Dealing with Russia's brazenness in cyber space
Western governments recently attributed to Russia a massive cyber-attack against Georgia. In this and other situations, the brazenness of the attack was seemingly a goal in itself. But Russia is not the only cyber threat. Structural political incentives for better security practices and international solidarity and assistance are needed.
Originally published on balcanicaucaso.org
This is the case not only because Russia and Georgia have been entangled in conflict for a long time, but also because Russia has apparently been willing to use cyber attacks against its neighbours at least since the mid 2000s, or for as long as the Internet has been widespread in these countries. Major examples include attacks against Estonia in 2007, against Georgia in 2008, and against Ukraine on multiple occasions since 2014 (see in particular this book chapter by Piret Pernik for more details). Even if evidence is not conclusive in each of these cases, some (or a lot of) evidence exists in all of them; consistent, alternative explanations not involving Russian actors are hard to come by.
Needless to say, many other countries have engaged in cyber espionage and cyber attacks; as Nicu Popescu put it, “that Russia is very active in cyber espionage should be a source of concern, but certainly not indignation”. And yet, there is reason to be particularly concerned about Russia’s behaviour in cyber space.
Russia is different
Two elements make Russia’s approach stand out: its willingness to conduct attacks that are very public, and its readiness to use cyber tools to damage physical infrastructure or have direct consequences offline. Both violate unspoken rules that have characterised - with few exceptions - activity by state actors in cyber space. For example, China has long engaged in cyber espionage against economic and political actors in the West, but has used exfiltrated materials in more traditional fashions: to give advantage to its own domestic economic actors and for intelligence gathering. It has not used them to hijack the political conversation by publicly embarrassing political actors in other countries, as Russia has done in the case of the US Democrats at the time of the 2016 presidential elections.
The US did conduct targeted cyber attacks against physical infrastructure, most famously (with Israel’s cooperation) against Iran’s nuclear enrichment facilities with its Stuxnet worm, but efforts were taken to minimise side effects. By contrast, for example, a Russian cyber attack has caused partial shutdowns of the Ukrainian electric grid, intentionally leaving hundreds of thousands of civilians in the dark. Intentionally or not, the NotPetya malware - attributed to Russia, more details about it below - has caused damage around the world on the order of billions of dollars, disrupting airports, logistics, and even hospitals: it was never meant to remain secret. In contrast, even the US global espionage programme exposed by Edward Snowden was meant to remain secret, and indeed may have remained unknown to the public if not for this single whistleblower.
In the case of at least some of Russia’s attacks, the brazenness of such actions and the implausible deniability that followed were likely the main point of the attacks. Demonstrating its own offensive capabilities, and its willingness to use them without much concern for the consequences, is likely the main goal of actions such as the cyber attack against Georgia in October 2019.
Who is to blame, however, is only part of the problem, and the more pertinent question may be what to do in order to mitigate the risk that such events happen again. Finding ways to dissuade the perpetrator as well as to work on the vulnerabilities that made the attack possible are both important and necessary. Let’s look at both aspects, starting from a basic question: is it really Russia?
Is it really Russia?
As long as the question refers to some of the most well known scandals such as the ones mentioned above, the answer is most likely a resounding “yes”. Trusting the intelligence services of countries such as the US and the UK may well be difficult for independently-minded international observers; after all, these are the same organisations and governments that legitimised the invasion of Iraq in 2003 with false claims about weapons of mass destruction in that country.
