The coordinated international action targeting hostile Russian cyber operations represents a real determination by Western governments not to leave cyber an uncontested space for Russia. But the question remains as to what steps governments can take that will actually deter Russia from continuing their hostile cyber operations.
Unlike some of its allies, the UK government historically avoided naming and shaming hostile cyber activity by foreign states. But things have changed, and over the last twelve months the UK has called out Russia in particular a number of times over specific cyber attacks. November 2017 statements by Prime Minister Theresa May and by Ciaran Martin, the CEO of the National Cyber Security Centre, cited Russian state sponsored attacks on the UK media, telecommunications and energy sectors.
Now we have a step change in this approach with a set of coordinated international actions, including attribution of multiple attacks to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, Russia’s military intelligence agency commonly known by its old GRU acronym, led by the UK’s National Cyber Security Centre (NCSC). The US has also indicted seven named GRU officers for illegal cyber operations, and the Dutch government has recently revealed how a GRU close access operation (a type of technical interception or cyber operation that requires close physical access to the intended target for it to be successful) was disrupted, in a way that revealed embarrassing failures in Russian tradecraft.
While the coverage of the failed GRU close access operation targeting the Organisation for the Prohibition of Chemical Weapons in the Hague might have been the most eye-catching part of the story, it is important not to draw the wrong conclusions from that incident. More interesting is the NCSC’s statement attributing a range of cyber operations to the GRU; this indicates a capability and ambition of serious proportions.
The NCSC statement shows GRU cyber activity across the spectrum from the disruption of critical national infrastructure, through intelligence gathering, to information operations including those designed to disrupt the democratic process. This represents an ambitious and wide-ranging hostile cyber programme, aiming to exploit the full potential of internet operations. The targets are broad as well: foreign governments of course, but also international organisations and political parties, as well as industry, including companies that build the technology that lies at the heart of the global telecommunications system.
The GRU operations reflect cyber responses to a broad range of Russian requirements, from the very tactical to the strategic. Operations apparently aiming to deliver timely intelligence on the response to the Russian attack in Salisbury, or to highlight potential doping issues by Western athletes to draw attention away from Russian transgressions at the Olympics, sit alongside more strategic attacks aimed at enabling large scale intelligence gathering by attacking communications routers on a global scale.
Much of the media coverage of the Dutch operation revelled in the apparent GRU incompetence, and the embarrassment this will cause to Russia. But to conclude that the GRU is no better than the Keystone Kops risks missing the point: the GRU is by no means the first intelligence agency to be guilty of sometimes sloppy tradecraft, and it certainly won’t be the last.
And the failings of a team carrying out what is really a pretty low level, low tech, old school close access operation should not blind us to the broader point. In the words of Ciaran Martin ‘Russia is our most capable hostile adversary in cyberspace’. The GRU has a global and sophisticated cyber capability. Certainly, for some of their operations they make use of basic techniques like phishing or the sort of operation revealed in the Hague. But that is because those techniques continue to work, rather than because that is the most the Russians are capable of.
Their targeting of telecommunications infrastructure, for example, shows an ambitious and strategic capability designed to position them both to collect intelligence at scale and be in a position to disrupt global telecommunications at a time of their choosing. When the NCSC, the US’s FBI and the US Department of Homeland Security revealed this activity earlier this year, they acknowledged it had already been going on for at least three years.
That brings us to the question of what can be done to deter Russian action. Naming and shaming is a start, and the shift in the UK government’s position to a much greater willingness to do so should be applauded. But few can be under any illusion that this alone will dissuade Russia from continuing with their cyber campaigns. Hostile cyber activity of many kinds has been widely and convincingly attributed to Russia for years, without any apparent impact on them. Indeed, arguably the Russians seem less bothered about being found out than in the past, and probably see some attribution of successful attacks to them as being part of the effect they are looking for.
Still, attribution is a start; it gets the issue on the table and sends a signal. But it needs to be accompanied by other measures. The UK has indicated, unsurprisingly, that all options are on the table. Some have seen this as meaning some UK offensive cyber counter attack is on the cards. But this feels wide of the mark.
Behind the scenes, Western agencies will be looking at covert operations that could deny or degrade GRU cyber capability. Jeremy Fleming, GCHQ’s Director, spoke recently about offensive cyber techniques that have been used against Daesh (also known as the Islamic State of Iraq and Syria, ISIS). Similar capabilities and techniques could potentially be brought to bear against the GRU, should the stars align. But there is no silver bullet here, and cyber operations are unlikely to be the main effort in countering Russian activity. This is not a binary equation; there is no reason why a cyber attack by Russia is best responded to by a cyber counterattack from the West.
In practice, other tools should be turned to first, such as indictments (a route the US has followed on a number of occasions now) and sanctions. But even then, there are considerable questions as to how best to leverage these measures so as to really achieve the desired outcome. There is as yet no strong evidence base of measures that have truly deterred cyber activity by hostile states.
If the UK is showing a new commitment to increasing the cost for Russia of its hostile cyber activities, the other key point to note is the international character of the response. Building on the remarkable coordinated international response to the Salisbury poisonings, the recent revelations about GRU activities very deliberately involved a multinational effort. We are likely to see more of this, and it should be no surprise that the UK has close operational relationships with allies across the spectrum. Many allied agencies from states beyond the Five Eyes have highly developed capabilities and there is close partnering. This is likely to be increasingly leveraged to expose and counter Russian operations, complemented by coordinated political action.
Recent events show a clear statement of intent by the UK to take more active steps to counter Russian cyber operations, consistent with the response to the Salisbury poisonings. The eye-catching details from the Hague may be intriguing, but we must not draw the wrong conclusions from them. The GRU is a capable, aggressive and ambitious cyber adversary, deploying tactical and strategic operations globally across the full spectrum of cyber. Attribution by itself is unlikely to make much difference to the Russians, but it is a start, and arguably not before time. The challenge now is to maintain and strengthen the international response, and implement strategic measures that inflict sufficient pain on Russia so that they curb at least the most egregious of their activities. This may be easier said than done, but there does at least seem to be a new impetus to find ways to do so.
The views expressed in this Commentary are the author's, and do not necessarily reflect those of RUSI or any other institution.
Written by Conrad Prince CB, Distinguished Fellow and Senior Cyber Adviser