On 15 April 2020, the United States imposed another set of sanctions against Russia. The sanctions were mostly triggered by the largest cyberattack on U.S. governmental and corporate networks, which exploited a vulnerability in a SolarWinds software product (revealed in November and December 2020), as well as by another bid to interfere in the 2020 American elections. Of course, given the peculiarities of attributing hacks, one might just as well assume that the attribution of these attacks to Russian intelligence agencies has been erroneous. One may also assume that it was an error to attribute similar cyber attacks to Russia, namely those against Estonian networks in 2007, against Ukrainian networks in 2015–2017, against Georgia in 2019, as well as cyber attacks to interfere in the U.S. election in 2016, etc. However, all these actions fit into a logic that is characteristic of no other country but Russia. All this provides us with an opportunity to reconstruct the Russian approach to cyberspace operations.
Russian information security paradigm
While official Russian documents do not contain terms such as ‘cyberspace’, ‘cyber security’ or ‘operations in cyberspace’, those terms are used in the rhetoric of government officials, intelligence services and the military. In contrast, Russian documents contain terms such as ‘information sphere’, ‘information security’, ‘information confrontation’ or ‘information and psychological confrontation’. This terminology incorporates ambiguity and can be seen as a kind of linguistic trap.
Here, ‘information security’ implies not only cyber security, i.e. the protection of physical infrastructure (cyber security, information technology security, etc.), but also the protection against what Moscow considers to be hostile military propaganda (influence warfare, information warfare, psychological operations, etc.). In other words, in the Kremlin’s view, the protection of computer networks is merged with the protection of the authorities’ information monopoly. Moreover, anything that contradicts the official narrative is viewed as ‘enemy propaganda’, regardless of whether the source of this narrative lies inside or outside of Russia.
Moreover, the aforementioned English-language terms for military propaganda are interpreted very broadly by the Russian authorities, representing another language trap. They are understood not only as a struggle for opinions and sympathies, nor just as an attempt to influence decisions or persuade people into believing in something while a military campaign is being prepared and then conducted. These terms are also understood as a way to shape an alternative and sustainable political behaviour in society as a whole.
With such an approach, any society, whether Russian or other, is inevitably perceived only as an object of control and manipulation. Incidentally, it is not surprising that the Kremlin sincerely believes that most revolutions in modern times were triggered by conscious manipulation. This explains why Moscow sees itself as threatened by the use of “information technology to compromise sovereignty, territorial integrity, as well as political and social stability.”
Here, Russia’s active steps in the information sphere go beyond intelligence and material damage to the enemy. They also involve attempts to demoralise and weaken its political elites and society. If Moscow views someone as an adversary, it tries to implement a threat similar to the one that it sees for itself. This explains the long-standing logic of Moscow’s endeavours.
On the one hand, the Kremlin is capable of carrying out fully rational espionage in cyberspace, similar to the SolarWinds story. It is equally capable of taking rational steps to disrupt the websites of enemy governments and information agencies during military operations, as it did in 2008 during the war against Georgia, or to hack Ukrainian artillery software during the war in Donbass. On the other hand, Moscow tends to carry out seemingly pointless attacks like those carried out against Estonia, Ukraine or Georgia (in 2019) and the American party system and electoral system. These attacks did not elicit sensitive information. Nor did they counter any objective threat or improve Russia’s own position. However, this type of cyber attack makes sense in the context of ‘confrontation in the realm of information and psychology’ and attempts to ‘inflict damage to political and social stability’.
Russia expects efforts to demoralise the society and the political elite of a target country to generate disappointment in the existing political system and in the democratic system and, in the long run, to radicalise public sentiment. Demoralisation of the elites is designed to trigger errors in internal and foreign policies, which will further exacerbate the demoralisation and force the expenditure of additional organisational and material resources.
Of course, Russian political elites exaggerate their ability to engage in technocratic management of social processes. Furthermore, there is no consistency behind all these efforts to provoke political and social destabilisation. However, Moscow’s belief in the existence of such capabilities and in the very possibility of such management is akin to religion. While this article has no room to delve into the historical, social and cultural origins of this worldview, it is worth bearing in mind.
A web of intelligence services
Russia’s special services and the military carry out their activities in cyberspace under the political framework described above. Although cumbersome, the organisation of these activities appears to be generally rational.
The Federal Security Service (FSB) is the main body responsible for ensuring information security in Russia. Among all Russian agencies, it is the FSB that has the main intellectual resources in this area, especially in cryptographic protection. Moreover, it extensively utilises the capabilities of the private sector and publicly funded civilian research centres. Given that the FSB also engages in intelligence activities outside the country (most probably mainly in the post-Soviet space), it has the capacity to conduct external operations in cyberspace within its area of responsibility.
As regards information security within Russia, the work of the FSB is balanced by another agency (in the absence of others), namely the Federal Service for Technical and Export Control (FSTEC), which is subordinated to the Ministry of Defence but reports directly to the President. This agency works on technical (non-cryptographic) protection of critical information infrastructure, including coordination of work with other authorities and companies, as well as business licensing.
Operations in cyberspace outside Russia are conducted by the Foreign Intelligence Service and the Headquarters of the General Staff of the Russian Armed Forces. Both agencies are tasked with intelligence and industrial espionage, but the HQ also focuses on disrupting enemy infrastructure, including information infrastructure, in the event of conflict. The intelligence resources of the two services appear to be different. The Foreign Intelligence Service has an unclear scientific and technical capability, but can probably borrow technology from the FSB and, through the FSB, from private companies and publicly funded civilian research centres. In turn, the capabilities of the HQ in cyberspace rely on military research organisations (the 27th Central Scientific Research Institute, the ERA technopolis and special scientific troops), military industry enterprises and on cooperation with civilian scientific centres.
So while the whole conglomerate of agencies that deal with information security and/or operations in cyberspace might be redundant, it is still driven by the need for internal balancing within the Russian political system. However, the main problem of such a complex institutional design is that it is a priori intended for systemic work. As soon as attempts are made to carry out non-systemic operations involving, for instance, interference in an election, or massive attacks on foreign networks with no other purpose except for temporary disruption, this entire structure is used for purposes other than originally intended, bringing a negative result. One might just as well drive nails with a microscope. Firstly, such non-systemic activities divert resources from core business. Secondly, they obscure working methods and technologies as well as the vulnerabilities used, without clear benefit. Thirdly, they inflict obvious political and economic damage on Russia.
Why would Russian political leaders not abandon such non-systemic activities, and why would they be reluctant to reconsider their logic behind information security, given how this logic fails when put into practice? To answer this, we need to recognise that agencies designed to balance each other and, at the same time, to be at least somewhat effective in one of the most important spheres tend to gather enormous bureaucratic inertia. Thus, non-systemic operations, much like the Russian information security paradigm itself, are designed to combat this inertia and keep political control over the special services and the army in the hands of the Kremlin, even at the cost of damage to foreign policy.