Steam rises from the chimneys of a thermal power plant behind the Ivan the Great Bell Tower in Moscow, Russia January 9, 2018, photo by Maxim Shemetov/Reuters

commentary

(TechCrunch)

July 23, 2019

Cyber Threats from the U.S. and Russia Are Now Focusing on Civilian Infrastructure

Steam rises from the chimneys of a thermal power plant behind the Ivan the Great Bell Tower in Moscow, Russia January 9, 2018

Photo by Maxim Shemetov/Reuters

by Joe Cheravitch

Cyber confrontation between the United States and Russia is increasingly turning to critical civilian infrastructure, particularly power grids, judging from recent press reports. The typically furtive conflict went public last month, when the New York Times reported U.S. Cyber Command's shift to a more offensive and aggressive approach in targeting Russia's electric power grid.

The report drew skepticism from some experts and a denial from the administration, but the revelation led Moscow to warn that such activity presented a “direct challenge” that demanded a response. WIRED Magazine the same day published an article detailing growing cyber reconnaissance on U.S. grids by sophisticated malware emanating from a Russian research institution, the same malware that abruptly halted operations at a Saudi Arabian oil refinery in 2017 during what WIRED called “one of the most reckless cyberattacks in history.”

Although both sides have been targeting each other's infrastructure since at least 2012, according to the Times article, the aggression and scope of these operations now seems unprecedented.

Washington and Moscow share several similarities related to cyber deterrence. Both, for instance, view the other as a highly capable adversary. U.S. officials fret about Moscow's ability to wield its authoritarian power to corral Russian academia, the private sector, and criminal networks to boost its cyber capacity while insulating state-backed hackers from direct attribution.

Washington and Moscow share several similarities related to cyber deterrence. Both view the other as a highly capable adversary.

Share on Twitter

Moscow sees an unwavering cyber omnipotence in the United States, capable of crafting uniquely sophisticated malware like the Stuxnet virus, all while using digital operations to orchestrate regional upheaval, such as the Arab Spring in 2011. At least some officials on both sides, apparently, view civilian infrastructure as an appropriate and perhaps necessary lever to deter the other.

Whatever their similarities in cyber targeting, Moscow and Washington faced different paths in developing capabilities and policies for cyber warfare, due in large part to the two sides' vastly different interpretations of global events and the amount of resources at their disposal.

A gulf in both the will to use cyber operations and the capacity to launch them separated the two for almost 20 years. While the U.S. military built up the latter, the issue of when and where the United States should use cyber operations failed to keep pace with new capabilities. Inversely, Russia's capacity, particularly within its military, was outpaced by its will to use cyber operations against perceived adversaries.

Nonetheless, events since 2016 reflect a convergence of the two factors. While the United States has displayed a growing willingness to launch operations against Russia, Moscow has somewhat bolstered its military cyber capacity by expanding recruiting initiatives and malware development.

The danger in both sides' cyber deterrence, however, lies not so much in their converging will and capacity as much as it is rooted in mutual misunderstanding. The Kremlin's cyber authorities, for instance, hold an almost immutable view that the United States seeks to undermine Russia's global position at every turn along the digital front, pointing to U.S. cyber operations behind global incidents that are unfavorable to Moscow's foreign policy goals. A declared expansion in targeting Russian power grids could ensure that future disruptions, which can occur spontaneously, are seen by Moscow as an unmistakable act of U.S. cyber aggression.

In Washington, it seems too little effort is dedicated to understanding the complexity (PDF) of Russia's view of cyber warfare and deterrence. The notion that Russia's 2016 effort to affect the U.S. presidential election was a “Cyber” or “Political” Pearl Harbor is an appropriate comparison only in the sense that U.S. officials were blindsided by Moscow's distinct approach to cyber warfare: an almost seamless blend of psychological and technical operations that differs from most Western concepts.

Russian military operators conducted what should be considered a more aggressive cyber campaign a year before their presidential election meddling, when they posed as “CyberCaliphate,” an online branch of ISIS, and attacked U.S. media outlets and threatened the safety of U.S. military spouses.

For their part, the Russians made a different historical comparison to their 2016 activity. Andrey Krutskikh, the Kremlin's bombastic point man on cyber-diplomacy issues, likened Russia's development of cyber capabilities that year to the Soviet Union's first successful atomic bomb test in 1949.

The danger in both U.S. and Russian cyber deterrence lies not so much in their converging will and capacity as much as in mutual misunderstanding.

Share on Twitter

Western analysts, fixated on untangling the now-defunct concept of the “Gerasimov Doctrine,” devoted far less attention to the Russian military's actual cyber experts, who starting in 2008 wrote a series of articles about the consequences of Washington's perceived militarization of cyberspace, including a mid-2016 finale that discussed Russia's need to pursue cyber peace with the United States by demonstrating an equal “information potential.”

Despite Cyber Command's new authorities, Moscow's hackers are comparatively unfettered by legal or normative boundaries and have a far wider menu of means and methods in competing with the United States short of all-out war. Russian military hackers, for example, have gone after everything from the Orthodox Church to U.S. think tanks, and they launched what the Trump administration called the most costly cyberattack in history.

In the awkward space between war and peace, Russian cyber operations certainly benefit from the highly permissive, extralegal mandate granted by an authoritarian state, one that Washington would likely be loath (with good reason) to replicate out of frustration.

By no means should the Kremlin's activity go unanswered. But a leap from disabling internet access for Russia's “Troll Farm” to threatening to blackout swaths of Russia could jeopardize the few fragile norms existing in this bilateral cyber competition, perhaps leading to expanded targeting of nuclear facilities.

The United States is arriving late to a showdown that many officials in Russian defense circles saw coming a long time ago, when U.S. policymakers were understandably preoccupied with the exigencies of counterterrorism and counterinsurgency.

Washington could follow Moscow's lead in realizing that this is a long-term struggle that requires innovative and thoughtful solutions as opposed to reflexive ones. Increasing the diplomatic costs of Russian cyber aggression, shoring up cyber defenses, or even fostering military-to-military or working-level diplomatic channels to discuss cyber red lines, however discretely and unofficially, could present better choices than apparently gambling with the safety of civilians that both sides' forces are sworn to protect.


Joe Cheravitch is a defense analyst at the nonprofit, nonpartisan RAND Corporation.

This commentary originally appeared on TechCrunch on July 22, 2019. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.