Dani asks: how does cyber fit into modern warfare strategies? How have cyber strategies evolved in the last two decades, what can we learn from the uses of cyber capabilities in Russia's invasion of Ukraine, and how should the U.S. evolve its cyberwarfare strategy going forward? We will be exploring myths of cyberwarfare strategy - like the escalation of cyber offense into kinetic warfare - and examining where and why cyberwarfare has been effective or ineffective.
History of Russian Cyber Strategy: https://www.boozallen.com/c/insight/publication/the-logic-behind-russian-military-cyber-operations.html
Hi everyone. This is Danielle. We're recording this episode of Cyber dot RAR on April 19th, 2022. We'll be covering the Russian invasion of Ukraine, a conflict which is very much ongoing; with that in mind, much of what we discuss on this podcast may have evolved by the time you listen to it, but it's still worth the listen. Please enjoy!
Michaela: This is Michaela, welcome to Cyber dot RAR, a podcast by Harvard Kennedy School students. I'm one of your hosts, and today, Dani, one of our resident experts, is answering the question: how does cyber fit into the modern battlefield, especially within the context of the Russian invasion of Ukraine?
Dani: For years, military strategists and cyber scholars have predicted an age of devastating cyber warfare in which adversaries are able to swiftly eliminate critical network infrastructure, leading to massive loss of civilian life and national resources. Russia's 2022 invasion of Ukraine seemed like a likely arena for demonstrating this kind of warfare. What actually happened, and how should we interpret Russia's actions in the context of our evolving understanding of the patterns of cyber warfare? How should that inform the U.S.'s strategy of cyber war?
Dani: Hi everyone. I'm excited to be talking with you all about Russia's cyber actions in Ukraine, and what those actions mean for the future of cyber warfare strategy.
Bethan: Yeah, this is going to be a really great conversation.
Michaela: So maybe to kick it off, Dani, what's the context for US cyber strategy that we need to understand, to interpret Russia's cyber actions in Ukraine and the US’s responses?
Dani: Yeah, I think that's exactly right, Michaela, we have to start by looking backwards, because the US cyber warfare strategy has changed pretty dramatically in just a decade. So, if we look back to 2012, then-Secretary of Defense Leon Panetta warned that the nation faced the threat of a "digital Pearl Harbor." And the idea was that this would be a devastating attack on critical national infrastructure. Panetta would later say he was being deliberately hyperbolic and kind of attempting to shock the American people into understanding cyber warfare was something we needed to take seriously, but whether he was being realistic or hyperbolic, that idea really took root, and theories about a digital Pearl Harbor or cyber 9/11 really dominated analyses during the early days of US CYBERCOM. And so, while the US was worried about this sort of sudden and devastating attack, it was also sorting through how to treat cyberspace as a new domain for conflict, knowing that however it chose to arm itself, it would create a global norm for what its adversaries would do. So, we sort of had these two priorities: one, wanting to be able to anticipate and defend against these devastating attacks, meaning we'd need to be at the forefront of the field of cyber weaponry and preparedness, but also wanting to avoid the kind of armament and aggressive action that would precipitate this escalation by other nations.
So just a short two years after Panetta's statement, his successor, Secretary of Defense Chuck Hagel, spoke at NSA and CYBERCOM in 2014 and said that the US would "maintain an approach of restraint to any cyber operations outside of US government networks. The US does not seek to militarize cyberspace." So, this is a really notable statement that we're going to be deliberately restrained. And that sentiment, that the US should avoid the use of cyber as a combatant space, would dominate the next few years.
So, for example, domestic war gaming showed that the U.S. military was really reluctant to deploy cyber-attacks or counterattacks out of concern that the conflict would escalate, including into kinetic, even nuclear, attacks. And the US showed this in its foreign policy responses. It persisted in responding to foreign adversaries' cyber-attacks with non-cyber measures, measures like sanctions, public attributions, indictments.
The one that comes to mind for me is, is China's hack of OPM. And the fact that we didn't respond to that with cyber measures.
Winnona: I mean, but what's the benefit of responding to a cyber-attack with cyber measures when you have all of these other policy options in the toolkit, right? Like just because an adversary did something in cyberspace doesn't mean that the US should needlessly constrain ourselves in the cyber arena.
Dani: Yeah, I think what we were seeing with that strategy was less a commentary on the usefulness or not usefulness of non-cyber actions, and more a reluctance to escalate cyber armament. So I think, I think we've seen various successes and failures with some of those non-cyber tools, but that can occur distinct from whatever our cyber strategy might be.
