Cyber-espionage is business as usual for most great-power governments - so why the growing storm of indignation directed at Russia's cyber activities?
The foreign secretary of the United Kingdom Jeremy Hunt and the National Cyber Security Centre recently accused Russia of ‘reckless and indiscriminate’ cyber-attacks. Just last week, the Dutch authorities announced that they caught and expelled (last April) four Russian hackers with diplomatic passports attempting to snoop on the Organisation for the Prohibition of Chemical Weapons. The French Foreign Ministry’s policy planning staff and the official think tank of the French Ministry of Defence published a major report a few weeks ago on Russian cyber and disinformation campaigns in France. And the United States continue their official investigation of Russia cyber operations designed to shape the 2016 presidential elections there and issued a third round of indictments against Russian cyber-operatives in recent days.
While the chorus of voices accusing Russia of cyber sins is loud, quieter – but no less widespread – sceptical mutterings are questioning the wave of indignation itself: is Russia really so special? Are not the Chinese, the Americans or the French involved in similar activities? Why is there less indignation with China’s cyber activities than with Russia’s? And ultimately, why are we so sure Russia is to blame at all?
Is Cyber-Russia so special?
If one is to understand if and to what extent Russia’s cyber activities are different from those of China or the US, let us start by making a distinction between three related, but distinct phenomena: cyber-espionage; (dis)information campaigns that draw on cyber-espionage; and cyber-attacks with real life consequences (in the physical world).
That Russia is very active in cyber-espionage should be a source of concern, but certainly not indignation. The American, Chinese, French, British, Iranian or North Korean governments are among the most active cyber-spies in the world. And Russian cyber-espionage is not a recent phenomenon. The first known example of cyber-espionage activity initiated from Moscow against the West was in 1986, when some West German hackers – paid in cash and cocaine – hacked into several hundred US military computers in search of documentation related to then-president Ronald Reagan’s Strategic Defence Initiative, otherwise known as ‘Star Wars.’ A Berkeley University system administrator who discovered the hacks, Cliff Stoll, wrote a book about it and was questioned by the US Congress in 1989.
However, Russian behaviour in cyberspace has been different from that of other cyber powers on two different accounts. One is related to how Russia has been feeding the fruits of cyber-espionage into (dis)information campaigns. Here, the contrast with China is quite striking. It is quite possible that China has even more access to sensitive political, security, technical or business information from the entire world, and is quietly passing what is relevant to its companies, manufacturers, or the military. But China has been doing it quietly, relatively under the radar, and has kept this information mostly to itself.
Russia has opted for an approach different to that of China's. It also hoards significant amounts of information, to be sure, but in addition has been releasing it on a massive scale in its attempts to shape North American or European politics in ways and to an extent that China or North Korea have not done. Dumping leaks ahead of US or French elections, using trolls and bots to spread the word about such leaks, and advertising these ‘cyber-findings’ on its media outlets like RT or Sputnik sets Russia apart from other cyber powers. The issue here is not just the cyber-attacks per se, but how cyber-attacks feed the integrated cycle of activities designed to throw off-balance domestic politics in NATO countries. Neither China nor the US or, say, France have practiced such cyber-information-warfare on a massive scale.
The other dimension which sets Russia apart is the effect of its cyber-attacks in the physical world. Its cyber-attacks on Estonia in 2007, Georgia during the 2008 war, and Ukraine in the last few years have targeted – on a massive scale and quite indiscriminately – critical infrastructure: state institutions, banks, and power plants. NotPetya, the world’s most damaging ever cyber-attack was also most likely developed in Russia to attack Ukrainian infrastructure, but hit banks, shipping companies and cosmetics factories not just in Ukraine, but across the entire world.
Russia is not alone in having designed cyber tools that have real world effects. But no other cyber player has applied their tools as indiscriminately and destructively as Russia has. One of the most known cyber-viruses with real world effects, Stuxnet – most likely developed by US and Israeli intelligence – was tailored narrowly and specifically to target Iran’s nuclear centrifuges, not random Iranian banks or legitimate power plants. The difference between purpose-built viruses and massive and indiscriminate DDOS attacks and targeting of critical civilian infrastructure is like the difference between smart weapons used in limited quantities against specific homes, and thousands of dumb bombs dropped on entire cities.
How do we know it is Russia?
Covering tracks, false flag operations, and plausible deniability are all easier on the internet than on a real-life battlefield. Misattribution is possible, and it happens. So, it is possible that not all malicious cyber activities attributed to Russia have not been initiatives by the Russian state as such. But even admitting that the Russian state is not to blame for everything it is accused of, there is still plenty direct or circumstantial evidence that points at Russia.
Besides a wide array of techniques for attribution of cyber-attacks, there are of course the detailed US indictments of Russian intelligence personnel and supposedly independent operators that give specific names, actions and locations of Russian cyber operatives. There are photos of cyber operators posing in front of the White House with ‘Happy Birthday’ banners for their commanders in Moscow. Then there is the example of the Dutch law-enforcement agencies which caught red-handed Russian military intelligence operatives performing a ‘drive-by’ hack into the Organisation for the Prohibition of Chemical Weapons: they parked a car near the building and set up antennas designed to compromise the Wi-Fi network and intercept logins in that building. Allegedly, Dutch intelligence also hacked the computer networks and closed-circuit TV cameras of Russian military intelligence’s hacking unit known as Cozy Bear, or APT 29, which allowed them to monitor in real time several Russian cyber-attacks against the US.
Even Russian denials are almost-admissions of such practices. Russian president Vladimir Putin is known to have admitted that ‘patriotic hackers’ from Russia might target election campaigns abroad. And within just weeks after the US formally accused Russia for cyber interferences in its presidential elections, Russian intelligence arrested a head and a deputy head of a unit working on cyber issues in the FSB for allegedly being CIA spies. Accidental or not, the timing of the arrests has all but confirmed that highly placed Russian cyber-operatives have been leaking information to US intelligence.
So where does this all leave us? Certainly, Russia is a cyber threat. In the long term it might not necessarily be a more dangerous one than other hostile cyber powers like China, but in the short run it is choosing more aggressive and more high-profile cyber strategies than other cyber powers. By doing so, Russia is pushing the US and big European cyber players to up the game and move from quiet cyber-espionage into more assertive behaviour: aggressive communication campaigns, indictments, public naming and shaming, but also more hack-backs and leaks. The near-leaking of personal data of 305 employees of the Russian military intelligence service seems like the opening salvo in a new phase of future cyber hostilities. One in which blows are traded, not just absorbed. This is done to partly contain Russia, and partly to discourage others from adopting and mimicking too eagerly the Russian cyber-know-how. And so, the days of quiet cyber-espionage seem to be fading, and most cyber players, including Russia, might regret that sooner rather than later.
The European Council on Foreign Relations does not take collective positions. This commentary, like all publications of the European Council on Foreign Relations, represents only the views of its authors.