Russian Cyber Operations: 2017 and Beyond
As Russia's alleged cyber-intrusions into U.S. affairs continue to grab headlines and defy easy explanation, the Cyber Security Project at Harvard’s Belfer Center convened a panel of experts on Russia, cyber security and the intersection of the two to shed light on some of the murkier parts of this unfolding story. Below are highlights from the speakers’ Russia-related responses to questions and full video of the Feb. 1 event.
We also recommend the paper co-authored recently by Drs. Buchanan and Sulmeyer, "Russia and Cyber Operations: Challenges and Opportunities for the Next U.S. Administration," which provides insight both into the current state of Russian cyber activities and into their history.
David Sanger, award-winning national security correspondent for The New York Times and senior fellow at the Belfer Center; co-author of the Dec. 13, 2016, Times story "The Perfect Weapon: How Russian Cyberpower Invaded the U.S.
Fiona Hill, director of the Center on the United States and Europe and senior fellow in the Foreign Policy program at the Brookings Institution; co-author of the "Mr. Putin: Operative in the Kremlin and a former national intelligence officer for Russia and Eurasia at the National Intelligence Council
Ben Buchanan, fellow at the Belfer Center's Cyber Security Project; author of the forthcoming book "The Cybersecurity Dilemma
Michael Sulmeyer, director of the Belfer Center’s Cyber Security Project
THE COMMENTS BELOW ARE SUMMARIZED AND PARAPHRASED, NOT VERBATIM; speakers identified by initials.
Q: Where are we today, with a new administration in place, in terms of Russia and cyber?
FH: We are not at that much of a different place with Russia than we normally are during the beginning of new administrations. Think back to Ronald Reagan and George H. W. Bush who both had to rethink and deal with a drastically changing relationship with Moscow. What is unusual is the backdrop of an American election process with unprecedented efforts by Russia to have influence in it, although Moscow denies this. It is, however, not unusual for one power to want to have a say in what another power does, whether an adversary or a friend. It is just that the technological tools for having an impact have improved and, with a few taps of computer keys, rather than physical action, you can start to shape events.
BB: Russian cyber hacking goes back a long way, to the “Moonlight Maze” case in the 1990s. This is an old tactic in new clothes and is incredibly powerful to nations today. The U.S. Department of Defense talks about holding targets at risk, and Russia has done a fair amount in this area. What’s significant here is that if you build a conventional weapon, like a missile, you can target and re-target it quite quickly. Effective cyber tools need time to get access to a target and to develop a tailored effect. We have seen the Russians doing prep work before, even if it was not as high-profile. And the Russians recognize the power of cyber operations, not just to steal information but also to attack.
DS: The title of our Times story, “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.,” reflects the situation Russia finds itself in today. Russians do not see any advantage in controlling us [the U.S.] “frontally,” or by provoking a major response, or a kinetic response. Cyber is perfectly designed for conducting a low-level attack that could be used for espionage, for influence operations (merging an old Soviet tactic from the 1940s with modern means) or for full-scale attacks (like what the U.S. did against Iranian nuclear infrastructure). The trick for the Russians was to find something inexpensive and deniable that would count on our inability to detect quickly and respond decisively. And indeed the U.S. response was slow and confused—to a greater extent probably than the Russians had hoped.
To recap the timeline: The U.S. was alerted by an allied intelligence service about an attack on the Democratic National Committee in fall 2015. Because the U.S. doesn’t want to reveal where intelligence comes from, the process of following up was circuitous and low- to mid-level: from Homeland Security to an FBI agent to a completely clueless IT group hanging around the DNC’s computer systems, who don’t return calls because they don’t really believe it’s the FBI getting in touch. Months are spent on this back-and-forth. The whole response is so slow that the president does not hear about the situation till June 2016. In the interim, the Russians went beyond the DNC, into the email account of [Hillary Clinton’s campaign chief] John Podesta. We actually found evidence of 128 private email accounts within the Clinton campaign that they tried to get into, but they only broke into two, because only two people didn’t have two-factor authentication on their Gmail. It was only months later, when an attack by Russian military intelligence (the GRU) was discovered, that the DNC hard drives got cleared. Timing of the leaks seemed strategic: The first public release of the hacked information came just before the DNC national convention and resulted in a high-level resignation; the next release came within hours after the news about a tape of then-candidate Donald Trump saying some fairly crude things. These leaks first came over two channels that we believe the Russians themselves set up and, when those weren’t getting enough clicks, the materials went to WikiLeaks.