Sophie: Do you think that will change as we develop our ability to quickly attribute cyber-attacks? Is it a question of attribution that makes us sort of more reluctant to respond in other domains in cyber?
Dani: Yeah, I think that's spot on, especially because we've seen an evolution in how our national security personnel talk about attribution. One of the common refrains in the early days was it's very difficult to do attribution, so we're reluctant to respond in kind, and that's really shifted in the last few years.
So, despite this policy of restraint, we've had a militarization of cyberspace anyway, especially since that pronouncement about a digital Pearl Harbor. We've seen a stratospheric rise in cyber-crime, as well as increased nation state attacks on private enterprises. An example that our listeners might be familiar with is North Korea's attack on Sony. And it's really difficult to say whether the US's strategy of restraint worked. Maybe if we hadn't pursued it, we'd have seen a faster escalation of the use of cyberspace, and wondering about that gets us into counterfactuals; but it also may be that our adversaries just didn't believe we were truly attempting to strike that balance of publicly urging restraint while privately preparing, and that our public actions didn't inform their own behavior. And really it was our private actions to build up our offensive capabilities that spurred the heating up of cyberspace. So, in that sense, the developments of the mid-2010s aren't actually a good test of whether restraint works.
Winnona: And so, when you're talking about restraint, just to frame this conversation a little bit better, you're not referring to, for example, US operations covertly in cyberspace, you're not talking about Stuxnet in here. You're talking more about CYBERCOM take-downs and other forms of actual military operations. Right?
Dani: Exactly.
Winnona: Okay. And so I guess my follow up to that, especially with this model that maybe I've had some problems with in the last couple of years being in this space, but when we're talking about a cyber 9/11 or a cyber Pearl Harbor, that has so many connotations that fundamentally cyber is not. For example, cyber is not going to shock and awe in a lot of senses, and, you know, certain good cyber operations, like Stuxnet, have been very covert, where you didn't even realize that there was a cyber component. But maybe that's just my own gripe.
Dani: I think that's a really prescient description of what happened. When this domain was new and sort of sexy in the world of national security, that's what we were expecting: a shock and awe attack. And the reality has been kind of much more subtle when we think about where the most effective cyber-attacks have been.
Sophie: Well, it seems like coming back to the question of attribution, Dani, it seems like, no matter what the attribution, the US’s original approach isn't working. So can you talk about how the US has adapted its approach?
Dani: Sure. So, in 2018, the US released a new cyber strategy, and this one emphasized something called persistent engagement. The basic idea is that the best defense is a good offense, and the US needs to be consistently engaged with its cyber enemies and overall enemies. So since then, we've shown less restraint and a more proactive defense, including responding to ransomware attacks with counterattacks, deploying forward teams to find and eradicate threats. And we also incorporated cyber-attacks into kinetic actions, which is a really notable shift. So, in 2019, the US responded to Iranian aggression against US drones and international ships with a cyber operation. And then again, in 2019, the US announced it had planted malware on the Russian electrical grid as a cyber deterrent. So, where we are now, it's sort of testing the boundaries of this new strategy and finding out exactly what kind of response we precipitate in our adversaries with these new actions. So that all being said, yes, we are in a new world of US cyber strategy. But in many ways, we're matching the aggression that's already been shown by our adversaries, rather than moving the goalposts ourselves. So, we still don't have a good test of what happens when the US decides to use overwhelming force in cyberspace.
Bethan: So, applying this to what's dominating the news headlines at the moment, how have these dynamics played out in Russia's ongoing invasion of Ukraine? And for the record, we're having this conversation in mid-April, just to set the stage for where we are when this will be released. I'm sure the dynamics will have evolved.
Dani: So, recall, I just mentioned, it's not that the US is moving the goalposts ourselves. We're sort of matching the posture of our adversaries. Russia is one of those adversaries that, in the past decade, we've seen be really quite unafraid of potential escalation in cyberspace and quite bold in their use of it as a tool. So, in that sense, their cyber strategy has traditionally differed from the US's, and that's why we expected a really dominant show of cyber force during its invasion of Ukraine in 2022. If we look especially at its actions in its neighboring areas, we've seen it's unafraid to use those tools. We had hacking and election interference in Crimea in 2014, the attack on Ukraine's power grid in 2015, the NotPetya attack in 2017. I think one thing that came out recently that I found quite interesting: Booz Allen Hamilton tracked over 200 attacks by the GRU from 2004 to 2019. They show that those map quite consistently to Russia's published military doctrine. Its last doctrine was published in 2014 and is supposed to run through at least 2020. And what we saw from that, in and among what often feels like quite a noisy space of nation state actors, cyber-crime actors affiliated with nation state threat groups, just a lot going on… is that when you zoom out and take a big picture view, there is quite a pattern to it. And we see at least the GRU engaging targets that map to its military doctrine. And I think that's important because it tells us what to expect in future kinetic warfare.
