Warfare by Another Name: Russian Computer Hacking Against the United States and the West Jumada I, 1438 - February 2017

Dirasat No. 20, Jumada I, 1438 - February 2017

Jack Caravelli & Sebastian Maier

© King Faisal Center for Research and Islamic Studies, 2017

King Fahd National Library Cataloging-In-Publication Data
Caravelli, Jack
Warfare by Another Name: Russian Computer Hacking against the United States and the West, / Jack Caravelli ; Sebastian Maier, - Riyadh, 2007
34 p ; 16.5 x 23 cm
ISBN: 978-603-8206-23-2
1 - Russia - Foreign relations - United States I - Sebastian Maier (co. author) II - Title
327.73047 dc 1438/6686
L.D. no. 1438/6686

Table of Contents

Abstract
Introduction
“Nonlinear War” or Making Sense of the Gerasimov Doctrine
The Importance of Resilience in the Cyber Domain
The Aftermath of the Edward Snowden Leaks
Disruption and Hacking Surrounding the 2016 US Presidential Election
Beyond the Political: Industrial Espionage and Cyber Fraud against the US
Manipulation Attempts in the Run-Up to the Elections in France and Germany in 2017
Conclusion

Abstract

Russia has developed one of the world’s most extensive cyber warfare capabilities and views those capabilities as a means to advance its strategic objectives in both war and peacetime. This paper examines Russia’s approach to the use of its cyber capabilities and how they are integrated into Russia’s broader objectives for dealing with its adversaries. Particular focus is placed on Russia’s unprecedented use of cyber to influence political elections in the West, including in the United States, France and Germany.
To further its objectives, Russia also has used relations with outsiders such as WikiLeaks to disseminate information considered damaging to Russian foes such as the US political campaign of Hillary Clinton. The paper concludes that there are very limited means to either deter or hold accountable Russian uses of cyber, implying Russian cyber attacks will continue and could easily expand to Middle East nations.

Introduction

The development of the Internet and the computers that access it are among mankind’s greatest scientific achievements. Together, they form cyberspace, “the realm of computer networks (and the users behind them) in which information is stored, shared and communicated online.”(1) Behind this definition there occurs an almost endless series of global cyber activities daily. They can encompass everything from sending a simple birthday greeting to a friend across the globe to corporations or medical institutions exchanging data with their counterparts and dialogue occurring within or between governments.

The people who developed the Internet intended that it would be free and accessible to all. By harnessing the use of information, they wished to make science serve the greater human good. That idealistic and even noble view has been achieved in numerous ways, including through the examples mentioned here. By any standard, the Internet is a wondrous development that advances global prosperity.

That is only part of the story, however. At the same time, the promise of the Internet also has given way to a darker reality. Today, cyber criminals carry out numerous cyber attacks that provide enormous financial gain through such activities as stealing proprietary data. Moreover, terrorist organizations such as Daesh use the Internet as a means to propagate their violent visions, encourage their followers, and recruit new adherents.
Another growing threat is the use of the Internet by various nations wishing to advance their political goals. China, North Korea, and Iran all have mastered the Internet in ways designed to further their policy ends of disrupting their enemies and undermining opposing governments. China, for example, robbed the U.S. Office of Personnel Management of the personnel files of 22 million Americans who had served their government in various capacities.

(1) P. W. Singer and Allan Friedman, Cybersecurity and Cyber Warfare: What Everyone Needs to Know (Oxford: Oxford University Press, 2014), 13.

Perhaps above all, no nation has used the Internet in more creative and politically motivated ways than the Russian government and those who work on its behalf. Russian cyber attacks against the West, which are often, though not always, launched against the United States, are persistent, effective, and growing in scope and nature. Moreover, cyber attacks can be as devastating as kinetic attacks, albeit in different ways.

Through much of the twentieth century, and certainly since the end of World War II, the Soviet Union, and then Russia, have sought to use propaganda and related techniques to influence or gain advantage over other nations. Of course, Russia’s use of the Internet to carry out cyber attacks is more recent, but it still spans several decades.