So what was unusual? 1. We did not expect Russia to use the tactics they had used in Europe against the U.S. 2. We failed to anticipate that a group like the DNC, or the RNC, would be an easy target. 3. The FBI responded extremely slowly and unenergetically, without even taking the short walk over to DNC headquarters. 4. When President Obama finally got the information, he didn’t want to be seen as intervening in the election on the Democrats’ behalf, so he reacted slowly and carefully. Taken together, this is a case study in how not to respond to a situation like this.
Q: A recent headline said “Czechs suspect a foreign power in email hacking.” Is this the Russians? Is this part of their playbook? How is it all related to “what makes Putin tick and what the West should do” (an excerpt from the excellent book by Fiona Hill and Cliff Gaddy)?
BB: Interfering in others’ elections is not a new trick the Russians have worked out. In fact, one study shows that between 1945 and 2000, Russia/the Soviet Union and the United States combined tried 117 times to influence foreign elections, whether openly or covertly. The electronic aspect is new. Russian attempts at cyber-interventions in other countries’ elections are not likely to stop. Europeans are concerned, especially in countries where elections are coming up. Maybe rightfully so. The question is: What are they going to do about it? Germany has been calling Russia out, but it’s not clear that works as a deterrent. Smaller nations like the Czech Republic may be more vulnerable. This story is not going away.
FH: Russia’s cyber activities are an extension of Putin’s willingness to fight, as we wrote in the conclusion of the book, “for as long and as hard (and as dirty) as he needs to, to achieve his goals.” Our analysis, however, focused on Russia’s actions in Eastern Europe. So, perhaps, there was a failure of imagination there—not to extend that thinking to actions Russia might take against the United States or Western Europe. In December 2016, German intelligence announced that numerous officials’ personal email accounts had been hacked and, also, that shell bank accounts had been set up in Switzerland, presumably for more conventional types of influence operations in advance of the German elections. So we should now anticipate this kind of Russian activity in a whole range of small and large European and ex-Soviet countries. This is also part of a long-running pattern; it’s just that we’re now seeing it much more starkly in our own backyard. In terms of the “playbook,” Putin is a former KGB operative and he continues to think like one, and he is proud of his skill set. He talks about being a specialist in human resources, and in the use of information, and extols the virtues of the techniques he mastered in the KGB, and their application to politics. In the very contentious U.S. political race I think he saw incredible opportunities to exploit vulnerabilities on all fronts. Putin and the people around him are strategists. We have always underestimated him, as if he is some rank opportunist. Well, you can’t take advantage of opportunities that come along unless you know what you want to do with them. For the whole of his time in office, Putin has prioritized “Russia’s interests first.” Since coming to power, his manifesto has been to put Russia back on its feet, first domestically, and then internationally as a great power. He has said repeatedly that he wants to ensure geopolitical and geoeconomic demand for Russia. He has also made it clear that he will use any means necessary to achieve his goals. That said, Putin is also cautious in his application of force and violence. He uses very selective targeting of individuals, both domestically and in foreign policy. The classic case of this was the targeting of Hillary Clinton during America’s 2016 election, and we saw it with Turkey’s President Recep Tayyip Erdogan after the Turkish air force shot down a Russian plane in 2015. Putin really turned the screws on Turkey’s and Erdogan’s personal vulnerabilities. We have seen Putin take this type of action repeatedly, and now we see that the Russians have been emboldened to operate on a larger scale, but precisely because they are trying to push and protect their own interests. Cyber is just one of a whole range of strategies and mechanisms to do so.
Q: Since governments are loath to talk about cyber issues, journalists take on a very powerful role in informing the public. How can we think about the evidence and standards needed to do that well?
DS: First, remember this was not the first time we had seen Russian intelligence operations of this kind, even against the United States. Ben mentioned Moonlight Maze. But earlier in the Obama administration we had seen three espionage-only attacks: on the State Department, unclassified White House emails and the Joint Chiefs of Staff—that being the scariest, as the .mil domain is supposed to be the safest. It was not the Russians who went into the Office of Personnel Management and got 21 million files; that was the Chinese. But in each of these other cases it was the Russians. And in each one there is the forensic evidence that you see, certain patterns. In the case of this [latest] hack, the Russians used familiar techniques and tools, IP addresses, that had been used elsewhere. Of course, you can fake an IP address and borrow someone else’s tools, but eventually there are enough of these familiar elements that it becomes significant. Secondly, you have a motive. In Putin’s mind, and he’s made no secret of this, Hillary Clinton interfered in Russian elections in 2011-12 and I think it is reasonable to guess that he was seeing this as payback for something she had done.