Winnona: I want to foot stomp on that. I can't believe I just said that. Oh God. I've decided that we're all going to keep this audio in the podcast. Uh, I, I do want to emphasize that because I think it's a really, really good point. I mean, you even see that in China's cyber espionage campaigns and how they map almost perfectly to the five-year plan. Like I think there are a lot of misconceptions about cyber and that it can be like a strategic thing, like cyberwar. Thomas Rid has that seminal piece, Cyber War Will Not Take Place, and fundamentally the points that you're making here, and similarly the points that he makes, is that cyber is a domain and you can use tactics in a domain, and they're going to match up with your overall strategy because you're using cyber as a domain to achieve your strategic goals.
Dani: I think that's really well said. It's not, however, what we sort of were all expecting when this invasion started. It's like we've sort of forgotten the last decade of learning, and all of a sudden went back to expecting this digital Pearl Harbor. And we did see some attacks sort of right before the, the kinetic invasion, in particular DDoS attacks on banks, malware wiper attacks on government networks, and an attack on Viasat, a high-speed satellite broadband service, but it wasn't the devastating critical infrastructure attack that is called to mind when you talk about a digital Pearl Harbor. One really meaningful example of this for me is that President Zelensky was still getting cell phone videos out and waging one of the most successful PR campaigns in recent history, which secured really meaningful resources for his country. And, and that just doesn't happen if the dynamic of cyberwarfare is you land a really devastating first blow, that first, you know, 9/11; you sort of don't allow that kind of communication to continue to happen.
Bethan: Right. When you think about what he's been able to get out, I mean, he was at the Grammys, he has a full-on PR campaign that's incredibly powerful. And you would think that would be Putin's first priority to take down, because President Zelensky has a voice on the international stage, and strategically that is something that Putin needs to be considering, and it seems like either he's not, or isn't capable of it.
Sophie: Well, it speaks to one of the criticisms that Dani raised, which is that, even if the cyber aspect doesn't have the sort of shock and awe quality that we may have expected before mid-February, and even if it's taking sort of a back seat compared to kinetic activity, it is true that Russian cyber activity is poorly coordinated with other aspects of Russia's war effort. And maybe that's what's leading to some of these criticisms that are coming out in the popular press and academia. I wonder what your thoughts on that are, Dani?
Dani: Yeah, you're, you're previewing sort of where I've landed on all of this, which is that this isn't the great test case for "what role can cyber warfare play", largely because Russia's strategy overall has been shown to have serious flaws. And so, if your overarching strategy is flawed, the use of your auxiliary tool, which cyber is, there's a good chance that will also be flawed. And that, that flaw is not indicative of cyber overall as a form of warfare so much as it is indicative of its application in this case. I think we see that in the way that there was sort of a low level of cyber engagement at first, and in late March, and now we're into early to mid-April, we're seeing a ramping up of those attacks, which is in line with the sort of repositioning we've seen for Russia's kinetic forces. So a lot has been coming out in the last few weeks: we had Ukraine's CERT warning against a phishing campaign targeting Ukrainian public authorities, that came from threat group Primitive Bear, which is an FSB group; wiper attacks, more wiper attacks against telecoms; Russian interference with GPS near Finland; you know, it kind of goes on and on, and that might be part of a successful repositioning that we then evaluate in a different light than the initial use. Winnona, I think you'd probably have thoughts on this; I'd love to hear what you're thinking.
Winnona: I do, but for our listeners who may not know what a wiper attack is, basically what a wiper attack is, is wiping or overwriting or removing data from a victim machine, which can be done through a variety of ways. But the goal is to basically be disruptive. My question though, or maybe a remark, I hate being that person that's like, this is a question, but it's actually a statement.
Dani: We love your statements though, so we want you to give it.
Winnona: Thanks guys. Um, so my remark, kind of moving back to Dani and Sophie's point, is the left hand not talking to the right hand and how we're not seeing very much Russian cyber integration with their more kinetic military. And I wonder if that's due to the dual nature of cyber as an intelligence as well as a military force, where you see a lot of really well-developed and well-executed Russian espionage campaigns. But I wonder how that is relating to their actual military operations and organizational structures. Where you see that, like, that's one of the reasons why NSA and CYBERCOM are dual-hatted with each other.
