Cyber threats from the U.S. and Russia are now focusing on civilian infrastructure
Cyber-confrontation between the U.S. and Russia is increasingly turning to critical civilian infrastructure, particularly power grids, judging from recent press reports. The typically furtive conflict went public last month, when The New York Times reported U.S. Cyber Command’s shift to a more offensive and aggressive approach in targeting Russia’s electric power grid.
The report drew skepticism from some experts and a denial from the administration, but the revelation led Moscow to warn that such activity presented a “direct challenge” that demanded a response. WIRED magazine the same day published an article detailing growing cyber-reconnaissance on U.S. grids by sophisticated malware emanating from a Russian research institution, the same malware that abruptly halted operations at a Saudi Arabian oil refinery in 2017 during what WIRED called “one of the most reckless cyberattacks in history.”
Although both sides have been targeting each other’s infrastructure since at least 2012, according to the Times article, the aggression and scope of these operations now seems unprecedented.
Washington and Moscow share several similarities related to cyber-deterrence. Both, for instance, view the other as a highly capable adversary. U.S. officials fret about Moscow’s ability to wield its authoritarian power to corral Russian academia, the private sector, and criminal networks to boost its cyber-capacity while insulating state-backed hackers from direct attribution.
Moscow sees an unwavering cyber-omnipotence in the U.S., capable of crafting uniquely sophisticated malware like the ‘Stuxnet’ virus, all while using digital operations to orchestrate regional upheaval, such as the Arab Spring in 2011. At least some officials on both sides, apparently, view civilian infrastructure as an appropriate and perhaps necessary lever to deter the other.
Whatever their similarities in cyber-targeting, Moscow and Washington faced different paths in developing capabilities and policies for cyberwarfare, due in large part to the two sides’ vastly different interpretations of global events and the amount of resources at their disposal.
A gulf in both the will to use cyber-operations and the capacity to launch them separated the two for almost 20 years. While the U.S. military built up the latter, the issue of when and where the U.S. should use cyber-operations failed to keep pace with new capabilities. Inversely, Russia’s capacity, particularly within its military, was outpaced by its will to use cyber-operations against perceived adversaries.
Nonetheless, events since 2016 reflect a convergence of the two factors. While the U.S. has displayed a growing willingness to launch operations against Russia, Moscow has somewhat bolstered its military cyber-capacity by expanding recruiting initiatives and malware development.
The danger in both sides’ cyber-deterrence, however, lies not so much in their converging will and capacity as much as it is rooted in mutual misunderstanding. The Kremlin’s cyber-authorities, for instance, hold an almost immutable view that the U.S. seeks to undermine Russia’s global position at every turn along the digital front, pointing to U.S. cyber-operations behind global incidents that are unfavorable to Moscow’s foreign policy goals. A declared expansion in targeting Russian power grids could ensure that future disruptions, which can occur spontaneously, are seen by Moscow as an unmistakable act of U.S. cyber-aggression.
In Washington, it seems too little effort is dedicated to understanding the complexity of Russia’s view of cyber-warfare and deterrence. The notion that Russia’s 2016 effort to affect the U.S. presidential election was a “Cyber” or “Political” Pearl Harbor is an appropriate comparison only in the sense that U.S. officials were blindsided by Moscow’s distinct approach to cyberwarfare: an almost seamless blend of psychological and technical operations that differs from most Western concepts.
Russian military operators conducted what should be considered a more aggressive cyber-campaign a year before their presidential election-meddling, when they posed as ‘CyberCaliphate,’ an online branch of ISIS, and attacked U.S. media outlets and threatened the safety of U.S. military spouses.
For their part, the Russians made a different historical comparison to their 2016 activity. Andrey Krutskikh, the Kremlin’s bombastic point-man on cyber-diplomacy issues, likened Russia’s development of cyber-capabilities that year to the Soviet Union’s first successful atomic bomb test in 1949.
Western analysts, fixated on untangling the now-defunct concept of the ‘Gerasimov Doctrine,’ devoted far less attention to the Russian military’s actual cyber-experts, who starting in 2008 wrote a series of articles about the consequences of Washington’s perceived militarization of cyberspace, including a mid-2016 finale that discussed Russia’s need to pursue cyber-peace with the U.S. by demonstrating an equal ‘information potential’.
Despite Cyber Command’s new authorities, Moscow’s hackers are comparatively unfettered by legal or normative boundaries and have a far wider menu of means and methods in competing with the U.S. short of all-out war. Russian military hackers, for example, have gone after everything from the Orthodox Church to U.S. think tanks, and they launched what the Trump administration called the most costly cyber-attack in history.
In the awkward space between war and peace, Russian cyber-operations certainly benefit from the highly permissive, extralegal mandate granted by an authoritarian state, one that Washington would likely be loath (with good reason) to replicate out of frustration.
By no means should the Kremlin’s activity go unanswered. But a leap from disabling internet access for Russia’s ‘Troll Farm’ to threatening to blackout swaths of Russia could jeopardize the few fragile norms existing in this bilateral cyber-competition, perhaps leading to expanded targeting of nuclear facilities.
The U.S. is arriving late to a showdown that many officials in Russian defense circles saw coming a long time ago, when U.S. policymakers were understandably preoccupied with the exigencies of counterterrorism and counterinsurgency.
Washington could follow Moscow’s lead in realizing that this is a long-term struggle that requires innovative and thoughtful solutions as opposed to reflexive ones. Increasing the diplomatic costs of Russian cyber-aggression, shoring-up cyber-defenses, or even fostering military-to-military or working-level diplomatic channels to discuss cyber redlines, however discretely and unofficially, could present better choices than apparently gambling with the safety of civilians that both sides’ forces are sworn to protect.