The only way you get fully convincing evidence is if you have a tapped conversation in which the perpetrators discuss what they’re doing, or you have implants inside a foreign network in which you can see the tracks. So if the DNC emails suddenly show up running through an implant that you’ve put in the Russian systems, you’ve got a pretty good guess how this all came about. This is the hardest part because it concerns revealing implants or human sources. So the U.S. government laid out its case in an intelligence report in December and it was utterly unhelpful. But we quickly found out there were two other versions—a “cleaned up” version for Congress, because leaks happen to be sure, and a “compartmentalized” version shown to President Obama and President-elect Trump and his staff. It’s pretty fascinating: From the afternoon President Trump saw that report, you never heard him again say he does not believe it was the Russians behind the hack; in fact he said “I do believe this was the Russians” and then changed the topic. When we went back to do our reporting we found exactly what you would expect: that there was evidence of this material inside Russian systems.
Q: There has recently been news of cyber-related arrests of security and intelligence officials in Moscow. How do you think internal competition within the Russian security services will influence the frequency and scale of cyber intrusions?
FH: Every group of security services has competition, but in the U.S. we have a pretty strict firewall between what our various agencies can do. For example, the FBI focuses on domestic issues, while the CIA is basically not allowed to undertake investigations with a domestic political component. The Russian services, on the other hand, have a lot of overlap and less constraints. They work in part for different masters, but also for the same master, and they’re very keen on showing who is more agile and who can get the information first. It’s not all about exploiting elections either, because there are routine, ongoing, efforts to find out information about other countries and their leaderships. Right now I think there is some “house cleaning” going on, as Russia is trying to figure out whether some of these individuals gave information to the U.S. or to other governments. This is going to be a big issue, and most of us on the outside will not really know what is happening, but I think we will see more cyberattacks as agencies try to prove their worth. Russia also has a presidential election coming up, in 2018, and Putin has to put himself up for “relegitimation.” Elections do matter in Russia, insofar as they put popular faith back into the presidency. And Putin wants to make sure there will be no outside efforts to influence that election, as he believed happened in 2011-12 elections. So we can imagine more pre-emptive aggression coming from Russia as a deterrent.
DS: One more point: It was the FSB [Federal Security Service] group that first got into the DNC systems. The GRU came in only seven or eight months later. There was considerable speculation among U.S. intelligence agencies that the two were not coordinating. It was the GRU that got caught and that made a lot of this material public. That hints at some of the internal competition Fiona referred to.
Q: In the U.S. press there’s talk that “psychometrics”—basically, enhanced demographic and other customer information based on online behavior—can really affect the outcome of elections through targeting during campaigns. Can this be used by state actors?
BB: Cyber operations intersect quite neatly with information operations, propaganda and what the KGB called “active measures,” including false information. We can debate the effectiveness, but there’s no doubt about the sheer volume of information getting pushed out. Now, I am not sure to what degree the Russians have mastered the art of microtargeting in the way [U.S.] presidential campaigns have, in part because I don’t think they can go out and just buy the data from sites like Facebook. But we can be sure that the more personal data is out there—think of insurance companies, for instance—the more savvy intelligence services can use it for their own ends.
DS: Also, there is no way to quantify whether the hacks and leaks we’re talking about swung the 2016 U.S. presidential election. The Russians didn’t go after voting machines; we have no evidence that votes were manipulated. And it’s impossible to separate out the effect of other factors, like FBI director James Comey’s statements about Hillary Clinton’s emails or the fact that Clinton was not an enormously effective candidate. This mix, and the difficulty of gauging factors’ respective influence, helped make the Russians so successful. They didn’t start this operation in 2015 thinking they were going to get Donald Trump elected. They thought he wouldn’t make it as far as he did. As time went on, it looks like their goals evolved: They were able to move beyond information gathering, where the FSB began, to making information public that might simply disrupt the election and cause distrust in the U.S. system, ultimately to—if you believe the intelligence community’s assessment—actually intervening on behalf of Donald Trump.
FH: The Russians specialize in these kinds of operations. This goes back a long way, certainly to the Russian Revolution, when the Bolsheviks specialized in agitprop and propaganda. And when you look at what they’ve been doing this last 100 years, they’ve been riding a tide that was already there, exploiting vulnerabilities in some cases, but really giving a nudge in the direction of larger trends. Lenin embraced all kinds of causes that were not intrinsic to the revolution, including the nationalist aspirations of Ukrainians and other nationalities in the former Russian empire. Similarly, media outlets like RT and Sputnik merely amplify existing trends that emphasize the direction in which Russia wants to see things move. Also, the Russians want to look good at what they are doing. The kind of attention we are now paying them makes them look strong and effective. The have done a good job in terms of their goals—though certainly not ours—and have loomed large in this past U.S. election in a way that they couldn’t have expected. This is good for business for the security services, in terms of recruiting new agents, because they have taken down a titan of U.S. politics and did it more effectively than others who have tried. For some, like Putin, this is a source of pride and a job well done.
