inFocus: Defense Modernization and Challenges Ahead (Winter 2016)

Cyber Threats and Russian Information Warfare

Paul M. Joyal, Winter 2016

In his July 9, 2015, confirmation hearing to be Chairman of the Joint Chiefs of Staff, Gen. Joseph Dunford told the U.S. Senate Armed Services Committee that Russia currently poses the greatest global threat to the United States. While many understood this assessment as based on Russia’s new aggressiveness, its nuclear modernization program and its militarization of the Arctic, there is more to the story.

The Russian military and security services have systematically prepared themselves for war in cyberspace–a new type of warfare–by experimenting with three different but complementary operational cyber scenarios since 2007. In each case, certain cyber capabilities were tested, culminating in the Crimea operations that featured the use of specialized covert military units. Crimea represented the pinnacle of information warfare (IW), or what has been described as “hybrid warfare.” Russian Professor Aleksandr Selivanov predicted in an article on internal and external IW threats to Russia that, “Seizure of territory by means of IW, presumes ‘nontraditional occupation’ as the possibility of controlling territory and making use of its resources without the victor’s physical presence on the territory of the vanquished.” This would become the game plan for the takeover of Crimea and for operations in Eastern Ukraine.

The first operational test case occurred in 2007 in Estonia, when the e-government systems and the banking sector were struck with massive distributed denial-of-service (DDoS) cyber attacks. These were launched using criminal botnets, which provided both deniability for the Russian government and an operational test of using private criminal DDoS capability for state-sponsored attacks. In the second example, in Georgia in 2008, Russian criminals provided scripts for hacktivists (Nashi) to attack Georgian government web sites. These cyber operations were a precursor to military operations. In the third example, covert military forces moved quickly into Crimea under the cover of staged political protests in 2014. One of the first objectives was to cut undersea fiber optic Internet cables and take over communication centers. Once inside these communication centers, malware was inserted directly into Ukrainian telecommunications systems to disrupt government telephone connections and operations. These had devastating psychological effects. The evolution of these three cyber-attack cases shows the clear teleology of the cyber operations. Cyber is an integral part of the war fighting strategy of the Russian Federation.

Resistance is Futile

The Crimea campaign represents a new crystallization of an integrated strategy of geopolitical projection and political warfare, in which cyber operations, covert military forces, and intelligence services were deeply involved in the Crimea takeover. The political warfare campaign included the entire spectrum of influence operations: disinformation, psychological and cyber operations, propaganda, paramilitary and military covert action, diplomatic efforts, cultural programs, popular songs and music videos, sports promotion, public diplomacy, media manipulation and projection, and more. The purpose is to create a psychosis that promotes the perception that Russia is correct in its position and unstoppable, and that resistance is futile.

Cyber warfare is better understood within the continuum of low intensity conflict, specifically, IW. This can and would be combined with other capabilities in higher-intensity forms of conflict in the future. When cyber operations are employed in conjunction with a state-sponsored interstate attack, they carry a powerful political influence value and psychological effect. Russia understands this completely and has developed a war fighting operational doctrine that falls within the larger Russian doctrine of Information Warfare. This doctrine is being employed tactically in Ukraine today. As the NATO analysis of the Russian Crimea operation pointed out, “Russia was prepared to conduct a new form of warfare in Ukraine where an information campaign played a central role.”

Cyber War?

Cyber attacks are not a new form of warfare; electronic warfare has been a staple of military operations for some time. Cyber attacks and operations are a logical part of Russian IW doctrine and its two consistent subcategories: information-technical and information-psychological capabilities. Cyber represents the information-technical component. After the Georgia conflict of 2008, Russia’s first deputy chief of the General Staff, General Aleksandr Burutin, said in an interview on January 29, 2009, that it is “essential to switch from an analysis of the challenges and threats in the sphere of information security to a response and to their preemption.” This is a very Chinese approach, in which military operations follow cyber IW operations that attack the society of the enemy to deprive the population of its normal life and psychologically damage its will to resist and persist.

A month after Burutin’s 2009 interview, the deputy chief of the Russian Armed Forces General Staff, General Anatoliy Nogovitsyn, stated that the General Staff would develop a strategy for the state’s information defense. This is because Information Warfare is a reality and Russia must be ready to respond to the threat. IW’s main tasks will be to destroy the key military, industrial, and administrative sites and systems of an enemy, and to inflict psychological and information damage on the military and political leadership as well as the troops and population. Victory in modern war, he argues, much like the Chinese believe, occurs with one “preemptively winning information superiority and only later superiority in the sphere where military operations are going on.”