Dani: That's a great question. And I think, especially given the commentary we're hearing right now about Russian intelligence failures, uh, leading up to the invasion, it's another space where there might be complicating factors in terms of our interpreting what went on. Certainly, when you look at earlier days of US cyber strategy, that dual use between intelligence and actions-on complicated the use of actions-on, with, you know, intelligence services unwilling to compromise access in order to deliver cyber payloads. We've gotten better about sort of resolving that cooperation, and I think we're having the left hand talk more to the right hand in the US at least, but it very well could be that Russia is experiencing the same thing, and that we're seeing that play out in this invasion.
Sophie: I think we should also remember that we're early on in this conflict, and just because we haven't seen the sort of doomsday predictions materialize yet in cyberspace, we should also consider that that may be a strategic choice in and of itself. I think Putin understands that if he launches a crippling malware attack on Ukraine and that malware seeps across to NATO borders, he's going to have a bigger problem on his hands. And just because we haven't seen that attack materialize yet, I wonder if that's part of a broader strategic consideration, and that, that may yet be to come.
Dani: Yeah, I think that's spot on.
Michaela: Yeah. In addition, we might not want to think about this in a vacuum. The US and our allies, we're looking at this and learning from this, but our adversaries are also learning from this: learning from the mistakes that the Russians have made. And so in the next engagement or conflict that we might see, our adversaries might have learned from the lack of coordination on the Russian side. And we want to be prepared for that.
Dani: Yup. I do want to note sort of some things we got right, because we've talked a lot about what we predicted that hasn't panned out. So Sophie, your point, that we may yet see different kinds of cyber-attacks and that what's going on right now is a deliberate restraint on Russia's part, I think there's a good chance of that. Another feature that we sort of predicted, including from the early days of US cyber strategy, was the risk that anybody could engage in cyber warfare, and so we'd have this sort of free-for-all if this domain was really developed. We have seen a lot of presence of hacktivists on both sides: organized crime on the Russian side, the Anonymous collective on behalf of Ukraine, another collective, Network Battalion 65, and one of Ukraine's ministers, you know, invited hacktivists. So this is a really sort of new stage of non-state players getting involved in a conflict domain. So, I think that prediction did play out, and I'd be curious to see going forward how nation state strategists sort of absorb that development and deal with it within their strategies. The other thing that played out was an example of the US's 2018 cyber strategy, this persistent engagement strategy. So, the US and Ukraine are fighting back. We had preemptive measures against the GRU Sandworm botnet; that was in March 2022, their botnet Cyclops Blink. General Nakasone recently acknowledged in his testimony to Congress providing readiness and intel services to both the US and its allies, and also in direct support of Ukraine, including network hardening services and threat hunting. Meanwhile, US companies, Microsoft notably, are disrupting GRU cyber operations. So, both in the public and private sector, we are seeing this aggressive defensive action that we said we were going to do. And when we talk about the failures of the Russian attack, I think a lot of that has to be attributed to really good responses by the US and its allies.
So we've talked a lot about different players, things that panned out as we expected, things that didn't pan out as we expected. I guess I want to turn it over to you guys and be curious: what do you make of all of that? What does that mean for the future of our cyber warfare strategy? How does it fit with your expectations? How do you change what you think we should be focused on going forward?
Winnona: Can I just say something that I'm going to cut out of this podcast, but I've been thinking of for the last five minutes, since you were like, "we got a bunch of stuff wrong, but we got a bunch of stuff right." Is this an equivalent of a rose, bud, thorn assessment of US and Russia cyber capabilities?
Sophie: Well, one thing that this illustrates to me is that there needs to be a much clearer and easier way for the private sector to coordinate with the government on understanding both from an attribution perspective, but also just generally at a strategic level, understanding how cyberspace is evolving as a domain of war, because a lot of these attacks, most of these attacks, all of these attacks, use private sector infrastructure, and there needs to be a better way for the government to have a clear understanding of the operating picture, and a lot of that comes from the private sector.
Bethan: I think this goes back to Dani's point earlier about this being a very crowded space. You've got a nation state, you've got non-state actors, you've got the private sector who enable a lot of this, or as Sophie said, all of this. So how do we go about thinking strategically about all the different actors, or stakeholders as we talk about in many of our HKS classes, and mapping that? Is it even possible at this point, and how do governments wrap their minds around that? I think that will be a conversation that flows and will continue, and it also comes up in many of our podcast's episodes.
Dani: Good HKS shoutout.
Bethan: Oh, absolutely. That's why we're all here.
