The Russians are coming. What are we going to do about it?
A year and a half past the 2016 U.S. presidential election, it’s clear that we are not paying sufficient attention to Russian efforts in “hybrid warfare.” Such warfare is a combination of information operations (much like the ones employed during the U.S. presidential election), cyber operations (such as have been carried out against Ukraine), using proxies to accomplish goals (examples include far-right groups in the Netherlands who engineered a public referendum on a trade treaty with Ukraine), undue economic and political influence, and clandestine measures. Russia used such tactics during the Cold War, of course. But in recent testimony to the Senate Armed Services Committee, Christopher Chivvis demonstrated how Russian hybrid warfare tactics are now far greater in scope. Modern communications technologies simplify Russian efforts, enabling penetration not only into other nations’ businesses and governments, but also into the heart of their democratic processes.
Last month, when he was still national security adviser, Lt. Gen. H.R. McMaster called this a “critical time,” adding that, “Russia brazenly and implausibly denies its actions, and we have failed to impose sufficient costs.” Natalie Laing, deputy director of operations at the NSA, recently said that the U.S. currently lacks “the political fortitude to say how we’ll strike back.” In failing to adequately respond to the risks, we are increasingly putting ourselves in danger.
In 2013, Russia’s chief of the general staff, Valery Gerasimov, described a new form of conflict that he saw as blurring the line between war and peace. Gerasimov’s description reflected Russian frustration and fear over what it viewed as encirclement by liberal democracies as they helped democratize former satellite countries on Russia’s western flank—and, in some cases, enabled them to join NATO. We all know how Russia responded in the years after Gerasimov’s comments: the annexation of Crimea, the military attacks on Ukraine, the information warfare campaign conducted during the 2016 U.S. presidential election, etc.
Now there are new words from Gerasimov. In a recent speech outlining the military’s high-tech plans, Gerasimov stated that economic and non-military government targets would be fair game in this new form of war. Note those words. Targeting civilian infrastructures is not a new war-fighting strategy. But then tie them together with other Russian actions of the last half decade.
The targets? A recent Senate Foreign Relations Committee minority report lists nineteen nations—Bulgaria, Denmark, Estonia, Finland, France, Georgia, Germany, Hungary, Italy, Latvia, Lithuania, Montenegro, the Netherlands, Norway, Serbia, Spain, Sweden, Ukraine and the U.K.—in addition to the United States.
I want to focus here not on the (lack of an appropriate) U.S. response to Russian aggression, but on cybersecurity and resilience. And so I turn to Ukraine, Russia’s apparent test lab for hybrid warfare and, in particular, cyber attacks.
In 2015 attacks on three power distribution systems in western Ukraine shut off electricity to a quarter million people. The attack began as such attacks do: spear-phishing emails with malware hidden inside attachments were sent to company workers in several Ukrainian power distribution companies. Once recipients opened the attachments, hackers obtained access to the companies’ business networks and acquired credentials that enabled them to connect to the power-distribution networks. Probing those networks, the attackers brought home information about their configurations and then began to experiment.
That’s where the attackers’ skills became evident. Each of the three power distribution networks worked slightly differently, but when the systems were brought down in December 2015, somehow all three failed within minutes of each other. There was more: Having disconnected at least twenty-seven substations, the hackers “bricked” devices that would have allowed the grid operators to use online tools to bring substations back to life. And then the hackers took out backup power supplies to two of the power distribution centers, so that operators were literally working in the dark.
The attackers had developed custom attacks, undoubtedly using a well-equipped lab where they tested methods for bringing down the power-distribution systems. That, plus the particular software used in the attack, points to Russian involvement. Western intelligence services have little doubt that this action was supported by the Russian government.
It was the first of a series of serious cyber attacks that Ukraine was to suffer. The next big one to hit the press was NotPetya. Cleverly disguised as an update to tax-filing software used across Ukraine, the malware quickly spread across the country on June 27, 2017, the day before a national holiday celebrating the approval of the Ukrainian constitution. ATMs stopped working; computers at the Chernobyl nuclear plant failed, leaving workers to monitor radiation levels by hand; systems at the post office and various Ukrainian ministries froze. Government workers resorted to pen and paper.
The attack spread past Ukraine’s borders—Maersk, the Danish container shipping company, and Merck, the U.S. drug company, were among the many non-Ukrainian organizations affected. But these companies seemed to be collateral damage. The focus of the attack was clearly Ukraine, formerly a part of the Russian empire and now trying to face West. The attack was part and parcel of what Ukraine has been experiencing over the last several years. In December 2016, Ukrainian President Petro Poroshenko claimed the country had suffered 6,500 separate attacks in the previous two months.
The Russian government feels threatened by Western democracies, both directly through sanctions and indirectly because free press and civil liberties expose Russian government corruption. The Senate Foreign Relations Committee minority report observed that Putin
has made it a priority … to attack the democracies of Europe and the United States … He has used the security services, the media, public and private companies, organized criminal groups, and social and religious organizations to spread malicious disinformation, interfere in elections, fuel corruption, threaten energy security, and more.