Russian Cyber Operations. Scott Jasper

       CHAPTER 2

       Asymmetric Arsenal Tool

Asymmetric approaches can generate significant advantage over a stronger power by leveraging vulnerabilities that are either overlooked or tolerated.¹ A 2018 report for the United States Senate noted that cyber operations are a prominent tool in the Kremlin’s asymmetric arsenal, which includes military invasions and other nonmilitary methods, such as organized crime, disinformation, corruption, and energy coercion.² The Kremlin has refined the role and use of asymmetric tools over time while increasing the production and deployment of formidable conventional and nuclear forces. In December 2015, President Putin approved a new National Security Strategy for his country. It declares that “one of the country’s fundamental long-term interests” is consolidating “Russia’s status as one of the world’s great powers.”³ The notion of great power status is a key component of Russian national identity and one that it appears impossible to relinquish.⁴ Therefore, the regime appears intent on using all means and measures, military and nonmilitary, at its disposal to achieve this status. In an energy-dependent economy constrained by Western sanctions and volatile oil prices, cyber operations are not a burden in macroeconomic terms.⁵ They are also not manpower intensive—ideal for Russia, which faces a shrinking population.⁶

In military operations, the term asymmetric infers “the application of dissimilar strategies, tactics, capabilities, and methods to circumvent or negate an opponent’s strengths while exploiting his weaknesses.”⁷ For Russia, that opponent is the United States and the North Atlantic Treaty Organization. The latest Russian National Security Strategy asserts that “the U.S. and its allies are seeking to contain Russia in order to maintain their dominance of world affairs, which Russia’s independent foreign policy challenges.”⁸ In response, an asymmetric approach permeates Russian military doctrine and the state armament program to execute it. To support great power ambitions, Moscow has prioritized the building of a robust military to project power and add credibility to Russian diplomacy.⁹ The result is visible posturing of the Russian military near NATO borders that alarms force commanders and foreign ministers.¹⁰ While Russia uses its military to overawe and misdirect the West, the country is in no position to wage a real conflict.¹¹ Instead, Russia prefers to test the thresholds of armed conflict, using cyber operations and other ambiguous means in its asymmetric arsenal in continual “day-to-day” competition with the United States and its allies.¹²

Two significant early incidents signaled Russian preference for cyber operations. The first occurred in Estonia in 2007, where they were used in an independent manner in a political dispute. The second happened in Georgia in 2008, where they were integrated “into a kinetic battle, not as a standalone effect, but rather as a force multiplier.”¹³ Russian cyber operations for denial of service in Georgia were familiar in tactics and methods to their application the year prior in Estonia. The only difference was that in Estonia they served as a form of coercion, while in Georgia they acted as a component of warfare. This chapter will describe how cyber operations fit into Russian national strategy and military doctrine. It will then evaluate the role and use of Russian cyber operations in the virtual protests in Estonia and in the state conflict in Georgia. The chapter will conclude with trends in Russian investments in asymmetric weapons, which indicate that cyber operations will remain prominent in Russian strategy and doctrine.

       Asymmetric Approach

The term asymmetry in warfare denotes the use of “some sort of difference to gain an advantage over an adversary.”¹⁴ One acts, organizes, and thinks differently from opponents to maximize one’s strengths and exploit their weakness. Critical components of asymmetry are cost, means, time, will, and behavior. Asymmetric approaches are well suited for the cyber domain as cyber operations can be low cost, technically superior, and persistent over time. They are often employed by an antagonist with the will to defend its survival or vital interests. Usually the actor operates under different views on ethics or laws while demonstrating irresponsible behavior. Asymmetry in the cyber domain is often presented by scholars in the context of the offense over the defense.¹⁵ A prevailing view is that “offensive operations are low cost and have a high payoff for the offense, whereas defensive operations are expensive and ineffective.”¹⁶ Part of this assessment is based on the seemingly endless ways to exploit human and machine vulnerabilities. The attacker has to succeed only once to penetrate a system, while the defender has to install layers of security to prevent every attack vector. Gen. Joseph Votel, the commander of US Central Command, further elaborates that “the cyberspace domain provides our adversaries an asymmetric advantage where they can operate at the speed of war without bureaucratic obstacles or concern for collateral damage, and at relatively low cost.”¹⁷

Strategic theorist Everett Dolman argues that “strategy, in its simplest form, is a plan for attaining continuing advantage.”¹⁸ Advantage may take the form of material, will, and ways to employ forces to achieve aims. Professor Lukas Milevski, at the University of Leiden, asserts that strategy may be “interpreted as the generation and exploitation of asymmetry for the purposes of war.”¹⁹ His conclusion is in line with an observation by Capt. Roger W. Barnett, from the Naval War College, that “asymmetries arise if opponents enjoy greater freedom of action, or if they have weapons or techniques available to them that one does not. Perpetrators seek to void the strengths of their adversaries and to be unpredictable. They endeavor to take advantage of an ability to follow certain courses of action or to employ methods that can be neither anticipated nor countered effectively.”²⁰ Milevski argues this statement could be conceived as the “very essence of strategy.”²¹ He points out that famed military theorist Sir Basil Henry Liddell Hart focused his strategic theories “on the indirect approach to create situations in which the enemy would be utterly helpless.”²² Russia continues to employ strategies designed to render the enemy hopeless and gain its surrender without undue bloodshed.

The Russian General Staff has “systematically explored the role of asymmetry in modern warfare, learned lessons from historical evidence worldwide, followed Western discourse on the subject, and generated insights from the benefits of the military theory and practice.”²³ The result of this exploration is evident in the observation by Andreas Jacobs and Guillaume Lasconjarias, at the NATO Defense College, that “Russia has developed the ability to employ non-linear and asymmetric tactics, in place of—or alongside—conventional means of warfare.”²⁴ Diego A. Ruiz Palmer, of the NATO International Staff, argues that what makes Russia’s use of asymmetric tactics and techniques different than other weaker opponents “is its scale.”²⁵ He claims that Russia has the “strategic capacity to use a mix of hard and soft power instruments to isolate and coerce weaker neighbors, while intimidating and deterring more distant, but also more capable, opponents.” Furthermore, Palmer states that Russia will apply hard and soft power “in ways that maximize asymmetric advantages for Russia, as well as minimize risks and costs.”²⁶ In an asymmetric approach, advanced technologies for military functions offer decisive advantage in the context of hostilities, while other advances in technologies for computer hacking aim to attain political advantage short of conflict.

       Strategy and Doctrine

The 2015 Russian National Security Strategy defines national interests and priorities in the sphere of domestic and foreign policy. The strategic planning document focuses on national defense, state security, economic growth, education, health care, culture, ecology, and strategic stability.²⁷ While the 2009 version had the same basic concerns, the new document “contains fiercer and