In 2009, Timothy Thomas, a Russia expert at the Foreign Military Studies Office at Fort Leavenworth in the US, warned that “[p]erhaps more than any other country, Russia is alarmed over the cognitive aspects of cyber issues as much as their technical aspects”. This warning, delivered seven years before the hack of the Democratic National Committee in the United States, highlights that Moscow has taken a different, more comprehensive and integrated approach to information security compared to Western capitals’ focus on more technical network-centric cyber security. Outlined explicitly in doctrines and strategies over the past two decades, it is becoming increasingly clear how Russia is implementing this perspective in practice – quite successfully so far, one may add.1
Russia’s focus on the control of information dates back to the Soviet era, when the Bolsheviks sought to use mass media not to inform but to shape and mould the populace.2 In more recent times, the Russian government – as shown in official documents like the 2000 Information Security Doctrine – has linked information security to internal stability, arguing that the state should take a strong role in guarding against external interference.3 The doctrine defines information security as, “protection of [Russia’s] national interests in the information sphere defined by the totality of balanced interests of the individual, society, and the state.”4 Over the years, events like the colour revolutions in Ukraine and Georgia, the Arab Spring, and the 2014 ouster of Ukrainian President Viktor Yanukovych have contributed to Russia’s heightened sense of threat in the information domain and have provided justifications for extensive domestic Internet surveillance and control.
The view that uncontrolled information poses a threat to the government and society has informed Russia’s strategy in international diplomacy on information and communications technologies (ICTs) and in its military doctrine. Since 1998 Russia has put forward resolutions at the United Nations General Assembly on the security implications of ICTs, and in 2011 it partnered with China to develop the International Code of Conduct for Information Security. In its military doctrine, Russia has long considered how to use information as a weapon, in addition to exploring the use of cyber attacks to cause physical damage, to conduct information warfare in support of its national interests.
In putting its doctrines into practice, one of the ways that Russia stands out is by coopting criminal hackers. Former Soviet states have large populations of highly educated, technically skilled individuals who have few legitimate economic opportunities; this situation leads some to turn to hacking and criminal enterprises. There is a nexus between the state and criminal hackers, founded on a tacit bargain that hackers will not target people within the former Soviet states and that the Russian state will tolerate their criminal activity. This tacit toleration can turn to more proactive deputization when Russian security services require hacking talent.
Examining three significant Russian cyber operations in depth shows how Russia’s views on information security and cooption of criminal hackers have played out in practice. First, the hack of Yahoo is perhaps the clearest example of how Russia’s security services use criminals. According to a March 2017 indictment by the US Department of Justice, two officers in the FSB’s Center for Information Security masterminded a plot to employ two hackers to compromise Yahoo’s networks and email accounts associated with persons of interest to the Russian state.5 One of the criminals, Alexey Belan, was actually on the run from a US international arrest warrant, and instead of arresting him the FSB used him to break into Yahoo, committing the biggest data breach of all time.
The second case, the operation by the Internet Research Agency to influence the 2016 US election via social media, is a classic example of disinformation. The small organisation of “professional trolls” in St. Petersburg demonstrated that by manipulating social media platforms they could fan the flames of partisanship and worsen US political divisions. As described in the Justice Department’s February 2018 indictment, the Internet Research Agency (IRA) conducted a multi-year campaign of “information warfare against the United States of America.”6 By posting highly partisan, inflammatory content and promoting it on wide-reaching platforms like YouTube, Facebook, Instagram, and Twitter, the trolls, with funding from the Russian government, aimed to sow discord and cause confusion in the US political system.
Third, the hack of the Democratic National Committee (DNC) and the subsequent release of emails associated with the Clinton campaign synthesised Russia’s political hacking and information warfare strategies. According to a July 2018 indictment, officers in Russia’s military intelligence agency, the GRU, compromised the DNC’s networks and the email accounts of Clinton campaign officials, stole thousands of internal emails, and then released them using pseudonyms like ‘Guccifer 2.0’ and through Wikileaks.7 The hacked emails provided the material for social media disinformation and influence operations aimed at damaging the Clinton campaign.
Moscow’s interference in the 2016 US election was a watershed moment in history. Putting aside its implications for domestic politics in the US and international affairs more broadly, it was an important wake-up call for Western countries to revisit their assumptions about Russia’s view and behaviour with respect to cyberspace. Russia’s explicit focus on information security is not hyperbole or propaganda but a comprehensive approach that views information operations and cyber operations as an integrated concept. With the Internet’s global reach and ability to broadly influence political discourse, Moscow can achieve its intended effects remotely and at scale. As a consequence, Russia’s aggressive pursuit of its interests in cyberspace using hacking and information warfare poses a unique set of practical challenges for policymakers in Western capitals.
1. Parts of this are based on and include extracts from “Russia: Information Security Meets Cyber Security” by Tim Maurer and Garrett Hinck, in Confronting an “Axis of Cyber?” edited by Fabio Rugge, ISPI, October 25, 2018, 39-58.
3. Timothy Thomas, “Nation-state Cyber Strategies: Examples from China and Russia,” in Cyberpower and National Security, ed. Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz (Dulles, VA: Potomac Books, 2009), 486.
5. Indictment at 2, United States v. Dokuchaev et al., No. 17-CR-00103 (N.D. Ca. filed February 28, 2017), https://www.justice.gov/opa/press-release/file/948201/download
6. Indictment at 6, United States v. Internet Research Agency et al., No. 1:18-cr-00032-DLF (D.C., filed February 16, 2018), https://www.justice.gov/file/1035477/download
7. Indictment at 1, United States v. Netyksho et al., No. 1:18-cr-00215-ABJ, (D.C., filed July 13, 2018), https://www.justice.gov/file/1080281/download