Russian Cyber Operations. Scott Jasper
actions that cause instability and threaten Russian national security.”29 The 2015 National Security Strategy claims Western powers are “flouting international law” and intervening in “countries to change their regimes, consequently spawning terrorism” and “destabilizing the international security environment.”30 The buildup of NATO is singled out as a threat that could spark conflict “because the alliance is expanding its military infrastructure towards Russian borders.”31 Primarily in reaction to Western practices, the 2015 National Security Strategy makes it clear that the “Kremlin considers Russia to be a major power within the global system.”32 It consequently recognizes that there has been an increase in Russia’s role “in resolving the most important international problems, settling military conflicts, and ensuring strategic stability and the supremacy of international law in interstate relations.”33
The recognition of an increased role in the global system confirms Moscow’s intentions to assert influence with all the tools at its disposal.34 The 2015 National Security Strategy states with flagrant transparency that “interrelated political, military, military-technical, diplomatic, economic, informational, and other measures are being developed and implemented in order to ensure strategic deterrence and the prevention of armed conflicts.”35 While the strategy appears to prioritize the use of nonmilitary methods and means based on the “principles of rational sufficiency and effectiveness,” it does note that the capacity of the armed forces is essential for the achievement of both precepts of deterrence and prevention. Thus, plans to improve the state’s military organization are outlined in the new strategy, including “equipping the Armed Forces of the Russian Federation, other troops, military formations and agencies with modern weapons and military and specialist hardware.”36
The 2015 National Security Strategy also identifies a number of domestic challenges that could undermine the ability to play a leading role on the world’s stage. In the sphere of the economy, the main threats to national security are a stagnant export / raw materials model, lagging introduction of future technologies, a progressive shortage of labor, and the persistence of a shadow economy and conditions for corruption. In addition, restrictive economic measures imposed against Russia are seen as having a negative impact on economic security. Although Russia has survived four years of sanctions,37 gross domestic product (GDP) growth in 2017 was far lower than in neighboring countries such as Poland and Turkey.38 In regard to demographics, the 2015 National Security Strategy seeks to create the conditions for stimulating the total fertility rate, which at 1.3 births per woman is well below the replacement rate of 2.1 to maintain a stable population, and reducing mortality, where the death rate is far higher than the world’s average, reflected in a life expectancy of Russian men at 59 years.39 For Russia, a country with a GDP ($1.28 trillion) smaller than that of the state of Texas ($1.70 trillion), the need to modernize the economy and overcome demographic pressures hampers the fielding of a military worthy of a great power.40
The 2015 Russian National Security Strategy states that the “fundamental principles of military policy” are set out in the Military Doctrine of the Russian Federation. The latest such document was approved by President Putin on December 25, 2014. This edition contains little that is new, other than an emphasis on information warfare and concerns over the establishment of regimes in bordering states whose policy threatens Russian interests.41 The Military Doctrine opens with an assessment of world development as “characterized by the strengthening of global competition.”42 It identifies main external military risks, including the expansion of the NATO alliance, deployment of military contingents and exercises in territories contiguous with the Russian Federation, and deployment of strategic missile defense systems. It also describes the features of current military conflicts, including the integrated employment of military force and political, economic, informational, or other nonmilitary measures, and the use of indirect and asymmetric methods of operations. It recognizes that information and communication technologies (for cyber operations) are being used for military-political purposes counter to international law and are being “aimed against sovereignty, political independence, [and] territorial integrity of states.”43 Although the use and aim of these technologies is stated as a danger to the Russian Federation, the case studies in Estonia and Georgia demonstrate the contrary—of a “mirror image” imposed by Russia on other nations on its periphery.
Cyber Coercion
Scholar Dmitry Adamsky claims that the current Russian art of strategy is one of “cross-domain coercion.”44 The strategy of coercion, according to Thomas Schelling, “includes ‘deterrent’ as well as ‘compellent’ intentions.”45 The deterrent component prevents undesirable actions by instilling a fear of consequences into a targeted actor if the act in question is taken, whereas the compellent component offers the actor positive reinforcement for taking actions he otherwise would not. Compellence usually “involves initiating an action . . . that can cease . . . only if the opponent responds.”46 The 2014 Military Doctrine codified the ideas inherent in nonnuclear deterrence (and possibly compellence).47 By employing asymmetric means, the weak player can impose its political will on a stronger one, without a traditional decisive battlefield victory. The asymmetric approach prevents military confrontation or mitigates its consequences. Cyber operations are an element of cross-domain coercion, but their ability to produce strategic effects was tested in the crisis in Estonia, against a member of the NATO alliance (see map 2.1). The Russians sought to achieve coercive concessions by “demonstrating their power to hurt digitally and by imposing costs.”48 Although the cyber operation “achieved a dramatic effect,” Professors Brandon Valeriano, Benjamin Jensen, and Ryan Maness conclude in their seminal work on cyber strategy that there “was no concession.”49 The Russians were able to shut down governmental and civilian websites in Estonia with DDoS attacks generated by individuals and botnets (swarms of computers hijacked by malicious code). Their use of patriotic hackers and refusal to allow investigations on their territory prevented attribution for what could have qualified as a use of force.
2007 Estonia Assault
During the months of April and May 2017, Estonia suffered through a blistering cyber onslaught. The incident began with rioting and looting in the streets over the relocation of a Soviet war memorial, and the remains of Soviet soldiers buried beneath it, from the center of Tallinn to a war cemetery on the outskirts of the capital. The six-foot-tall bronze statue of a soldier wearing a uniform of the Red Army signified the supreme sacrifice of eleven million comrades made during the “Great Patriotic War,” the Russian term for World War II.50 Yet for a country no longer under Soviet occupation, the monument, located at a busy intersection, had become to many Estonians a symbol of suppression of independence. A beleaguered Russian minority begged to differ and protested as the date for dismantling the monument approached. The initially calm protests escalated into violence with looting. Estonian police arrested hundreds, and one fatality occurred. The Kremlin vocally expressed displeasure at this perceived violation of Russian rights, although instead of military action, Russia imposed retaliatory economic measures and severed passenger services between Tallinn and Saint Petersburg.
Estonian leaders were fully aware of the potential for an ensuing “cyberriot,” a catchy term coined by The Economist magazine.51 The Estonian director of computer emergency response said, “If there are fights on the streets, there are going to be fights on the Internet.”52 The danger was clear, for Estonia had evolved since the mid-1990s into an e-state with Internet-based service solutions. Hence, the Internet in Estonia had become a daily feature of life for many citizens. For instance, some 40 percent read a newspaper online daily, and 97 percent of banking transactions took place electronically over the Internet. Estonians used Internet connections to pay for street parking and bus tickets, to vote, and to pay taxes.53 By 2007, 98 percent of the territory in Estonia had Internet access, either fixed line or mobile wireless.54 Despite nearly ubiquitous Internet access and usage, Estonia was not ready