Winnona: I do want to make a couple of points about specifically the hacktivists as well as private sector engagement. I mean, when we're talking about this being very crowded, I will also say that the effectiveness of the actor really depends on how poorly certain systems are defended. And I think that with regards to individual hacktivists, yes, there are some very, very talented individuals, and there is no mistaking that in a lot of ways, the US government and other governments focus largely on corporations rather than individual researchers or individual hacktivists, which, you know, we can debate whether or not that's the right choice to make or how we can interact with these individuals, and, you know, especially those individuals that are helping support the Ukrainian government. And then on the private sector point, I think private sector and the government are kind of working hand in hand with regards to shutting down this activity. But fundamentally the incentive there is user security. You don't want this abuse on your platforms. And in this case, the incentives are really aligned here. And I think that it's important that when we're doing, as Bethan says, stakeholder engagement and analysis, that we should figure out when these incentives are aligned and take advantage of those situations.
Sophie: Winnona, what are your thoughts on how we communicate that from a government perspective? Because, after the US government received credible threats that Russia would launch some type of attack on US infrastructure, CYBERCOM and NSA launched their Shields Up campaign. To me, it sort of felt like it fell somewhat on deaf ears. You didn't see a lot of coverage on it in the news. And I wonder if that messaging was quite right or are we at risk of crying wolf too many times?
Winnona: So, I mean, you probably know just as well as I do, Sophie, from working in the industry. I will couch, all the caveats of like, I've never worked in government, we are not representative of any institution. But I mean the whole industry, especially the defensive side, suffers from alert fatigue. I mean, you work in a security operations center. There's a lot of false positives in your alerts. There's a lot of feeds where you don't know where the data is coming from. You don't know the veracity of whether or not something coming up your triage queue is actually an incident or is something that doesn't really matter. And so, specificity really matters when it comes to government alerts. And I think that that's something that CISA, NSA and CYBERCOM had in the Shields Up issue, where we get alerts all the time about potential threats. When the government is specific, they provide indicators of compromise, they say, "Hey, this is the Russians; here are their domains; here's a sample of their malware", that is really effective. And I think a generalized warning is really hitting below the mark.
Dani: I do want to offer one caveat for that, which is, I agree with you, Sophie, we didn't see a lot of coverage in mainstream media, and I also agree with Winnona, there's definitely alert fatigue, but I don't know that any of us sort of were on those calls that CISA initiated with potential targets after they did the Shields Up call. And so it may be that there's an awareness and a sort of readiness of posture within those private companies that just isn't trickling to the outside.
Winnona: That's entirely fair. And like, you know, if we have at least one US company that saw that Shields Up campaign, decided to implement two-factor, and that prevented some Russian hacktivists from getting into their systems, that's a win.
Bethan: Yeah. Like we don't, we can't, we don't know from where we're sitting what those impacts are. However, that's not to say we can't question: are we getting that fatigue? And is this really the most effective way to communicate these risks? And I think that's a broader policy issue as well: what is the most effective way, and how do we even study that or decide that?
Sophie: And how do we resource smaller companies who are not Google and Microsoft so that they have the right tools, right people, and right information to be able to address these threats?
Bethan: And this is something Sophie and I will be talking about in our episode. We really want to expand the defense industrial base with small businesses and diversify away from the major primes. But how do we support those small businesses with the capabilities to work in national security and strategic technologies, when they could be putting themselves at a higher risk of attacks? So again, looking forward to that.
Dani: Yeah, I'm looking forward to that conversation. So I think about where we've traveled today and then where we've ended up. I think there are a few things that we learned. One is that Russia's invasion of Ukraine and its use of cyber warfare is not indicative of cyber warfare as a tactic, largely because it's occurring within the context of an overall military campaign that already had major strategic flaws exposed in it. It's also not proof that Russia's cyber arsenal is weak or not as bad as we thought it was, which was one of the takes that I think came out originally to explain why we weren't seeing overwhelming cyber force from Russia. I do think that this invasion is a reinforcement of that US 2018 strategy and the value of doing the kind of network hardening and threat hunting that the US and Ukraine have done. And I think it's a really important reinforcement and encouragement to keep doing that kind of work. And then finally, there are some takeaways here for our partnerships with the private sector around being conscious of giving specific and actionable intelligence to them, avoiding alert fatigue, and figuring out how to help not just our big private partners but sort of engaging everybody in the fight.
Thanks everybody. This has been really wonderful to chat with you; looking forward to being with you next time. Tune in.
Michaela: Thanks Dani. This is Cyber dot RAR.
[Background chatter]: One day we'll be in, one day all of us will have the visibility and be in the room, and then we'll look at each other.