12 March 2019

Hacker Militias or Cyber Command? The U.S. and Russian Institutionalization of Cyber Warfare

By: Madison Creery

If a Russian state-sponsored hacking group attacks a computer network, the target has on average only nineteen minutes (the "breakout time" between initial compromise and lateral movement) to respond before the initial penetration becomes wider network access, data theft, or information destruction.[i] The speed and agility of Russian hackers have long been known, demonstrated by their degrading cyber-attacks on critical infrastructure in both Georgia and Ukraine, as well as by their attacks on the Democratic National Committee's network during the 2016 US election.[ii] This state-sponsored hacker system has allowed Russia to become one of the most aggressive and destructive actors in cyberspace.[iii] Further, its reliance on this hacker network for talent maximizes the country's deniability in cyber operations (plausible or not) while remaining low-cost.[iv]

However, Russia's reliance on proxy "hackers-for-hire" to accomplish strategic objectives has led some to question why Russia has yet to institutionalize its cyber workforce within its military. Over the last 20 years, Moscow has relied on hackers and criminals to conduct cyber operations,[v] while the United States has chosen to consolidate its cyber capabilities under US Cyber Command (CyberCom).[vi] No such military structure exists in Russia, despite the preeminent role both cyber and information operations play in its military doctrine.[vii] For years the Russian government has toyed with the idea of creating "Information Troops" to fill the space previously held by hackers, but this idea has yet to become reality.[viii] However, Russia may not have to. What works for the U.S. cannot be expected to work for Russia because of the two countries' fundamentally different views on how to conduct cyber warfare. Indeed, "hacker militias" may be good enough to meet Russia's current strategic objectives.

Contrast Between Russian and US Cyber Strategy and Capabilities

Russian hackers frequently use classic cyber operations against a target's computer network, including distributed denial-of-service (DDoS) attacks, phishing, and SQL injection. DDoS attacks in particular, when sustained at volume over extended periods, can take websites and communication nodes offline. Though common, these tools are relatively modest, if not low-level.[ix] In contrast, the U.S. has only recently used harassing vandalism methods against a target (ironically, against Russian hackers)[x] and rarely uses DDoS attacks.[xi] When the U.S. engages in cyber operations, it places a higher priority on cyber "Pearl Harbors," or one-time, major attacks on an adversary's computer networks and operating systems. With a preference for precision strikes against a target's command and control system, US cyber-attacks rely on complicated, costly, and time-intensive operations.[xii] One such example was the Stuxnet worm, discovered in 2010 and widely attributed to the United States, which was designed to damage the gas centrifuges of Iran's uranium enrichment program.[xiii] This cyber-attack gained access to a secretive regime's sensitive nuclear program and then physically damaged part of a nation's critical infrastructure. Russian hackers, by contrast, are far from accomplishing this kind of precision feat, owing to the lack of coordination among hired hacker groups and the lack of funding necessary to conduct such advanced cyber operations.[xiv]

Today, the U.S. continues to conduct cyber operations through CyberCom which, in response to increasing cyber threats around the world, President Trump directed in 2017 be elevated to a unified combatant command (the elevation took effect in May 2018).[xv] [xvi] This decision streamlined US cyber operations under a single commander, who now reports directly to the Secretary of Defense. The four service cyber components – US Army Cyber Command, US Fleet Cyber Command, Air Forces Cyber, and Marine Corps Forces Cyberspace Command – help carry out CyberCom's mission of defending the Department of Defense Information Network and strengthening the nation's ability to withstand and respond to cyber-attacks.[xvii] Today, CyberCom directs, synchronizes, and coordinates nearly 6,200 personnel in 133 teams.[xviii] This level of cyber coordination is visibly missing from the Russian military force structure. Instead, Russia relies heavily on its intelligence agencies to fill this role, both gathering intelligence and directing and coordinating cyber operations with hacker groups.[xix] The closest Russia has come to institutionalizing cyber within its military is the Main Intelligence Directorate (GRU), Russia's military intelligence service. This agency has consistently been at the forefront of Russia's psychological warfare and cyber operations, coordinating hacker groups under its jurisdiction, such as APT28, as well as collecting intelligence of military or political significance.[xx]

How Russia Uses “Hacker Militias” to Accomplish its Objectives

In Russian society, the distinction between the government and the criminal cyber underworld often becomes blurred. During the 2008 Russo-Georgian War, for example, many of the hackers that targeted Georgian websites and communication nodes used tools, attack commands, and servers attributed to the St. Petersburg-based criminal cyber gang, the Russian Business Network.[xxi] Because of the high level of coordination in both the timing and target selection of the cyber-attacks, many have asserted that this group took its direction from the GRU and the Russian intelligence community.[xxii]

This is but one example of many that demonstrates not only the symbiotic relationship between hackers and the government, but also the difficulty of attribution. Employing hackers and cyber-criminal gangs increases the distance between the targeted country and the Russian government, helping Russia maintain a high level of deniability. Linking a cyber-attack to a hacker group is one thing; linking that same hacker group to a state, and to a particular government decision, is quite another. The proxy model thus preserves deniability (plausible or not) at low cost.[xxiii] This is critical, since Russia employs cyber warfare as a way to sow discord and disrupt communications while avoiding the escalation that similar tactics carried out by military forces might generate.[xxiv]

