly, etc.). At a national level, civil society organizations can be a conduit between the people and their representatives by lobbying the government or being a trusted source of information regarding government actions. Civil society organizations are social glue. Destroy trust in these organizations and trust in government also erodes.
Consider what happens when civil society organizations — those viewed as “likely to shape” U.S. policies — are undermined. “Climategate” provides a good example. It was the theft and subsequent leaking online of data from 13 years of research — more than 1,000 emails and 2,000 documents, as well as computer code — from the Climatic Research Unit at the University of East Anglia in England. When the theft occurred in 2008, 71 percent of Americans believed global warming was real. In 2009, the Democratic-controlled House of Representatives passed a major bill on climate change. Then emails and other data were posted on various internet sites shortly before the Copenhagen summit on climate change, a meeting that was expected to conclude an internationally binding treaty.
Now recall what happened next: Quoting emails and documents out of context, climate change deniers made it appear that scientists had “cooked the data” to present a story when none existed. This narrative wasn’t true. But public support for legislation on climate change dropped. No bill passed the U.S. Senate. A study examining U.S. attitudes toward climate change found that by 2010, only 57 percent believed such change was happening. Notably, of those who had heard of Climategate, only 47 percent believed global warming was real. Surveys conducted by researchers at George Mason University showed that Climategate contributed to the decline in confidence in a previously trusted scientific narrative. A different alarming trend can be seen in the 9 percent drop from 2008 to 2010 in whether people trusted scientists to speak accurately about global warming. The deeper takeaway is that attacks on civil society diminish trust broadly.
Civil society organizations are the soft underbelly of democracies. The consequences of Vladimir Putin’s Russia targeting them are serious. One set of responses must come from organizations themselves, which need to understand the threat and its implications and then develop technical protections as well as inoculations against damage when they are attacked as some inevitably will be. The other aspect must come from democratic governments, which so far have treated such attacks far too lightly. Russian hacking against democratic institutions has not destroyed physical infrastructure, but that makes them no less dangerous than physical attacks.
***
Civil society doesn’t mesh well with authoritarian regimes. It should be no surprise that the Russians have a long history of disrupting such organizations. The Communist Party did so as it took control of the nation after World War I. The Soviet Union used the strategy in Eastern Europe after World War II.
In Iron Curtain, Anne Applebaum describes how, as the war was ending, the Soviet NKVD trained secret police, who went to work in the interior ministries of their respective countries, carefully targeting political enemies. The Soviets also trained Polish, Czech, and East German communists in camps set up for that purpose. These trusted operatives took over their countries’ radio stations, controlling news broadcasts. From there they moved on to controlling political parties, church groups, even scouting organizations — groups that form the heart of civil society. Once in control, the operatives replaced these entities with communist organizations. Youth groups were a particular focus. Then came arrests of political opponents, journalists, show trials, and forced movements of peoples. The deliberate destruction of native civil society underpinned it all. Within a few years, the Soviet Union effectively controlled the governments of the Eastern Bloc.
With the intention of weakening nations it sees as a threat, Russia is taking aim at civil society in Western democracies. On one level, this should not be surprising. One motive for interference in the U.S. presidential election concerns Putin’s extreme dislike of Hillary Clinton — and his desire to undercut her expected presidency. But that’s a small bit of a larger story. Many in the West saw the 1991 breakup of the Soviet empire as an opportunity for democracy in Russia and the nations on its periphery. Their response was to aid democratization efforts. Western reporters went to the newly organized states; Western NGOs went east to help establish the institutions of civil society. But where Western allies saw themselves supporting democratic processes in the new states, Moscow saw the efforts as isolating Russia and threatening its security. The Balkan wars of the 1990s contributed to this perspective. While NATO viewed its bombing of Bosnian Serbs as a moral act of protecting Muslims against genocide, Moscow considered the NATO action illegal because the bombing had not been approved by the U.N. Security Council (where Russia would have vetoed any such resolution).
As the “color revolutions” later proceeded across then-Czechoslovakia, Georgia, and Ukraine, the West saw democratic uprisings against repressive regimes. Moscow saw the United States and others in the West conspiring against Russian security and government stability. Russian leadership feared that a revolution could occur in Russia itself. Massive government corruption — the reason Karen Dawisha labels the regime “Putin’s kleptocracy” — is why Russian leaders fear the open press and civil society institutions the U.S. government has traditionally supported around the world.
Russia decided to act to protect itself. In 2013, Russia’s chief of general staff, Valery Gerasimov, put forth a strategy of blurring the line between war and peace. U.S. Marine Gen. Robert Neller, who studied Gerasimov’s strategy, described it as “fighting a war without fighting a war.”
Cyberwarfare was Russia’s preferred tool. “Soft power,” Joseph Nye’s theory explaining how a nation uses attraction and persuasion to influence rather than military force, played an important part in the U.S. victory in the Cold War. Nye recently noted that Russia’s version of soft power — pushing nationalism and state sovereignty — has not been persuasive. So Russia has gone in the opposite direction, using what Nye calls “negative soft power,” employing information warfare to disempower enemies.
The Russians are masters at hacking civil society. This year, the Citizen Lab at the University of Toronto uncovered an elaborate hacking incident in which disinformatzia and maskirovka — disinformation and deception — were used to modify stolen documents to undermine the Russian public’s trust in their own civil society. Hackers went after a draft report by American journalist David Satter on Radio Liberty’s investigative reporting effort. (Radio Liberty is a U.S. government-funded broadcast outlet founded during the Cold War that reports news in nations where a free press is banned.)
The Citizen Lab study, “Tainted Leaks: Disinformation and Phishing With a Russian Nexus,” describes how hackers stole the Satter report, doctored it to appear that Russian anti-corruption activists were being funded by the United States, and then published the doctored document on Russian sites. Using “facts” from the falsified report, state media wrote about a CIA-based plot to start a revolution against the government. The feint worked as expected: Anti-corruption activists’ reports of corruption in Putin’s inner circle were discredited.
Citizen Lab discovered similar hacking efforts against the usual suspects: government officials in countries of interest, diplomats and their families, economic targets (such as senior members of the oil, gas, mining, and finance industries of the former Soviet states), and military personnel of foreign nations. But the most interesting group of targets was within Russia: civil society academics, activists, journalists, and representatives of NGOs who were shedding light on Russian government activities. Those seen as a threat to the Putin regime were specifically targeted.
One was Alexei Navalny, who heads the Anti-Corruption Foundation, an NGO that investigates and exposes high-level corruption in Russia. Russian hackers sought to smear him. Hackers broke into the systems of George Soros’s Open Society Foundations — an organization banned in Russia — and posted stolen documents on CyberBerkut and DC Leaks (the latter, a website devoted to publishing leaked documents of U.S. military and government officials, is believed to be run by Russian intelligence). In a somewhat careless turn of events, the posted documents didn’t match: The version on CyberBerkut showed Navalny receiving funds from Open Society; the untainted version on DC Leaks did not. Navalny and Open Society say the CyberBerkut documents have been falsified. But innuendo, even when the allegations are proved to be false, has a way of sticking in people’s minds and affecting public opinion.
The “Tainted Leaks” report lacks a smoking gun directly connecting the Russian government to the hacks and subsequent data modification and posting. But that’s also no surprise. Russia uses proxy actors to conduct its dirty work in this domain. Establishing a connection between the government and the actions described in “Tainted Leaks” requires the resources and capabilities of a signals intelligence organization, which Citizen Lab is not. Still, the report presents convincing evidence that the Russian government is involved in the attacks described.
By the time Gerasimov’s strategy was made public, Russia had already begun using cyberweapons offensively, encouraging — or at least tolerating — citizens attacking websites in Estonia in 2007, when the government removed a Red Army memorial from its capital, and in Georgia in 2008, when tensions erupted in a brief war. Russian websites offered advice and encouragement on how to attack sites in the other nations.
Russia needed to gear up for action under the Gerasimov doctrine. It’s apparently been doing so. The New York Times reported late last year that since 2013 the Russian Defense Ministry has been hunting for coders and is willing to hire even those with previous involvement in criminal activities. Nearly every government in the world has interest in acquiring cyberoffensive expertise. But how is such expertise deployed? U.S. military doctrine does not allow deliberate targeting of civilian artifacts. Experience indicates that Russia’s strategy is to directly aim at these targets.
***
The implications for democracy are vaster than generally acknowledged. Reports on interference in the U.S. election focused on whether tallies had been tampered with (it seems unlikely). But the Russians also sought and obtained access to voter registration lists.
Manipulating vote tallies might seem more disruptive. But that presumption misunderstands the nature of what’s at stake. Disenfranchising voters destroys people’s trust, and that has an arguably more deleterious effect on a democracy than manipulating a vote tally would. It is an excellent way to subvert a democracy. The New York Times reported this month on anomalies with the lists in some key voting districts. Voting and voter registration are controlled by the states and are not a federal issue; the Times stated that U.S. intelligence agencies did not appear to have investigated whether Russians had tampered with voter registration lists.
But Russia is emboldened by its success in 2016. As former National Security Agency Deputy Director Richard Ledgett observed in an interview this year, “Nothing that happened since 2016 to them [the Russians], I believe, provides them any disincentive to do it again.” Tactics Moscow uses against Russian civil society organizations are likely to be used against Western organizations. And such attacks could become increasingly damaging.
The internet and digital systems make some destructive deceptions remarkably easy. Once inside an adversary’s system, an attacker not only could steal contents from or destroy the system but also could modify data on the system. It’s likely that operatives may try a favorite Russian method: kompromat, or using compromising material to tarnish a rival. This can make it more complicated for those who have been hacked to refute apparent evidence — and for organizations to even discover that their information has been changed.
Consider the potential implications: Will a journalist know if an email from a source has been slightly changed, perhaps making the source’s account of an issue inaccurate? Or if an AFL-CIO report on, say, factory wages in Wisconsin is off because the data in the union’s computers has been modified? Or if the sources for a recommendation from the American Cancer Society turn out not to exist because the final version of a document was doctored? There are few limits to the ways a technically sophisticated adversary, once in a system, can alter an organization’s information.
Russian attacks on Western civil infrastructure have already happened. In 2015, TV5Monde, a 12-channel network that is France’s equivalent of the BBC, was off the air for three hours after a cyberattack. A fast-thinking technician disconnected a problematic server and prevented the attack from being much more severe. While the station was off the air, its Facebook page was hacked to display the identity cards and résumés of relatives of French soldiers participating in efforts to fight the Islamic State. The attackers claimed to be from the “Cyber Caliphate,” but no such organization is known to exist.
The attack was traced to Russian hackers — but not linked to a government operative. A solicitation of this sort is unlikely to be done in ways that leave electronic fingerprints. The level of resources devoted to the attack was particularly interesting. Much like the 2015 cyberattack that shut down three power distribution companies in western Ukraine, the attackers of TV5Monde had conducted extensive reconnaissance and testing. The technical aspects of the strike were worked out beforehand. Motivations have not yet become public, but the current guess is that the culprit was practicing for a future attack against a different opponent.
***
This is a new type of warfare. At some level, of course, disrupting another nation’s civil infrastructure during peacetime is not new. Whether seeking to influence the public for better trade deals or planting stories to influence elections, many nations — including the United States — have acted similarly in the past. What has changed is the scale of the effort. The internet and the digital revolution enable a vast increase in scale at low cost. There’s a consequent difference in the type of disruption that Russia, or any other nation with technically sophisticated capabilities, can cause. What happened with the U.S. presidential election last year and similar Russian efforts in the French presidential election this year reflect a new normal. And the West is largely unprepared for this war.
Because civil society organizations are critical to the function of democracies and tend to be poorly secured, they are particularly ripe targets in such a war. Security investment depends on the type of threats entities expect. Certain organizations — including ones likely to be targets of domestic adversaries (think Planned Parenthood or the Southern Poverty Law Center) — have undoubtedly invested in serious cyberprotections. Those groups can probably defend against a determined civil opponent who objects to their aims. But these organizations could not withstand an attack from a technologically sophisticated adversary with the capabilities of a state behind it.
And other groups are in significantly worse shape. Most civil society groups are small; almost all have low budgets. What kind of cyberthreat could the Audubon Society, the League of Women Voters, or the National Association of Biology Teachers expect? Civil society groups, like other organizations, should incorporate good cyberpractices: two-factor authentication for access to systems and email, default encryption for files on the system, and secure backup. Such protections will work against run-of-the-mill hackers using packaged tools. But they’ll have minimal impact against a determined adversary armed with the resources of a sophisticated nation-state.
Organizations can also take security steps beyond basic good digital practices. For example, after Sony Pictures Entertainment was hacked in 2015, employees realized that certain communications are best if they are ephemeral rather than immortalized in digital media. In other words, they rediscovered the telephone. In the aftermath of the 2016 election, Barack Obama, Hillary Clinton, and Donald Trump staffers began using Signal, a communications app providing “end-to-end encryption,” thwarting theft of mail and, as a side benefit, eavesdroppers. The Senate sergeant-at-arms approved Signal for Senate staff use this year as well. Adopting these changes improved security. (Russian attacks on wide swaths of society provide a strong argument why U.S. security depends on broad use of end-to-end encryption.) If an organization is willing to sacrifice convenience and efficiency — not having, say, all information at one’s fingertips at all times — then there are additional ways to secure data (see, for example, Jonathan Zittrain’s Lawfare post).
A more fundamental change will be critical for civil society groups: It involves fully understanding what business they are in and what constitutes their most serious threat. Such analysis may appear obvious. But such clarity wasn’t easy for Sony. Before it was hacked, the company acted as if it were in the movie business. All movies are digital, though, and the company’s value was in the bits it produced. Sony learned its lesson. Many organizations, civil society and otherwise, have not yet realized that their main assets are digital.
For some civil society organizations, protecting the privacy of their members’ records will be most important (think NAACP v. Alabama, a 1958 Supreme Court case fought over whether the organization had to release its membership rolls to the state; the court ruled that it did not). For others, the integrity of information they provide the public will be their most important asset; such entities and groups must determine how to protect that data and how to respond if such information is compromised. Understanding what information is most at risk within an organization is a first step toward protecting it. Equally critical is having a plan for what happens if that information is stolen or modified. In the end, no organization is safe from cyberattack by a really determined adversary. Organizations must assume they will be attacked and prepare accordingly. The cost of attacks should be commensurate with value; few adversaries will go to the expense and effort, say, of the attack against the Iranian nuclear facility in Natanz.
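One concrete way for an organization to discover the silent modification of its own records described earlier, and to have an authentic baseline to point to when a doctored version circulates (as with the mismatched document copies in the Navalny case), is to keep a signed manifest of document hashes and re-check files against it. This is an added example, not code from the article or any organization it names; the file names, contents and signing key are constructed, and the key is assumed to be stored offline so an intruder on the server cannot re-sign an altered manifest.

```python
import hashlib
import hmac
import json

# Constructed sample: the organization's authentic files, a tampered copy,
# and a signing key that is assumed to live offline (hypothetical values).
SIGNING_KEY = b"example-offline-manifest-key"

AUTHENTIC_DOCS = {
    "grant_report_2017.txt": b"Grant recipients: none outside the stated program.\n",
    "board_minutes_05.txt": b"Motion to publish the corruption findings: approved.\n",
}

# The same files as later found on the server; one line has been altered.
TAMPERED_DOCS = dict(AUTHENTIC_DOCS)
TAMPERED_DOCS["grant_report_2017.txt"] = (
    b"Grant recipients: Example Foundation, USD 250,000.\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(docs: dict) -> dict:
    """Map each document name to the SHA-256 of its contents."""
    return {name: sha256_hex(body) for name, body in sorted(docs.items())}


def canonical_bytes(manifest: dict) -> bytes:
    # Fixed key order and separators so an identical manifest always MACs identically.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest; forging it requires the offline key."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def audit(docs: dict, manifest: dict, tag: str, key: bytes) -> dict:
    """Compare live files against the signed manifest.

    Reports whether the manifest itself is authentic and which files were
    modified, removed, or added since it was signed.
    """
    result = {"manifest_ok": verify_manifest(manifest, tag, key),
              "modified": [], "missing": [], "unexpected": []}
    if not result["manifest_ok"]:
        return result  # an altered or unsigned manifest proves nothing
    current = build_manifest(docs)
    for name, digest in manifest.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name] != digest:
            result["modified"].append(name)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    manifest = build_manifest(AUTHENTIC_DOCS)
    tag = sign_manifest(manifest, SIGNING_KEY)
    return {
        "clean": audit(AUTHENTIC_DOCS, manifest, tag, SIGNING_KEY),
        "tampered": audit(TAMPERED_DOCS, manifest, tag, SIGNING_KEY),
        # An intruder who rewrites the manifest to match the doctored file
        # still cannot produce a valid tag without the offline key.
        "forged_manifest": audit(TAMPERED_DOCS, build_manifest(TAMPERED_DOCS), tag, SIGNING_KEY),
    }


if __name__ == "__main__":
    for case, report in demo().items():
        print(case, report)
```

The audit only detects changes; the response plan the text calls for (which authentic copy to publish, whom to notify) still has to exist before the modification is found.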
As Juliette Kayyem observes in Security Mom, developing resilience is key. That hasn’t fully been figured out. The campaign of then-French presidential candidate Emmanuel Macron went on a counteroffensive as staffers saw Russian attempts to get into the campaign’s computer accounts. They created false email accounts, fake documents, and spurious emails. When the inevitable document dump occurred in the final days before the election, the published material was full of verifiably false documents. The information release didn’t have the same impact on the French electorate as the publication of Democratic National Committee emails and messages from Clinton campaign chairman John Podesta did in the United States. (It also helped that French law requires a news blackout in the two days preceding the election.) That’s one form of resilience. It was effective. But such strategies are not always possible or plausible.
Bots — small programs performing repetitive tasks — amplifying so-called fake news played a large role in the U.S. election campaign; how to diminish their impact is still being studied. The problem facing civil society organizations is more complex, both technically and sociologically. Most organizations simply do not have the resources to protect themselves.
***
At the moment, the United States and other Western nations appear outgunned. That is not necessarily because Russia’s technical capabilities are better. Rather, it’s because of Russia’s willingness to deploy cyberweapons against civilian infrastructure during a time of “peace”; the United States and its allies have so far not been willing to respond in kind. With the threat of Russian cyberattacks unlikely to diminish anytime soon, and in the absence of credible response, threats against Western civil society organizations are likely to grow.
Nonetheless, this situation isn’t quite checkmate. For one thing, the economies of the United States and other Western nations dwarf Russia’s. What about serious sanctions? These would affect Russia far more than the United States. There are other tools, too, including cybercapabilities, that nations can employ. The United States largely tied its own hands last fall even after the federal government realized the extent of Russian attacks. As the investigation into Russian hacking proceeded, the mood in Washington changed. As the potential for future Russian interference has become clearer, what should the response be? Should the United States and other nations change their stance regarding willingness to attack civilian targets? Do the Russian attacks, and the likelihood of more of the same, change the U.S. government’s willingness to negotiate on the use of cyber-exploits?
Democracies don’t work without a vibrant civil society. It’s unlikely that purely technical responses to Russian mischief against Western civil society organizations will suffice. Nonetheless, until diplomatic solutions exist for this critical problem, agreed upon by adversaries who fully comprehend the damage that each can visit upon the other, civil society organizations must use all technical means possible to protect themselves. This may require a change in government posture and organizations’ response, with an increased government effort in providing security solutions for the private sector. But securing civil society organizations is crucial. Anything less threatens democracy itself.
This piece was republished from Foreign Policy.