Luckily, in many cases of cyber attacks our trust in intelligence services does not need to be complete. This is perhaps most evident in the case of “NotPetya”, a malware that encrypted and made unserviceable computer systems across continents. The story of the malware has been told in detail in highly readable pieces, as well as in a dedicated book, by Wired journalist Andy Greenberg. As the malware itself reached computer systems throughout the world, cyber-security experts from across the globe could analyse its code and technical features. As detailed in an early BBC feature on the subject, it soon became apparent that such an attack took a lot of preparation, and that, even if it resembled ransomware, it was not made for profit. It was initially distributed through a Ukrainian accounting software used across all business sectors: it was initially targeted at companies operating their business in Ukraine, and it reached the rest of the world through the Ukrainian branches of international companies. ESET, a security company that has worked directly on both the attacks on the Ukrainian cyber-grid and on NotPetya, found distinct features tying together the different attacks. Attribution is a political act, and security companies prefer to refrain from giving conclusive responses about who is to blame. But they provide abundant evidence that may corroborate or disprove attribution by state actors. In brief, if governments made attributions based purely on political motives, they would run the risk of being publicly proved wrong by private companies and experts working on cyber security.
Finally, there are cases when Russian operatives have been caught red-handed. For example, in October 2018 four members of the Russian security services who flew to the Netherlands with Russian diplomatic passports were caught as they approached the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague with advanced cyber-intrusion tools, stacks of cash, and other evidence confirming their affiliation with Russian secret services. In a previous operation, as Russian security services were busy hacking into the server of the U.S. Democrats, they were being observed by Dutch intelligence. In brief, official attribution may well be a political act, but the Russian government has repeatedly given good reasons to reserve a top spot for Russia in any investigation into a cyber attack likely to involve a state actor.
Difficult deterrence
In outlining the UK’s potential responses to the threat of a Russian cyber-attack, Thornton and Miron of King’s College London seem to conclude there is no convincing cyber deterrence option on the table. The UK was the first Western country to proclaim publicly its ability to conduct offensive cyber operations, and it may indeed have such capabilities. But without concrete evidence, the credibility of such claims remains limited… which is part of the reason why Russia has been conducting such brazen attacks in the past: its offensive actions may well be officially denied, but its cyber-capabilities are now well known.
Reprisals would likely be both unlawful and immoral; if, for example, a cyber attack disrupting the electricity network of a country could be convincingly attributed to Russia, this could hardly justify launching a similar attack against Russia, as such an operation would ultimately be against the civilian population and may have a substantial human cost. Proportionality would be an issue, as cyber attacks such as NotPetya may cause a lot of unintended consequences, well beyond the intention and control of those who initiated the operation. The risk of escalation would also make them exceptionally dangerous.
Politics needed
Deterrence-by-denial, basically demonstrating that a potential attack would simply not achieve its intended result, seems better. In traditional warfare, this would partly correspond to having an anti-missile system that would make sure any rocket attack is bound to fail. But the military metaphor is misleading, as cyber security cannot be guaranteed by some sort of external shield: while the media buzz may focus on state actors, they do not represent the most common cyber-security threat for most people and organisations. Besides, it is important to highlight that centralised cyber security solutions at state level cannot possibly work: good cyber security practices must be implemented by companies, service providers, and individuals. All of them should be given incentives to do so, as limited awareness of the risks makes people and organisations more risk-prone than they would normally be. Such initiatives would mitigate the threat and reduce the vulnerability, even if they of course cannot make the issue of cyber security disappear.
Political responses are no easier than technical ones, but they are no less needed: deterrence should probably rely more on multilateral initiatives, such as the European Union cyber diplomacy toolbox, than on demonstrating offensive or defensive capabilities. A degree of collective agency and solidarity is needed to make sure that parties that are at the receiving end of cyber-attacks are not left to deal with them on their own. In the current context, focused assistance from the EU to the Eastern Partnership would not be out of place, also considering the detrimental impact that poor cyber security practices can have on trust in institutions and democratic processes.
And finally, what about Russia? Establishing active dialogue with Russia may be difficult as long as the Kremlin insists on denying any responsibility for such events, but all efforts should be made to ensure there are open communication channels to reduce the risk of escalation. More transparency by all those involved and public sharing of evidence to the extent that is possible would increase trust in attribution.
Ultimately, however, this remains a case when defense may actually be the best defense. Solidarity and assistance between states, accompanied by incentives for private actors to contribute to the common good by adopting better cyber security practices, are both important to have a more secure cyber space.