The 1991 collapse of the Soviet Union resulted in the steep decline of what would become the Russian military. In ensuing years, the Soviet political collapse also became a financial collapse, and for a long time the military would be starved for financial support. Senior military commanders saw that the relatively low costs of conducting information warfare and cyber operations were a way to compensate for some of the growing shortcomings in other areas of combat capabilities. At the same time, Russian military strategists, who were always keenly aware of what their adversaries were doing, also studied the importance of U.S.
electronic warfare operations in the 1991 U.S.-led war to oust Saddam Hussein’s Iraqi military forces from Kuwait. As a result, the combination of need and the recognition of U.S. advances in cyber warfare led Russia to fully embrace the need for a robust set of cyber-warfare capabilities.

Revealing Attributions: Operation “Moonlight Maze” and “Grizzly Steppe”

Improvements did not happen overnight, but they did slowly emerge. In 1998, the U.S. Federal Bureau of Investigation (FBI) carried out an investigation it called Operation Moonlight Maze in response to a series of attempts to break into computers where information regarding sensitive U.S. Air Force technologies was stored. In particular, the information was held at Wright-Patterson Air Force Base in Akron, Ohio, one of the air force’s top research and development centers. There also were attacks against computer networks at two of America’s most important nuclear weapons facilities, Sandia National Laboratory and Los Alamos National Laboratory, both in New Mexico. The investigation resulted in the FBI’s conclusion that thousands of pages of documents had been stolen and the hacking operation had been extended to other nations, including Germany, the United Kingdom, Canada, and Brazil.

This was not the first time Germany had been victimized by a hacker. In the 1980s it had been targeted by a German citizen, Markus Hess, who sold German secrets to Russia. That episode underscored the importance of identifying insider threats. The FBI found that four Internet addresses listed in Russia were involved in the late 1990s attacks, although the Russians never acknowledged any role in them.

In 2007, Russia began carrying out government-sponsored attacks against selected Western nations, including Estonia, Lithuania, Poland, and Georgia.
For example, in April and May 2007, Russian hackers launched cyber attacks against the Estonian government and financial institutions in retaliation for Estonia’s decision to remove a Russian World War II memorial. A year later, in June 2008, the Lithuanian government’s webpage was defaced and the Russian symbols of the hammer and sickle were inserted on it as punishment for similar perceived “crimes.”

None of this came as a surprise to astute observers such as Michael McFaul, a former U.S. ambassador to Russia. Speaking several years ago, McFaul said that “for years now the Kremlin has looked for ways to disrupt democracies, to help the people that they like to come to power and to undermine the credibility of the democratic process.”(2)

(2) See “The Key to Putin’s Cyber Power,” The Atlantic, December 30, 2016; interview with Uri Friedman.

There is little doubt that those attacks and subsequent Russian cyber attacks against even more formidable targets, such as the United States and Germany, can be traced to official actions. The GRU, the Russian military intelligence organization, and the FSB, the successor to the notorious KGB, maintain a dedicated cadre of cyber experts.(3) Moreover, and equally important, the foreign intelligence service, known as the SVR, closely monitors the Western media and bloggers for insights and information that can be used or distorted to serve Russian political goals.

In late 2016, a joint U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) report titled “Grizzly Steppe: Russian Malware Cyber Activity” singled out those Russian government organizations that had been directly implicated in cyber attacks against critical infrastructure in the United States. U.S. companies were advised to notify government officials of any suspicion of cyber attacks on their computers.
Other vulnerable institutions identified in the report included universities, think tanks, areas of critical infrastructure, and political organizations. Predictably, the Russian government denied all the charges, using such descriptions as “hysteria” and “groundless” to describe the reporting.(4)

That report, while useful in identifying much of Russia’s cyber activity, failed to address a major threat to U.S. national security overseas, that of information warfare. In Afghanistan, the United States has been fighting a resilient foe, the Taliban, since 2001. This protracted war has cost the United States thousands of lives and well over a trillion dollars.