Cyber attacks can indeed be used to degrade, silence, and destroy military, financial, and critical infrastructure systems. Be they nuclear reactors, electricity grids or water control systems, cyber attacks on critical systems can potentially inflict devastating strikes on our modern, electronically connected civilization. They can be used to steal intellectual property, acquire government secrets, siphon funds from bank accounts and credit cards, or shut down commerce. Cyber attacks can deface or silence a web site to advance an information operation theme, or plant false and misleading stories that cause doubt and panic among targeted populations. Malware can also be used to manipulate data, rendering it useless or inaccurate. Today’s world demands that public infrastructure respond to this threat, and it may require federal mandates and financial and tax incentives to ensure compliance.

Russian Doctrine Development

Since the collapse of the Soviet Union in 1991, Russia has attempted to adapt to the dramatic decline of its military fortunes partly through its IW doctrine and capabilities. Russian military strategic thinkers comprehended early on how the development of new cyber weapons would have a deep influence on the methods, ultimate objectives, and definitions of victory in future wars. They observed the effectiveness of U.S. electronic warfare forces operating against Iraq during the first Gulf war. Afterwards, Russian doctrine began to reflect the realization that these new cyber/electronic weapons would be directed at the most important political and economic systems (electronic intelligence) without direct contact with opposing forces. This would include obtaining unauthorized access to information resources through the use of software and hardware for penetrating the systems protecting enemy information systems, the purpose being to destroy, distort, and disrupt the normal operations of military, governmental, and critical infrastructure systems. Modern net-centric military warfare requires information to be reliable, precise, and complete, with the ability to deliver that information to the war fighter in a timely manner. Disrupting and denying this information flow would help offset the tremendous advantage enjoyed by Western forces.

In December 1996, the Chief of the Russian General Staff, General Viktor Samsonov, captured the future direction of the Russian military: “The high effectiveness of information warfare systems, in combination with highly accurate weapons and non-military means of influence, make it possible to disorganize the system of state administration, hit strategically important installations and groupings of forces, and affect the mentality and moral spirit of the population.” In other words, the effect of using these means is comparable to the damage resulting from weapons of mass destruction.

The Three Pillars of Russian Information Warfare

Since the mid-1990s, Russia has engaged in strategic persistence to develop the doctrine, strategy, and tool set for implementing its IW capacity. This doctrine has been implemented operationally through three pillars representing the totality of actions needed to ensure victory over the opponent in the information sphere.

Reconnaissance in force: This involves a complex set of measures for acquiring information on the opponent and on the conditions for achieving victory in a conflict. It includes an assessment of both natural and manmade factors (e.g., radio electronic, meteorological, geologic, and engineering assessments, communication infrastructure, enterprise information networks, critical infrastructure, etc.). Prior to cyber operations and other means of attack, all targets should be identified and assessed for vulnerabilities. This focuses on enemy information systems, especially command and control systems.

Surveillance and penetration: The object is to gain knowledge of the enemy’s information support for troops, communications, and weapon control systems (information opposition). It also includes critical infrastructure in private hands, governmental structures, and the media. Once this knowledge is acquired, planning is undertaken to develop measures to block the acquisition, processing, and exchange of information. This includes the delivery of disinformation to all levels of the enemy’s information support apparatus. Targets include communications systems, the whole gamut of media hardware and software that shapes public perceptions, space-based sensors, relay systems, automated aids to financial, banking and commercial transactions, and power production and distribution systems.

Russian-developed software has been identified throughout U.S. critical infrastructure and is a top national security concern. On October 29, 2014, the U.S. Department of Homeland Security dramatically announced that several industrial control systems had been infected by a variant of a Russian Trojan horse malware program called BlackEnergy. Infected products included GE, Siemens and Advantech/Broadwin software responsible for portions of the U.S. critical infrastructure. According to DHS, various sectors were targeted, including “water, energy, property management and industrial control systems vendors.”

Russian doctrine requires plans to be developed to deny enemy access to external information, and that credit and monetary circulation should be disrupted. The populace should be subjected to a massive psychological operation—including disinformation and propaganda.

Disinformation in the U.S.

