The Cyber Crucible: Eastern Europe, Russia, and the Development of Modern Warfare
Wesley P. White
This is a reprint of Chapter 9 from Perceptions Are Reality: Historical Case Studies of Information Operations in Large-Scale Combat Operations, part of The Large-Scale Combat Operations Series.
The United States Army is unequivocal in its belief in the importance of cyberspace. The first paragraph in Field Manual (FM) 3-12, Cyberspace and Electronic Warfare Operations, states that superiority through indirect means (either through cyberspace operations or other electronic warfare) is decidedly advantageous to all commanders at all levels, and that these indirect means will serve as a critical component to future land operations.1 Though the US Army has recognized the importance of the cyber domain in conflicts going forward, the Russian Federation has delivered a masterclass on the development and integration of cyber capabilities into modern conflicts and seems wholly invested in the idea of cyberspace operations and other indirect actions being a primary means of force projection, rather than a useful (or necessary) pairing with traditional kinetic forces.
In February 2013, General Valery Gerasimov, Russia's Chief of the General Staff (comparable to the US Chairman of the Joint Chiefs of Staff), published an article titled "The Value of Science is in the Foresight," in the weekly Russian trade paper Military-Industrial Kurier. In it, Gerasimov suggested that the "very 'rules of war' have changed," and that in many cases, nonmilitary means have exceeded the power and force of weapons in their ability to effect change on the international stage.2 Gerasimov argues that new technologies have reduced gaps between traditional forces and their command and control, though also noting that "frontal engagements of large formations of forces at the strategic and operational level are gradually becoming a thing of the past."3 The future, Gerasimov suggests, lies in "contactless actions"—made through cyber or other electronic means—being used as the main means of military or intelligence goals. This belief—that traditional military interactions are giving way to newer and subjectively more effective indirect interactions via computers and electronics—has been dubbed by some as the Gerasimov Doctrine.4
The timing of the release and publication of the Gerasimov Doctrine is important. Closely after the release of Gerasimov's article, Russia invaded Ukraine with both tanks and malware. The Russian digital incursion into Ukrainian networks, in tandem with a physical military assault, was something the Russian Federation had been practicing for almost a decade. Targeting Estonia in 2007, Georgia in 2008, and eventually Ukraine in 2014, these attacks used cyber effects, more traditional effects (with mechanized ground units, troops on the ground, and aircraft), or a combination of both. In each of the three instances, Russian force escalated in both scope and complexity. Russia has set forth the blueprint for the training and development of an effective cyber corps, and broadcast to the world how it has effectively integrated cyber operations with traditional large-scale military maneuvers. Moreover, Russia is making it known how they perceive the place of cyber, and other indirect forms of conflict, as shapers of policy.
From a military perspective, Russia's crawl-walk-run progression of cyber operations—enacted through casual disregard for international norms and standards of conduct—has enabled it to develop its cyber corps through real world cyberspace missions. Russian cyber operators have worked in tandem with Russian military operations to find the most effective ways to integrate cyber effects into more traditional military battlespace. This invaluable experience, unable to be fully recreated in training laboratories and exercises, affords Russia the dual abilities of both shaping and better understanding the battlefield of the future.
Understanding the Terms
Before considering how cyber operations fit into the current understanding of battlespace, one must ensure that he or she understands at least the definitions of baseline concepts within the cyber domain.
First, this chapter will eschew the term "hacker." "Hacker" is a loaded, ill-defined word; its position as a ubiquitous catch-all for bad actors "on the internet" necessarily means it should be excluded from a more granular discussion of cyberspace operational development. Because the concepts dealt with herein concern nations and nation-states, the term "attacker" is more appropriate. There are two types of actions to delineate for the purposes of this chapter: cyber-attack and cyber-warfare. A cyber-attack must aim to undermine the function of a computer or computer network and must have a political or national security purpose.5 A generic end user being infected with malware from a bad website is not a cyber-attack. Further, either state or non-state actors may propagate a cyber-attack. Richard A. Clarke, former member of the US National Security Council, defines cyber-attacks as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption,"6 and Michael Hayden, former Director of the National Security Agency, describes cyber-attacks similarly as a "deliberate attempt to disable or destroy another country's computer networks."7
At a larger, purely nation-to-nation scale is cyber-warfare. Cyber-warfare will always also meet the benchmarks of a cyber-attack, though not all cyber-attacks are cyber-warfare. A cyber-attack rises to the level of cyber-warfare—that is, the "level of an armed attack justifying self-defense under Article 51 of the U.N. Charter"—when the attack results in physical destruction comparable to a conventional, kinetic effect.8 If an attacker launches a denial-of-service attack against a telecommunications provider or datacenter, for instance, this would not rise beyond the definition of cyber-attack; however, if the attacker unleashes malware which destroys stored data, device firmware, or information back-ups, those events would be more in line with "cyber-warfare."
With that said, where else should the Gerasimov Doctrine—a doctrine of increased belligerence and warfare through indirect means and "contactless actions"—be eventually aimed but at the North Atlantic Treaty Organization (NATO), Russia's trans-Atlantic menace which too often stands in the way of Moscow's Russo-centric policies?
NATO is based on the concept of collective defense that enhances its strategy of deterrence. Through formal agreements and long-standing and extensive collaboration, NATO sends a strong signal that member states will stand together in the face of threats to deter aggression against its members. NATO exists to preserve the peace and to make sure that changes to the status quo in Europe occur through political processes that lead to the spread of democracy, the rule of law, and adherence to international norms.
To achieve its varied Russo-centric objectives, Russia opted for a course of action aimed not at defeating NATO, but at defeating NATO's strategy. By presenting the Western alliance with actions that produce minimal death and initially minor physical destruction, Russia has attempted to shift the responsibility of escalation onto NATO, attempting to goad the defensive alliance into launching a pre-emptive attack in order to keep the status quo.9 If, through ambiguously legal actions, Russia could goad NATO (or simply a NATO-aligned country) into a traditional, military response, Russia could claim to be the wronged, vulnerable defender now suffering an act of aggression—merely because there is no concrete international understanding of when and where a military response is appropriate for a cyber-attack.
The Russian attack on Estonia was a two-phase offensive. Initially, the attackers engaged in little more than electronic vandalism, such as hacking into the website of the political party that led Estonia's coalition government. On the website, the attackers posted a fake letter of apology from Prime Minister Andrus Ansip, who had overseen moving the Bronze Soldier, a controversial Soviet World War II war memorial. In the second phase, the attacks escalated into a full-scale campaign. The aim was to overload Estonia's computer servers with massive volumes of message traffic causing them to crash, leveraging bot-nets—large networks of computers which have been taken over by malware and which are controlled from one or more central locations—to bombard the targeted Estonian systems with millions of fake messages. Some estimates suggest that one million computers were co-opted or otherwise employed globally for this Distributed Denial of Service (DDoS) onslaught on the servers of a country of 1.3 million inhabitants.10
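The paragraph above describes the defining feature of the Estonian DDoS campaign: traffic from a very large number of co-opted machines, each contributing only a modest share of the flood. The following is an added example, not code from the chapter or from any of the organizations it discusses, showing from the defender's side why that matters. It builds a constructed access log (normal traffic followed by a simulated botnet flood) and runs a fixed-window detector over it; the log format, addresses, and thresholds are all assumptions for illustration. The point it demonstrates is that a per-source rate limit never fires, because no single bot is noisy, while an aggregate-rate plus distinct-source check catches the flood.

```python
"""Fixed-window request-flood detector over a constructed web access log.

Added example (not from the chapter). Log line format is an assumption:
"<epoch_seconds> <source_ip> <path>". Addresses come from the RFC 5737
documentation ranges and are constructed, not observed traffic.
"""
from collections import defaultdict


def make_sample_log(single_source=False):
    """Build a constructed log: 60 s of normal traffic, then 30 s of flood.

    With single_source=False the flood comes from 200 bots at 1 request/s each
    (the botnet pattern). With single_source=True it comes from one host at
    200 requests/s, so both detection paths can be exercised.
    """
    lines = []
    # Normal period: 5 legitimate clients, 2 requests per second each.
    for t in range(0, 60):
        for c in range(5):
            for _ in range(2):
                lines.append(f"{t} 198.51.100.{c + 1} /index.html")
    # Flood period: same total rate either way (200 requests per second).
    for t in range(60, 90):
        for b in range(200):
            ip = "203.0.113.1" if single_source else f"203.0.113.{b + 1}"
            lines.append(f"{t} {ip} /login")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, source_ip, path)."""
    ts, ip, path = line.split(" ", 2)
    return int(ts), ip, path


def bucket_by_window(lines, window):
    """Group requests into fixed windows: {window_start: {source_ip: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip, _ = parse_line(line)
        buckets[(ts // window) * window][ip] += 1
    return buckets


def classify_windows(lines, window=10, per_source_threshold=50,
                     aggregate_threshold=500, min_sources=50):
    """Return [(window_start, total_requests, distinct_sources, verdict)].

    Verdicts: "single-source flood" if any one source exceeds the per-source
    threshold; "distributed flood" if the aggregate rate is high AND the
    request volume is spread across many sources; otherwise "normal".
    """
    verdicts = []
    for start in sorted(bucket_by_window(lines, window)):
        counts = bucket_by_window(lines, window)[start]
        total = sum(counts.values())
        sources = len(counts)
        hot = [ip for ip, n in counts.items() if n > per_source_threshold]
        if hot:
            verdict = "single-source flood"
        elif total > aggregate_threshold and sources >= min_sources:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        verdicts.append((start, total, sources, verdict))
    return verdicts


def per_source_only(lines, window=10, per_source_threshold=50):
    """What a naive per-IP rate limiter would block: the set of offending IPs.

    Against the botnet-style log this returns an empty set, because each bot
    stays under the per-source threshold in every window.
    """
    blocked = set()
    for counts in bucket_by_window(lines, window).values():
        blocked.update(ip for ip, n in counts.items() if n > per_source_threshold)
    return blocked


if __name__ == "__main__":
    for name, log in (("botnet", make_sample_log()),
                      ("single host", make_sample_log(single_source=True))):
        print(f"--- {name} flood; per-IP limiter would block: "
              f"{sorted(per_source_only(log)) or 'nothing'}")
        for start, total, sources, verdict in classify_windows(log):
            print(f"t={start:>3}s requests={total:>5} sources={sources:>4} {verdict}")
```

The thresholds are deliberately simple; a production detector would baseline the aggregate rate and source count per service rather than hard-code them, but the shape of the check (aggregate volume and source spread, not only per-source rate) is what a volumetric botnet flood of the kind described above requires.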
Cyber-attacks on Georgian systems were already under way before Russia invaded in 2008. On the day the ground attacks began, sites such as stopgeorgia.ru posted lists of Georgian targets to attack as well as instructions on how to launch those attacks.11 While Moscow baited Georgia with troop movements on the borders of the breakaway provinces of Abkhazia and South Ossetia, bot-nets were already on the attack, degrading Georgian websites, including the pages of the president, the parliament, the foreign ministry, and news agencies. Banks, which were also targets of cyber-attacks, shut down their servers at the first sign of attack to pre-empt identity or monetary theft.12 This was the first (recognized) time Russian cyber and traditional military attacks were performed in coordination.13
Target surveys, targets, domains, and instructions were ready to go and posted to the internet in accompaniment with the initial Russian incursion into Georgia. This was not a fly-by-night operation set up by helping hacktivists; rather, the timing suggests this was a state-sponsored, military-ordered cyber incursion specifically designed to be launched in tandem with the military operation.
Russia is using Ukraine as a perpetual cyber-war testing ground, or as Wired described it in a lengthy and detailed report on the matter last year, "a laboratory for perfecting new forms of global online combat."14 A digital army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, and energy. Seemingly unstoppable intrusions deleted data, destroyed computers, and in some cases paralyzed organizations' most basic functions.15 There is no way to know exactly how many Ukrainian institutions have been hit in the escalating campaign of cyber-attacks, and any count is liable to be an underestimate. For every publicly known target, others have not admitted to being victimized. Still more have not even discovered the intruders in their systems.
The attackers' intentions can be summed up in a single Russian word: polygon, translated loosely as "training ground." Even in their most damaging actions, the attackers never seem to go too far; the attackers could have knocked out Ukrenergo's transmission station for longer or caused permanent, physical harm to the grid, but instead settled (repeatedly) for blackouts.16 The attackers never seem committed to full destruction of their targets in Ukraine. Instead, the attackers cease before delivering irreparable damage, playing their cards close to their chest as if reserving their true capabilities for some future operation—one can almost think of it as game planning during a pre-season football game.17
The attacks on Estonia, Georgia, and Ukraine, while highlighting the fusion of cyber-effects with more traditional military operations, should also serve as a wake-up call to military and security circles in NATO nations on both sides of the Atlantic and highlight questions in need of thoughtful consideration: namely, what are the lessons to take away from the Russian Federation's increased utilization of the cyber domain in their combat operations, and how does this help to shape the battlefield of the future?
The cyber domain offers an increased latitude of action for commanders in the modern battlespace in part due to the fog of uncertainty that surrounds the proportion, suitability, and overall effectiveness of responding to a cyber-attack. An attack on a base which wounds and kills opposing soldiers or physically destroys infrastructure may invite a response in kind, where a communications system that has been denied service or otherwise degraded may not elicit a physical strike in retaliation. Cyberspace operations serve as an excellent avenue of force projection without putting soldiers in harm's way; these operations have increased the latitude for action in the same way that the development and fielding of the Unmanned Aerial Vehicles (UAVs) did. A UAV can be sent on a mission that may be deemed too hazardous or not important enough to send soldiers into the field to risk life and limb to accomplish. The same concept applies to a cyberspace operation—rather than send a team into a known hostile area to physically retrieve and return intelligence from an enemy's digital devices, it is easier (and may make more sense) for the commander to approve a cyberspace operation to electronically retrieve the same intelligence.
A cyberspace operation also does not require the complex partnerships that a mission with soldiers being transported via airplanes, helicopters, ships, or ground vehicles may require. Where a traditional mission may require the use of an airfield in a partner country, or the use of another country's airspace or other violation of territorial sovereignty for the delivery and retrieval of soldiers and effects, a cyberspace operation is not constrained in the same way. Cyberspace operations may also require significantly less deconfliction to perform than a traditional military operation. There is a far smaller chance of collateral damage coming from a cyberspace operation than through the launching of missiles or dropping of bombs; with that decreased chance of sparking an international incident through harming or killing citizens or soldiers of a different country, an increased utilization of cyberspace operations would allow a commander more avenues to prosecute their target or objective.
The ability to launch a cyber-attack changes the face of a large-scale combat operation because the efficacy of the operation can be wildly out-of-proportion to the risk of damage or loss. When a few strokes on the keyboard—from dozens, hundreds, or thousands of miles away—can turn an enemy's power off, disable their communications, or turn their transportation systems into a chaotic, unmanaged mess, and the cost in lives, equipment, and resources is negligible, then a commander finds him or herself in an advantageous position from which to launch further attacks (cyber or otherwise).
For all the new and exciting avenues open to a commander on the offensive, the introduction of cyberspace operations should also be of great concern. Much of the modern battlespace is shaped by timely—if not instantaneous—communication, and it is exactly that communication which would be targeted by a group waging a cyber-attack. Unfortunately, the best and only surefire way to defend a machine with any sort of connectivity is to disable or unplug it; otherwise, a determined attacker will eventually gain access. He or she only needs to wait for an end-user of that machine or equipment to make the fatal mistake which grants the attacker access. Defensive cyber operations have their place but, due in part to the ever-present risk of human error, serve primarily as a delaying action. What this practically means is that the best defense is a good offense, and that energy should be focused on assaulting any enemy's (digital) position with such overwhelming force and violence that the same force and violence cannot be offered in return. Scenes from Hollywood, with defenders running to and fro, typing on this terminal or that keyboard to fend off some sort of cyber-attack, have no basis in reality; once a machine has been compromised or degraded, it should be effectively considered out of the fight (until properly remediated). Not only has the commander lost that piece of equipment, but now the attackers who had been focused on the now out-of-commission equipment can redouble their efforts against a different target. In the persistent cyber-attack scenario in which a commander would find him or herself during a large-scale combat operation, the losses cascade together like so many dominoes, failures and defeats compounding exponentially until the enemy attacker has control of the systems and freedom of movement within.
The binary choice of offense or defense, at least with regards to modern cyber battlefield operations, is an anachronism. The new commander should seek to deny, degrade, or destroy the capabilities of the enemy with whom he is engaged as expeditiously as possible, understanding that his or her enemy is seeking to do precisely the same thing at precisely the same time.
A crawl-walk-run approach through Estonia, Georgia, and Ukraine has lent the Russian cyber-arm a smooth, well-oiled quality; at the same time, the Russian ability to conduct real world operations, absent effective international intervention, external defense, or interdiction, has allowed a honing of tactics, techniques, and procedures (or TTPs) and tools to better obfuscate Russian presence and activity.18
Estonia, the initial victim, was a low-key affair, or the crawl: cyber-attacks launched, without being paired with military intervention, which in retrospect can be viewed as a proof-of-concept. Georgia, a step beyond Estonia, was the walk: pre-formed bot-nets sending pre-formed packets, in a larger-scale denial of service attack, but now paired with an incursion of troops and tanks and a traditional military movement into the South Ossetia area. Through postings on various internet forums and sites, paramilitary cyber activity seems to have been, if not encouraged, then at least not discouraged—which only served to swell the ranks of those conducting cyber-attacks on Russia's behalf. Finally, Ukraine was the run: large-scale cyber-attacks paired with military incursion and occupation. Simultaneous attacks occurred on media firms; an attack on the Central Election Commission's website triggered the announcement of an ultra-right-wing candidate as winner of the election; and an incursion took over the networks which connected and controlled the systems for entire power grids. Once the desired levels of denial, degradation, and destruction had been achieved, the attackers destroyed the firmware for the network cards in the machines, leaving administrators and responders unable to fix the issue remotely.19
It is perhaps best to think of the ongoing cyber activity in Ukraine as Russia's Combat Training Center, or CTC. The purpose of a CTC is to provide realistic collective training for soldiers, leaders, staffs, and units according to Army and Joint doctrine, simulating as closely as possible the rigors and stresses of combat.20 The CTC ensures soldiers, units, and leaders are well prepared for current and future operations; no other means of training provides the Army with the ability to maintain the consistently tough and realistic training environment that combatants require for success in warfare.21 Though cyberspace is a tested domain at both the National Training Center (NTC) and at the Joint Readiness Training Center (JRTC), there is not a dedicated electronic or cyber CTC with which to train US Army (or military at-large) cyber actors.22 This leaves cyber-training to be conducted in more traditional, lab-based environments, the limitations of which are clear: training networks can only be so large; the trainer can only provide the types of operating systems that he or she has access or license to provide; and the vulnerabilities and/or exploitation vectors provided to train a cyber-actor are limited to what the training facilitator can think of (or knows about) at the time he or she is putting together a network. In the case of Russia, however, adventurism in Ukraine has served to offer a holistically complete training environment for the Russian cyber-forces—state-sanctioned or otherwise. Russian forces will find a width and breadth of computers and operating systems, in a variety of patched and unpatched states, administered by both the lazy and hyper-vigilant. 
Russian cyber actors can train against medical, transportation, banking, power, or education systems, take note of what works and what does not, and then take that real-time, operational data back to the coders and developers to manipulate their cyber toolkit on the fly, increasing their efficacy for the next round of attacks.
"Russia is not only pushing the limits of its technical abilities," says Thomas Rid, a professor in the War Studies department at King's College, London, "but also feeling out the edges of what the international community will tolerate."23 The Kremlin meddled in the Ukrainian election and faced seemingly ineffective repercussions; Russian and Russia-aligned actors continue to wreak havoc across the country in a variety of necessary and national-security-level industries, including turning the power off and on in Ukraine with impunity.24 Then, full of confidence from their eastern European triumphs, Russia tried similar tactics in Germany, France, and the United States. Russian government cyber actors have targeted "government entities and multiple US critical infrastructure sectors," including those of energy, nuclear, water and aviation, according to an alert issued by the Department of Homeland Security and Federal Bureau of Investigation (FBI).25 Critical manufacturing sectors and commercial facilities also have been targeted by the ongoing "multi-stage intrusion campaign by Russian government cyber actors."26 A joint analysis by the FBI and the Department of Homeland Security described the intrusions as extremely sophisticated, in some cases first breaching suppliers and third-party vendors before hopping from those networks to their ultimate target.
Rid suggests that Russia is testing out boundaries and trying to map out red lines; if Russian actions are rebuffed in one area, or an effect that they have produced draws too much attention or creates unacceptable consternation, then Russian forces simply move on to the next target or the next intrusion. However, without significant ramifications—or even merely effective international reaction—Russia may not feel significantly at-risk and, lacking necessary external push back, might continue to the "next step" for their targets.27 What the escalation of Russian attacks truly suggests, however, is a cyber-war will not be waged at some abstract point in the future; it is happening, at least the initial stages, now, throughout the world, propagated (at least in part) by a seasoned corps of Russian veterans.
Every so often in the history of warfare a sea-change occurs which affects the way militaries function and how combat is conceived. Stone gave way to metal, bows to gunpowder and bullets. Automatic weapons eventually offered commanders a multiplicative increase in firepower and destructive capability. The advent of airpower opened up an entirely new domain on the battlefield, and now the advent of weaponized cyberspace has done the same. The Russian Federation's stepped inclusion of cyber operations into their military campaigns serves as a proof of cyber operations' utility and benefit to a commander in the modern battlespace. The lesson of Russia's success is not how the Russian Federation developed their program. Instead, having seen the effectiveness that cyber operations can have both in shaping a battlespace and in offering a decided tactical or psychological advantage over an enemy, the lesson is that cyber operations must be more fully integrated into modern combat. Peer and near-peer adversaries alike are fielding cyberspace capabilities and integrating those same capabilities into their operation plans; Russia just happened to display their progression and development on the world stage. With the latitude of action it affords commanders on the ground, the ability to degrade or deny the communications of an opposing force, and the psychological aspect of an effective cyber-attack on the armed forces of an adversarial country (in addition to the population), the cyber domain truly is the next evolution of battlespace. The United States must fully embrace and work to seamlessly integrate cyberspace operations into their plans for combat operations, both large- and small-scale. As has been demonstrated by the Russian Federation's military adventurism through the past decade, the adversaries of the United States fully intend to do just that.
Notes
- Department of the Army, Field Manual (FM) 3-12, Cyberspace and Electronic Warfare Operations (Washington, DC: 2017), 1-1.
- General Valery Gerasimov, "The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying out Combat Operations," Military Review, January/February 2016, 23.
- Gerasimov, 23.
- Molly K. McKew et al., "The Gerasimov Doctrine," POLITICO Magazine, September/October 2017, accessed 27 April 2018, https://www.politico.com/magazine/story/2017/09/05/gerasimov-doctrine-russia-foreign-policy-215538. For the opinion that the Gerasimov doctrine is not necessarily "real," see Roger N. McDermott, "Does Russia Have a Gerasimov Doctrine?" US Army War College Quarterly Parameters 46, no. 1, 103.
- Oona A. Hathaway and Rebecca Crootof, "The Law of Cyber-Attack," 2012, Faculty Scholarship Series Paper 3852, 836-837.
- Richard A. Clarke, Cyber War (New York: HarperCollins, 2011), 6.
- Tom Gjelten, "Extending the Law of War to Cyberspace," National Public Radio, 22 September 2010, accessed 15 February 2018, https://www.npr.org/templates/story/story.php?storyId=130023318.
- Hathaway and Crootof, "The Law of Cyber-Attack," 841.
- Clarke, Cyber War, 34.
- Robert Mandel, Optimizing Cyberdeterrence: A Comprehensive Strategy for Preventing Foreign Cyberattacks (Washington, DC: Georgetown University Press, 2017). See also Franklin D. Kramer and Melanie J. Teplinsky, "Cybersecurity and Tailored Deterrence," Atlantic Council, 3 January 2014, accessed 20 February 2018, http://www.atlanticcouncil.org/publications/issue-briefs/cybersecurity-and-tailored-deterrence.
- More than likely, these instructions amounted to having the interested user download a tool such as the Low Orbit Ion Cannon (LOIC), which lets a user opt for their box to be co-opted and controlled as part of a larger Denial of Service or Distributed Denial of Service bot-net.
- John Markoff, "Before the Gunfire, Cyberattacks," The New York Times, 13 August 2008, accessed 13 February 2018, http://www.nytimes.com/2008/08/13/technology/13cyber.html.
- David J. Smith, "Russian Cyber Strategy and the War Against Georgia," Atlantic Council, 17 January 2014, accessed 20 February 2018, http://www.atlanticcouncil.org/blogs/natosource/russian-cyber-policy-and-the-war-againstgeorgia. This is more along the lines of what the Rand Corporation was defining as a cyber-attack—computer-based occurrences paired with actual military movements and force.
- Christopher Miller, "What's Ukraine Doing to Combat Russian Cyberwarfare? 'Not Enough,'" RadioFreeEurope/RadioLiberty, 8 March 2018, accessed 22 February 2018, https://www.rferl.org/a/ukraine-struggles-cyberdefense-russia-expands-testing-ground/29085277.html.
- Andy Greenberg, "How an Entire Nation Became Russia's Test Lab for Cyberwar," Wired, 20 June 2017, accessed 14 February 2018, https://www.wired.com/story/russian-hackers-attack-ukraine/.
- Greenberg. "A power company responsible for operational and technological control of the Integrated Power System (IPS) of Ukraine and electricity transmission via trunk power grids from generating plants to the distribution networks of the regional electricity suppliers," About Us, accessed 7 March 2018, https://ua.energy/about-en/.
- The author says "absent effective international intervention" because if the international intervention had been effective, then the cyber-attacks, which still ravage Ukraine, would have been stopped.
- Greenberg, "How an Entire Nation."
- "Combat Training Center Directorate (CTCD)," 8 July 2014, accessed 27 April 2018, https://usacac.army.mil/organizations/cact/ctcd. See also: US Army, "Combat Training Center (CTC) Program 2009 US Army Posture Statement," accessed 25 February 2018, https://www.army.mil/aps/09/information_papers/combat_training_center_program.html.
- US Army, "Combat Training Center (CTC) Program."
- "Combat Training Center Rotations Continue to Drive Evolution of Army Cyber-Electromagnetic Activities," Army News, 29 June 2017, accessed 26 April 2018, https://www.army.mil/article/190201/combat_training_center_rotations_continue_to_drive_evolution_of_army_cyber_electromagnetic_activitie.
- Greenberg, "How an Entire Nation."
- "Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors," United States Computer Emergency Readiness Team (US-CERT), 15 March 2018, accessed 21 March 2018, https://www.us-cert.gov/ncas/alerts/TA18-074A.
- Jennifer A. Dlouhy and Michael Riley, "Russian Hackers Attacking U.S. Power Grid and Aviation, FBI Warns," Bloomberg, 15 March 2018, accessed 21 March 2018, https://www.bloomberg.com/news/articles/2018-03-15/russian-hackers-attacking-u-s-power-grid-aviation-fbi-warns.
- Greenberg, "How an Entire Nation."