The “Known Unknowns” of Russian Cyber Signaling
from Net Politics and Digital and Cyberspace Policy Program

The “Known Unknowns” of Russian Cyber Signaling

Recent Russian cyber intrusions in U.S. critical infrastructure have been interpreted as a signal that Moscow "could disrupt the West's critical facilities in the event of a conflict." But is that the signal the Kremlin meant to send?
Russian President Vladimir Putin toasts with Defence Minister Sergei Shoigu after a state awards ceremony for military personnel who served in Syria, at the Kremlin in December 2017.
Russian President Vladimir Putin toasts with Defence Minister Sergei Shoigu after a state awards ceremony for military personnel who served in Syria, at the Kremlin in December 2017. Kirill Kudryavtsev/Reuters

Erica D. Borghard is a research fellow at the Army Cyber Institute at the U.S. Military Academy at West Point. The views expressed here are personal and do not reflect the policy or position of the U.S. government. You can follow her @eborghard.

Last month, the U.S. Department of Homeland Security (DHS) reported that “Russian government cyber actors” gained access to industrial control systems in the energy, nuclear, commercial, water, aviation, and critical manufacturing sectors. According to the New York Times, “United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.” That may be true, but how can anyone know for sure that was the intended signal?

More on:

Russia

United States

Cybersecurity

Effective signaling between adversaries in international relations is important because it can help convey the intent behind actions and, therefore, avoid unintended conflict. It can also be used to demonstrate resolve, making deterrence more effective. However, effective signaling is also hard—adversaries have private information and incentives to misrepresent it, increasing the likelihood of a signal being misunderstood. Furthermore, signals often get lost in cultural translation.

In cyberspace, there are additional factors that complicate signaling between rivals. Russian cyber operations to gain a foothold into U.S. critical infrastructure illustrate some of the important dynamics at play.

First, officially assigning responsibility to “Russian government cyber actors” provides little insight into which Russian government agency was behind the intrusions, and what kind of command and control (C2) they might have had. Knowing whether it was the Russian Ministry of Defense, intelligence agencies (such as the GRU or FSB), or any of the myriad Russian entities involved in cyber operations could provide a better picture of Russian intent and, therefore, assist in discerning the meaning behind a cyber signal.

The delegation of authority and C2 can be obscured when governments work with proxies to carry out operations on their behalf, which Russia is known to do. Proxies are appealing because they can enhance plausible deniability; provide important skills that government actors may lack; serve as useful tools for authoritarian governments to co-opt citizens; or even act as instruments for internal competition for power and influence among different organs of a state’s security apparatus.

Notwithstanding Russia’s proclivity for cyber proxies, it is likely that the incursions into U.S. critical infrastructure were systematically controlled by the upper reaches of government. The sensitivity of the targets and the tailored approach required to infiltrate them suggests that Moscow would want to exercise strict oversight over the operation. Nevertheless, there is still a lack of reliable information about the authorities delegated that would provide clarity of the operation’s intent. Was this campaign approved at the highest level of government and/or by President Vladimir Putin himself? Which specific “Russian government cyber actors” carried it out?

More on:

Russia

United States

Cybersecurity

Second, there is no shared understanding among Russia, the United States, and other cyber powers on what each country is trying to convey with different types of cyber operations. Gaining access to industrial control systems could mean a number of things. It could be Russia laying the groundwork for a destructive or disruptive attack, similar to several past cyberattacks against Ukraine’s power grid. Or, it could be Russia signaling that it has the capability to do so if it wanted to as part of a broader deterrence or coercion strategy—effectively saying, “I am inside your wire, don’t press me.” Finally, it could simply be industrial espionage. Correctly interpreting the signal is imperative because it guides the appropriate U.S. policy response. Overreacting risks triggering unintended escalation, while underreacting could leave the U.S. vulnerable to further exploitation.  

Third, it is also unclear whether Russia intended the United States to discover its activity against critical infrastructure networks. If it didn’t, it could mean that Moscow wasn’t signaling at all. According to DHS, the threat actors took actions to cover their tracks once they were inside U.S. networks. For instance, they removed applications that they had installed when they were in the network, as well as logs, and deleted connections made to remote systems. Does the U.S. discovery of the breach simply reflect poor Russian tradecraft, or was this a well-planned deception operation?

Finally, complicating matters even further, the United States says it has developed plans for comparable types of cyber operations as Russia is accused of doing. Lieutenant General Paul Nakasone, the nominee for Commander of U.S. Cyber Command and Director of the National Security Agency, admitted as much during his nomination hearing. This raises yet another question. Could the Russian cyber infiltration be part of a larger strategic—but private—communication between Russia and the United States of which the U.S. public and the private sector are only feeling the effects?

So, are countries doomed due to poor cyber signaling and simply have to accept that there are little to no prospects for communication and cooperation between rivals in cyberspace? Not necessarily.

In fact, in the closing days of the 2016 presidential election, the Obama administration is reported to have communicated to the Kremlin using the Nuclear Risk Reduction Center—a hotline originally established during the Cold War—in an attempt to deter Russia from directly interfering with U.S. voting systems (although recent admissions that Russia penetrated dozens of states’ voting systems raises questions about its ultimate effectiveness). What is unique about this instance is not that the hotline was used but, rather, that it was used for deterrence purposes rather than détente. This lone example illustrates that signaling is possible in the context of cyber operations, provided it is couched in or coupled with pre-established mechanisms to which rivals have agreed. Further efforts to promote transparency, such as about the delegation of authority and C2 of cyber operations that take advantage of existing frameworks, can help promote stability in spite of the difficulties of strategic communication stemming from cyber operations.

Creative Commons
Creative Commons: Some rights reserved.
Close
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.
View License Detail