Russia's focus on hacker-conducted cyber operations, while less technically sophisticated than U.S. cyber operations, can still do a great deal of damage, such as keeping the Georgian government largely disconnected from the outside world for five days.[xxv] Through the use of hacker militias, these cyber-attacks can impact a country's critical telecommunications infrastructure while keeping the chances of a severe international response low.[xxvi] With a light management touch, Russia accomplishes its objectives while maintaining some semblance of deniability. If the Russian government were to follow the U.S. model, perhaps through the creation of Information Troops, tighter management could increase both the sophistication of its cyber tools and the coordination of its operations, as seen in the U.S.[xxvii] However, there is a trade-off: incorporating cyber operations within Russia's military structure eliminates a crucial layer of anonymity between the government and the target of a cyber-attack. Russia must weigh whether this loss of deniability is worth the increased coordination. For now, it is more desirable for Russia to use cyber operations as a simple nudge in the right direction, creating the chaos and confusion Russia seeks. While advocates for Russian "Information Troops" remain within the Armed Forces, why fix what isn't broken? At least for now, Russian proxy hackers are here to stay.

[i] Patrick Tucker, "You Have 19 Minutes to React if the Russians Hack Your Network," Defense One, February 2019, https://www.defenseone.com/technology/2019/02/russian-hackers-work-several-times-faster-chinese-counterparts-new-data-shows/154952/?oref=defenseone_today_nl.

[ii] Ibid.

[iii] Brandon Valeriano, Benjamin Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion, New York: Oxford University Press, 2018, p. 115.

[iv] Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Analysis & Solutions, March 2017, https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf, p. 5.

[v] Ibid.

[vi] Katie Lange, "Cybercom: How DOD's Newest Unified 'Cocom' Works," U.S. Department of Defense, October 2018, https://www.defense.gov/explore/story/Article/1660928/cybercom-how-dods-newest-unified-cocom-works/.

[vii] Keir Giles, "Information Troops – A Russian Cyber Command?" In Cyber Conflict (ICCC), 2011 3rd International Conference on, pp. 45-60, IEEE, 2011; Nikolay Koval, "Revolution Hacking," In Kenneth Geers (ed.), Cyber War in Perspective: Russian Aggression against Ukraine (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2015): 55-65.

[viii] Ibid.

[ix] Andreas Schmidt, “The Estonian Cyberattacks,” In A Fierce Domain: Conflict in Cyberspace, 1986-2012, edited by Jason Healey, 174-193, Virginia: Cyber Conflict Studies Association (CCSA), 2013, p. 182.

[x] Nakashima, 2019, “U.S. Cyber Command”

[xi] Valeriano, Jensen, and Maness, Cyber Strategy, p. 181.

[xii] Valeriano, Jensen, and Maness, Cyber Strategy, p. 171.

[xiii] Ibid.

[xiv] Ibid; Julia Ioffe, 2018, “What Putin Really Wants,” The Atlantic, January/February 2018, https://www.theatlantic.com/magazine/archive/2018/01/putins-game/546548/.


[xvi] U.S. Cyber Command, "About Us," U.S. Cyber Command, 2019, https://www.cybercom.mil/About/.

[xvii] Lange, 2018, “Cybercom”

[xviii] Ibid.

[xix] Ioffe, 2018, "What Putin Really Wants"; Marie Baezner and Patrice Robin, "Hotspot Analysis: Cyber and Information Warfare in the Ukrainian Conflict," Center for Security Studies (CSS), ETH Zurich, June 2017, http://www.css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/20181003_MB_HS_RUS-UKR%20V2_rev.pdf, p. 12.

[xx] Troianovski and Nakashima, 2019, “U.S. Cyber Command”; Baezner and Robin, 2017, “Hotspot Analysis,” p. 11-12.

[xxi] Andreas Hagen, “The Russo-Georgian War 2008,” In A Fierce Domain: Conflict in Cyberspace, 1986-2012, edited by Jason Healey, 194-204, Virginia: Cyber Conflict Studies Association (CCSA), 2013, p. 202.

[xxii] Ibid.

[xxiii] Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Analysis & Solutions, March 2017, https://www.cna.org/cna_files/pdf/DOP-2016-U-014231-1Rev.pdf, p. 5.

[xxiv] Diego A. Ruiz Palmer, "Back to the Future? Russia's Hybrid Warfare, Revolutions in Military Affairs, and Cold War Comparisons," Research Paper No. 120, Research Division, NATO Defense College, October 2015, https://www.files.ethz.ch/isn/194718/rp_120.pdf, p. 6.

[xxv] Hagen, “The Russo-Georgian War,” p. 204.

[xxvi] Ibid.

[xxvii] Valeriano, Jensen, and Maness, Cyber Strategy, p. 179.
