Vectors of Kremlin-backed cyber-warfare

Edward Lucas analyses the advantages Kremlin-backed hackers have over the West in what he calls the ‘New Cold War’, and considers how Western governments might counter the threat.

When I wrote my book, The New Cold War, in 2007, the idea that a serious conflict between the Kremlin and the West was under way was contentious. That the Internet would be an important battleground in that conflict was even less understood.

Though some commentators still quibble with the phrase ‘New Cold War’, nobody disputes that East-West relations have sharply deteriorated. Russia has descended into autocracy at home, and presents a serious problem for its neighbours.

It is also becoming clearer that Russia is a far more formidable adversary online than on more old-fashioned battlefields. Russia has a California-sized economy, rickety infrastructure and a declining population. Its institutions are weak and corruption rampant. Its military and foreign-policy successes under Vladimir Putin owe far more to division and miscalculation in the West than they do to a real revival of Russian capabilities. Where Western countries stand up to Russia, as the European Union did on energy liberalisation in the past ten years, the Kremlin quickly crumbles.

Yet when it comes to conflict involving computers and networks, Russia’s disadvantages largely disappear. There are four vectors involved. The first is information warfare – using the anonymity, ubiquity and immediacy of the Internet to project Russian views in the Western media space, and to drown out and discredit dissenting voices.

The second, related to the first, is the combination of hacking and leaking, exemplified by the attacks on the election campaigns of Hillary Clinton and Emmanuel Macron. Crude hacking tools are used to gain private, politically sensitive information. This is then leaked using a mixture of anonymously run websites and media allies in order to foster mistrust and political chaos.

A third kind of attack is cyber-espionage, using sophisticated tools to gain secret information from adversary governments. Principal examples of this are the AgentBTZ and Uroboros attacks.

The fourth and final kind is a disruptive cyber-attack, ranging from the swamping of national information systems in the Distributed Denial of Service (DDoS) attack on Estonia in 2007, to the disabling attack on Ukraine’s power networks in 2015.

In all four of these, Russia has big advantages. Attribution is hard. If the Kremlin had sent soldiers to destroy Estonian government communications in 2007 to punish the authorities there for moving a Soviet-era war memorial, it would have risked an all-out conflict with NATO. Under Article 5 of the Atlantic Charter, Western countries are treaty-bound to respond to an armed attack on any member with commensurate force. That would be a daunting prospect for Russia, which is militarily much weaker than NATO.

The DDoS attack on Estonia had a similar effect, briefly paralysing government communications and the financial system. But it went largely unpunished. Russia simply denied involvement. Even the much more sophisticated and extensive attacks in 2017, on the American and French political systems, were largely cost-free. In a surprisingly short space of time, the idea that Russia can manipulate the political systems of other countries has become accepted as normal or even inevitable.

Russia also exploits a weakness in the Western media mindset, in which truth gives way to a lazy-minded moral equivalence, masquerading as fairness. Russian interference in its neighbours’ affairs is portrayed as nothing more than a counterpart to Western efforts to promote democracy in the former Soviet empire. Bombastic and flimsy denials – for example over the shooting down of a Malaysian airliner by Russian forces in Ukraine in 2014 – are given undeserved credence. As well as denying Russian misbehaviour, Kremlin-sponsored disinformation outlets also invent and assert stories which undermine confidence in the integrity and competence of Western institutions, politicians and public life.

Russian “trolls” – paid propagandists – run Twitter feeds and Facebook pages, which ostensibly belong to genuine individual users, but in fact exist only to promote Kremlin propaganda. Russian-sponsored commentators also distort public opinion by posting comments on articles in the mainstream online media.

Other Russia-linked outlets smear and intimidate anti-Kremlin commentators in the West. Russia also uses money to buy favourable coverage from nominally independent but cash-strapped media outlets, whose advertising-based business model has collapsed because of the growth of online competitors.

The playing field is a bit more even when it comes to cyber-espionage. Western agencies such as America’s NSA and Britain’s GCHQ have formidable advantages to deploy against Russia, not least because most of the world’s biggest technology companies are based in the West.

But Russia still has some cards which the West cannot match. In particular, the overlap between public, private and criminal online activity is more blurred. Russian hackers can work for all three kinds of client, even deploying the same tools and techniques, in a way that would be impossible in rules-bound Western countries.

The West’s response to these attacks from Russia is still incoherent.

One problem is that the Internet’s legal framework is still in its infancy. If someone damages you in the real world, you can sue. If the behaviour is sufficiently bad, the criminal justice system gets involved. But courts and cops mostly stumble and bumble when dealing with online malfeasance.

Another is that threat perceptions still vary widely. Nordic countries are in a state of high alert over Russia’s online capabilities. Yet in other parts of Europe, views differ sharply, and policy-makers are much less aware of the importance of the Internet.

Russia’s victory in the online new Cold War is not inevitable. The West can deal with its own weaknesses, and counter-attack. Anonymous speech on the Internet, for example, need not have the same privileges as authenticated speech. The Kremlin has plenty of vulnerabilities too – not least its dependence on the Western financial system.

The West’s greatest problem is not weakness of means, but weakness of will. We have an array of legal, financial and political instruments which, if we chose to deploy them, would constrain, unsettle and undermine the Putin regime.

Building on the success of the so-called “Magnitsky sanctions” (named after a murdered Russian whistleblower), we could go after bank accounts, shell companies and real-estate holdings. We could restrict the ability of senior Russians to travel to the West. We could catch and deport Russian spies in a blaze of publicity, and prosecute the people they have bribed into collaborating with them. We could put pressure on our technology companies to stop sheltering Russian spammers, bot herders and troll factories. We could accelerate efforts to break Russia’s grip on the energy supplies of neighbouring countries, and speed the integration into our Euro-Atlantic institutions of former captive nations such as Georgia and Ukraine. None of these measures is particularly expensive in financial terms. All they require is will-power.

Edward Lucas is a senior editor at The Economist, responsible for Espresso, its daily news app. He also writes obituaries, book reviews and leaders. He has more than 30 years’ experience dealing with the countries of central and Eastern Europe, with postings including Berlin for the BBC in 1988, stringing for The Economist in communist-era Czechoslovakia and later in the Baltic States, and being editorial director of the Economist Intelligence Unit in Vienna. He is the author of Cyberphobia: Identity, Trust, Security and the Internet, Deception: Spies, Lies and How Russia Dupes the West and The New Cold War: Putin’s Russia and the Threat to the West. He is Senior Vice-President at CEPA, a thinktank in Washington, DC.