The Center for European Policy Analysis (CEPA) recently published a 38-page study, Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities, by two esteemed researchers, Irina Borogan and Andrei Soldatov.
The opening premise is that Russia has not demonstrated its cyber warfare adroitness in support of its invasion of Ukraine.
Whether the Russians tried and their efforts failed, due either to the capabilities of Ukraine’s cyber defenders or to leadership meddling that disrupted the execution strategies of the professional cyber warriors, hasn’t yet been revealed.
What is evident is that the Ukraine example has called into question whether the Russian playbook is technologically focused, and suggests that the political quotient is much more in play than perhaps previously suggested.
History of Russian cyber operations
The authors take the reader through a tour de force on the history of cyber operations, outlining the roles played by the “Key Russian cyber actors,” which included the Federal Security Service (FSB), 16th Director of the FSB—Center for Intelligence in Communications (FAPSI), Foreign Intelligence Service (SVR), Military Intelligence Service (GRU), Presidential Administration/Security Council, and the Russian cyber security companies.
They go on to say that Russian collaboration and coordination in offensive cyber operations is best described as “remarkably fluid and informal.” This provides an informal definition of the playbook being exhibited, though it is likely not etched in pencil, let alone granite.
The authors identify four characteristics of the Russian system of cyber operations:
- Coordinated through a set of political processes centred on the Presidential Administration and the Security Council, rather than a traditional, military-style command structure
- Characterised by significant overlap in mission and capability, often leading to competition for resources and sometimes to problems of coordination and conflict
- Subject to a significant degree of informality and political maneuvering, as different actors report to the Presidential Administration and Security Council via different channels and with differing degrees of accountability
- Heavily dependent on the private sector for training, recruitment, and technology, leading to a high degree of informal interagency integration at the grassroots level
For those lacking a firm grounding in the evolution of Russian cyber operations, the report walks you through exemplars from 1991 through 2016, when the involvement of Russia in influencing and affecting elections in the West was laid bare. That year ended with an internal dust-up and arrests, within the FSB and the Russian private sector, of personnel involved and believed to have let the cat out of the proverbial bag to the West, specifically the United States.
The walk through Russian cyber operations continues from 2017 to 2022 and includes the creation, within Russia, of the National Computer Emergency Response Team (CERT).
Russian cyber security talent leaving for the West
Of particular note, especially given the current exodus of cyber talent from Russia by those who are voting with their feet in response to Russia’s invasion of Ukraine and the resulting embargoes and crippling sanctions, is the manner in which Russia has historically addressed its cyber and information operations personnel pipeline.
As in the West, a finite number of individuals are available to fill an ever-increasing number of cyber security or cyber operations roles. The report suggests the personnel shortage is not an issue in Russia (pre-Ukraine invasion).
In 2015 the Ministry of Defense set up the ARSIB (Association of CISOs) as a means to raise the collective tide within the Russian cyber security world. The ARSIB hosts CTF competitions at universities as well as multi-day hackathons.
The country’s polytechnic schools have historically been given resources to produce talent, and the recruitment of personnel, both within the ethical cyber community and the resident criminal cyber community, is a natural segue, snapping up the talent from the academic pipeline.
The authors posit that today the Kremlin is much like the Soviet era where acquiring talent is concerned, creating education pipelines to “make sure that enough talent and resources are available for Russia’s cyber operations on a global scale.”
One of the recommendations made by the authors, which should absolutely resonate with every CISO who has hired personnel who have recently emigrated from Russia, is to provide them training opportunities that touch on ethics and the rule of law.
Russia’s strength comes from its creation of cadres of personnel to fill its pipeline; that is, until such time as the flow of trained personnel to the West causes shortages of personnel.
Soviet roots shape Russian cyber activities
In closing, the report draws four conclusions:
- Russia does not have a true cyber command. There is no clear delineation of operational responsibility and no uniform system of reporting and accountability.
- The organisational, strategic, and cultural differences that characterise Russia’s various military and security agencies in the conventional field do not carry over into cyber operations.
- The lack of a true cyber command appears to mean that agencies tend to apply conventional approaches to cyber, rather than developing command-and-control approaches tailored to the cyber domain.
- Russia’s cyber-active state, quasi-state, and non-state cyber actors share roots in the Soviet and early post-Soviet SIGINT and cyber spheres — roots that continue to shape how Russian cyber functions to this day.