Russian Cyber Operations. Scott Jasper
In a speech in Poland in 2019, Secretary of State Mike Pompeo proclaimed that “Russia has grand designs of dominating Europe and reasserting its influence on the world stage. Vladimir Putin seeks to splinter the NATO [North Atlantic Treaty Organization] alliance, weaken the United States and disrupt Western democracies.”6 The 2017 US National Defense Strategy asserts that the Russians are using “areas of competition short of open warfare to achieve their ends (e.g., information warfare [IW], ambiguous or denied proxy operations, and subversion).”7 Cyber operations are merely a means for Russia to obtain political goals and objectives. An examination of their use in asymmetric tools, in hybrid warfare, and through IW is warranted to understand their role and results. Russia continues to modernize its armed forces with an emphasis on asymmetric weapons, in particular subsonic cruise and hypersonic aeroballistic missiles, the latter part of a potentially invincible arsenal designed to penetrate and evade limited US antimissile defenses.8 Cyber operations serve in another asymmetric arsenal of nonmilitary methods but achieve the same aim of penetration and evasion of cyber defenses. Russia has employed new models of warfare, the most debatable called “hybrid.” Since the Russian incursion into Ukraine in 2014, the Western strategic community has been “trying to come to grips with the concept of hybridity,”9 although NATO does define hybrid threats as a “type of threat that combines conventional, irregular and asymmetric activities in time and space,” which invariably includes cyber operations.10 Finally, in the arena of competition of IW, Russia prevails primarily by social media exploitation and cyber-enabled information operations (IO) that influence populations and challenge democratic processes.
The first evidence of Russian foreign policy turning to confrontation with the West was Putin’s blunt Munich speech in 2007. In it, the Russian president accused the United States of imposing an unacceptable unipolar world model, characterized by an “almost uncontained hyper use of force” and a “greater disdain for the basic principles of international law.”11 Putin openly demanded that Russia, with “the privilege to carry out an independent foreign policy,” be given a leadership position in making international policy. The following year, Russia exerted this privilege by invading Georgia, using cyber operations as a new component of warfare. Russian hybrid aggression expanded into Ukraine in 2014 and has continued with cyber campaigns that intend to desovereignize the nation.12 Russia has also attempted to influence the public policy of NATO allies, in particular Estonia in 2007 and the United States during the 2016 election. Through use of cyber operations in these and other cases, Russia seeks to advance its national interests, even if it undermines or circumvents established norms for responsible state behavior. US and international responses to counter harmful or wrongful acts by Russia in the cyber domain through methods for cost imposition have not altered Moscow’s behavior. Therefore, in reply to Russian usage of legal ambiguity and technical complexity, this book argues to leverage emerging solutions for resilience to withstand attacks and continue operations. It will examine the adequacy of cybersecurity measures and describe proven capabilities for automated cyber defense. Given continued legal uncertainty that hampers meaningful responses, the book will explore conditions for a technical offset strategy. 
Specifically, the use of data-correlation technologies in an integrated security operating platform has the potential to diminish Russian advantages through cyber operations, whether they rise to the level of armed conflict or function as a component of strategic competition.
Conceptual Foundations
Russia seeks to restore its status as an independent great power. The long-term ambition of President Vladimir Putin and that of his inner circle is for Russia to resume on its own terms what they decree to be a rightful geopolitical position.13 That position is as one of the two or three most important nations in the world.14 To achieve this obsessive ambition, Russia competes against the United States and its allies and partners.15 Russia competes across “political, economic, and military arenas” using “technology and information to accelerate these contests in order to shift regional balances of power in their favor.”16 The reemergence of long-term, strategic competition challenges the prosperity and security of the United States and its allies and partners. In the decades after World War II, these nations “constructed a free and open international order to better safeguard their liberty and people from aggression and coercion.”17 The Western concept of international order is generally defined by its alliances, institutions, and rules.18 However, today, according to Gen. Curtis M. Scaparrotti, the commander of US European Command, Russia is “engaged in strategic competition” while “pursuing a strategy that undermines the international order.”19 Russia does this “within the system by exploiting its benefits while simultaneously undercutting its principles and rules.”20 Russia perceives itself to already be in conflict with the West, led by the United States.21 This perception drives actions by Russia in a wide range of domains, including cyberspace, and also in disinformation campaigns and military interventions in third countries. The debate is perpetual over whether Russia believes “it is defending itself against an actual and genuine threat from the West or is simply expressing its nature as an unreconstructed expansionist power.”22
Cyber operations have become a central aspect of Russian forms of conflict or competition. Cyber operations are defined as “the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.”23 The domain of cyberspace consists of “the interdependent network of information technology infrastructure and resident data,”24 whereas a cyberspace capability is a “device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.”25 Examples of cyber operations include those operations that “use computers to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”26 In regard to what is meant by an effect “in cyberspace,” an example would be the deletion of resident data, while an effect “through cyberspace” would be the destruction of connected equipment. A cyber incident is the result of a single cyber operation, whereas a cyber campaign is a planned series of cyber operations, over time, designed to accomplish objectives.27 Russia has expanded long-term strategic competition with the United States and its allies and partners with persistent campaigns “in and through” cyberspace.28
The United States intends to “work with like-minded partners to attribute and deter malicious cyber activities with integrated strategies that impose swift, costly, and transparent consequences.”29 Although the extent of that response is limited by attribution to the responsible state under international law, US military doctrine clearly delineates that “to initiate an appropriate defensive response, attribution of threats [actors] in cyberspace is crucial for any actions external to the defended cyberspace.”30 Furthermore, the doctrine states that “the most challenging aspect of attributing actions in cyberspace is connecting a particular cyber-persona or action to a named individual, group, or nation-state, with sufficient confidence and verifiability to hold them accountable.”31 Russia uses uncertainty in technical attribution and ambiguity in legal classification to evade repercussions for