The New York Times Magazine reported a dramatic incident that occurred on the anniversary of September 11th in 2014. Duval Arthur, the director of the Office of Homeland Security and Emergency Preparedness for St. Mary’s Parish, Louisiana, received a call from a resident describing a text message she had received: “Toxic fume hazard warning in this area until 1:30 PM,” the message read. “Take Shelter. Check Local media and columbiachemical.com.” St. Mary’s Parish is home to many chemical and gas processing plants. Director Arthur knew of no chemical release that morning, nor of any Columbia Chemical. Twitter began lighting up with hundreds of accounts documenting a disaster down the road. “A powerful explosion was heard from miles away happened at a chemical plant in Centerville, Louisiana #ColumbiaChemicals,” a man named Jon Merritt tweeted. The #ColumbiaChemicals hashtag was full of eyewitness accounts of the horror in Centerville. In another post, @AnnRussela shared images of flames engulfing the plant. @Ksarah12 posted a video of surveillance footage from a gas station capturing the flash of the explosion. Others posted images of thick black smoke. Dozens of journalists and media outlets from Louisiana to New York City received similar posts on their Twitter accounts. Some indicated that ISIS had taken credit for the action.

Eventually, a private company named “The Agency,” operating out of a nondescript office building in St. Petersburg, Russia, was identified as involved in these placements for this elaborate hoax. “The Agency” employs an army of well-paid “trolls” who tried to wreak havoc around the Internet and in real-life American communities. This was a coordinated disinformation campaign by a “private” company conveniently providing deniability for the Russian government. Cloned websites of local Louisiana television stations and newspapers were even set up, filled with doctored images. A YouTube video of a man watching fake TV coverage of the fictitious incident was also doctored, tailor-made for the hoax. A Wikipedia page was constructed that cited the fake YouTube video. Was this a test of a new weaponized information capability? There is no definitive answer.

The Spiritual Dimension of Information

Russian IW policymakers at the strategic level have approached information-related developments as integral and essential to war fighting success. They also understand the “spiritual” or moral dimension of information and how important it is to maintain domestic support and to erode the war fighting will of an adversary. In the 2008 Georgia war, one of the first casualties was access to external and internal news. This led to panic among much of the population. Similarly, the fake Columbia Chemical disaster might very well have been a test of how American communities respond to disinformation operations.

Active defense and offensive operations: Active information defense is the means of defending against the opponent’s information opposition (offensive operations). Russia has a well-developed offensive cyber attack program. It has developed tactics and weapons designed to produce dominance in the information “battle space,” tested in Georgia and Ukraine. In Ukraine, cell phone networks and Internet connections were disrupted and shut down, government websites were overwhelmed with DDoS attacks, social networks were corrupted, and Internet and telephone cables were cut by pro-Russian forces. Russian Special Forces attacked the Ukrtelecom base in Crimea and installed equipment that blocked the cell phones of members of the Ukrainian government and legislative branch deputies.

As we have observed in Ukraine, cyber weapons have been used to infect government and non-government systems with computer viruses, logic bombs, Trojans, and botnets to suppress the exchange of information in telecommunications networks, and to block the transmission of needed information with DDoS attacks. Techniques (downloaders, droppers) have been developed, or acquired and adapted from criminal gangs, to introduce viruses and malware into state and corporate information networks. These realities can threaten our very existence. The question concerns not only defense but, more importantly, resilience. Do we have the necessary preparedness and capacity to survive these challenges in the event of a coordinated attack by a nation state or states?

Since the collapse of the Soviet Union, Russian military strategic planners have continued to develop doctrine and strategies to adjust to the new reality of the world they confront. Today, these are being tested outside Russia. Given the imbalance in conventional military capabilities, both Russia and China have developed asymmetric responses to our global power and dominance – particularly against the weaknesses and vulnerabilities of our technologically driven society and military. History has shown that Americans and Europeans perceive peacetime as more than a period without war. Other countries have different perceptions of such a period and use it to better position themselves for future conflict. Russia’s image of itself as a world power did not evaporate with the end of the Soviet Union. Its ambitions remained, and now, with a resurgent leader and new international bad-boy status, Russia is flexing its military and diplomatic muscle. With such a view, concentration on indirect methods of attack that offer deniability and benefits such as technology theft is attractive. Another is building pre-emption capabilities and doctrine that represent a modern companion to the unthinkable calculus of a nuclear strike out of the blue.

One of the most powerful ways to defend our technologically dependent society from these and other threats is to build significant resilience capacity, especially in our electrical power networks. This does not need to be done by brandishing a Russian flag to alarm the public. It can be done on the basis of other natural threats, such as the potential for a space-based EMP event that could result in loss of electrical power for up to a year. Another step would be the elevation of U.S. Cyber Command to a Combatant Command. These would be good places to start, and an important deterrent against adventurism and miscalculation.

Paul M. Joyal is the Managing Director for Public Safety at National Strategies and former Director of Security for the Senate Intelligence Committee.