Q: In light of the limitations on releasing information about cyber operations, how can we overcome the problem that a lot of people in the U.S. still don’t believe this happened?
FH: This hacking issue fell victim to partisan politics. It is very difficult for intelligence agencies to release pertinent information in writing. They obviously anticipate that something more substantive will be leaked, but leaks put people in danger. They can have life-and-death consequences sometimes. Perhaps, members of Congress could do more to reach out to their constituents. I do think it is significant that President Trump says he now believes it was the Russians. Hopefully that statement will have an impact in convincing his supporters that something is going on.
DS: I strongly believe the intelligence community could have offered up more information and ratified much of what had already been brought to light by private companies. They could have said their analysis was exactly the same. They could have talked a bit about evidence from plants they had in the Russian systems, because it’s not exactly news to the Russians that we’re inside their systems. There were ways to do this without getting so specific that it would have endangered lives.
BB: To add to David’s comments, talking about cyber security is fundamentally different than talking about chemical weapons in Syria. You have a very active private-sector industry, often made up of former intelligence operators working inside companies that want to own these issues. So by private evidence alone, I was comfortable saying on air by July or August that this was Russian activity, because of the re-use of certain forensic indicators. This is a dilemma for the intelligence community: When should they piggyback on the private sector and when should they fear what it will say?
Q: There’s been some discussion of Russian interference in European elections here. Have you seen European countries learn from the U.S. experience?
DS: Germany’s talked a good deal about this and their vulnerability is different than ours. The U.S. has an election system that’s very disparate across the different states, and even different counties, so hackers would have needed to design lots of different ways to get into them. It’s a lot easier in Europe, which is far more centralized.
FH: One thing European countries have in their favor is that their national intelligence communities tend to be much smaller and better integrated, so they communicate much more quickly. Also, they’ve been set on notice by recent events: If it can be done to the U.S., it can surely be done to other countries. I think we will see European countries taking more active measures in response and working together on this.
BB: The example I’d point to is the 2014 Ukrainian elections. This got very little attention in the U.S. It was not an influence operation along the lines of 2016. The Ukrainians have a centralized system; three days before the election, their systems were wiped. And they were ready and had backups. On election day, 40 minutes before they were going to make their results public, they realized the numbers they had were false and held off. The only media sources that announced the incorrect findings were pro-Russian, somehow knowing what was going to happen before it happened. That suggests a confluence between cyber operations and influence operations, and that’s the sort of thing that would worry me in the European elections.
Q: What would have been a proportionate response from the U.S. to the Russia hacking?
FH: When it comes to a “proportional response,” you have to tread very carefully. The Russian government already believes we’ve been trying to take down institutions similar to our own in their country; I would argue that we have not. We have not engaged in the same kind of retaliation or pre-emptive action that we did during the Cold War. The latest round of sanctions against Russia wasn’t just about hacking; it was also about Russian harassment of U.S. diplomats and all kinds of other actions. Crafting a response is difficult because it depends on what you want to achieve. So we have to look carefully at the instruments available to us. One part of this may be having a structured dialogue with the Russians, like we did with the Chinese, on what they want to get out of this.
DS: When Bob Gates was defense secretary he once said, “The three words least asked in Washington are, ‘And then what?’” That affected the Obama administration’s response. In looking at their options, they said: Had we called out Russia and applied sanctions right in October, it would have invited them to come in and mess around with the election infrastructure, pieces of which they knew how to access, on Election Day. So the U.S. didn’t want to go up the escalation ladder. They could have imposed sanctions or launched counter-strikes, but there’s the problem of feeling really good the next morning and really crummy a week later.
BB: I think we know why they didn’t react. There were options, but, as David said, if you go up the escalation ladder, those actions are not going to be taken lying down.
Q: One warning signs of war is a rapid change in military technology that makes war cheaper and more feasible. How likely is an intensified great-power war with the advent of cyber technology?
FH: I think we’re already in a great-power war and have been for some time. Putin’s speech at the Munich Security Conference in 2007 was a declaration of war, but we did not have the imagination to realize this. We saw this in a conventional sense in Georgia in 2008. But for the Russians there is no such thing as a “hybrid war.” In terms of Russian strategic thinking, from a military perspective, it’s all part of one very large tool kit—going from nuclear all the way through to political efforts. Many analysts and commentators in Russia talk about Syria as a nodal point in that war now because of changes to the regional order; they talk about Ukraine as a proxy war with the U.S. And the full-frontal attack on our elections is part of this strategic thinking.