14 October 2021

Hybrid Warfare and Active Measures

Gabriel Lloyd

Introduction

Since Vladimir Putin’s inauguration as Russia’s president following the tumultuous tenure of Boris Yeltsin, Russia has implemented a coordinated policy of conventional espionage measures, cyber intrusions, and information operations targeting the United States. Validated on the multi-domain battlefields and computer networks of vulnerable Baltic neighbors, Russia’s active campaigns of intelligence and influence operations have caught the United States off-guard. Four successive U.S. presidential administrations have grappled with Russian aggression, but U.S. responses have consistently lacked cohesion, strategy and effectiveness in deterrence. Russia’s weaponization of social media and willingness to attack the foundations of American democracy have made the development of a coherent U.S. strategy a matter of urgent national importance. By examining the underlying doctrine of hybrid warfare, the specific tactics that Putin’s Russia is using against the United States and highlighting recent U.S. responses to Russian espionage and cyber influence campaigns, this paper identifies the potent tools and patterns of hybrid warfare strategy that collectively constitute a growing threat to U.S. national security. While hybrid warfare falls short of conventional military conflict in the metric of physical destruction, its deleterious effects on American security are undeniable and suggest the need for a long-term, comprehensive strategy from the United States.

Hybrid Warfare

Modern Russian intelligence operations, cyber intrusions and influence operations have found both potency in the proliferation of social media technologies and a receptive target in the existing political and social divisions in the United States. Media reports, including dramatic documentaries and breathless biopics on the ten Russian “illegals” arrested in 2010, create perceptions of either a newly developed Russian playbook or a full-scale return to the Cold War era of spy-vs-spy. Neither perspective is entirely accurate. Russia under Putin pursues transparent foreign policy objectives aimed at strengthening Russian prestige on the international stage, diminishing American unipolar global power, and fundamentally shifting the existing international power structure. An evaluation of Russia’s policy objectives by the Baltic Bulletin succinctly encapsulates Putin-era attitudes towards the international system, observing that “Russia seeks to gain superpower status and to reshape the rules of the international system so that Western domination ends and a multipolar world order emerges,” and notes that Russia has no interest in “seek[ing] cooperation with Western countries on equal terms without challenging the current status quo.”[i] The novel set of tools that Putin-era Russia uses against the United States in pursuit of these ends exists within the larger construct of the Gerasimov Doctrine and hybrid warfare.

Analysts have used a myriad of terms to describe the fusion of Russian espionage, cyber and information operations, but all three are best explained as elements of a Russian hybrid warfare strategy. Hybrid warfare “refers to Moscow’s use of a broad range of subversive instruments, many of them nonmilitary, to further Russian national interest.”[ii] While not a term Russian officials use themselves, the concept incorporates the espionage, cyber and information operations directed at the United States, as well as a range of other military and government actions against neighboring Baltic states, European Union powers, and other regional and global competitors. RAND Corporation political scientist Christopher Chivvis’ conceptual framework for hybrid warfare, which offers three defining characteristics and six common tools, clarifies the nature of the Russian hybrid warfare threat to the United States.

Russian hybrid warfare is not a military strategy or a diplomatic one, but rather a fusion of seemingly disparate elements of government operations into a unified instrument of national power. Chivvis observes that hybrid warfare “economizes the use of force…it is persistent…[and] it is population centric.”[iii] Nuclear deterrence, massive infantry and artillery formations, and secret submarines remain elements of the Russian vision of national security, but the post-Cold War atrophy of Soviet power has left Russia in search of long-running, cost-effective and partially hidden strategies that will achieve in the long-term what it is impossible for a militarily overmatched Russia to achieve through military hardware alone. Cyber tools, information operations, and espionage are not tools for occasional use. Instead, “hybrid war breaks down the traditional binary delineation between war and peace…hybrid war strategies are always underway, although at certain moments they may become more acute and intense or cross over into conventional combat operations.”[iv] A diverse array of tactics support ongoing hybrid warfare operations, including information operations, cyber operations, the use of proxy forces, economic influence, clandestine (intelligence) operations, and political influence.[v] All six elements are present in increasingly bold Russian efforts focused against the United States over the past decade.

While he does not specifically use the term hybrid warfare, Valery Gerasimov’s professional writings provide the clearest open-source view into modern Russian strategic thinking and lay the conceptual foundations for understanding recent Russian operations against the United States. Gerasimov, the Chief of the General Staff of the Russian Armed Forces, describes a global “tendency toward blurring the lines between the state of war and peace,” and notes of the Arab Spring and Color Revolutions that “a perfectly thriving state can, in a matter of months and even days, be transformed into an arena of fierce armed conflict, become a victim of foreign intervention, and sink to a web of chaos, humanitarian catastrophe, and civil war.”[vi] Running through Gerasimov’s writing is an articulated sense of Russian vulnerability to dangerous global trends, and of the need for a strong, nationally unified response. Strikingly, Gerasimov asserts that “the very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has grown and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”[vii] Timothy Thomas, a retired U.S. Army lieutenant colonel and senior analyst at the Foreign Military Studies Office, while downplaying the novelty of Gerasimov’s writings, observes that “Gerasimov’s speech is…the first to express the observation that in contemporary conflict, nonmilitary methods are being used at a ratio of 4:1 relative to military methods.”[viii] This conception of hybrid warfare, obliquely referenced by the top Russian military officer in open publications, represents the foundational strategic vision upon which Russia builds its espionage, cyber, and influence operations.

Espionage, Cyber Operations, and Internet-Based Information Operations

Hybrid warfare can take many forms, from subtle information operations to full scale military altercations. The primary tools Russia has used against the United States in the 21st century fall into three categories: espionage operations, cyber intrusions and hacks, and information or influence operations. Russian strategists combine these three types of tools into interdependent hybrid warfare strategies. Executed primarily through Russia’s compartmentalized state security organizations, these tools retain distinct similarities to Soviet operations during the Cold War and have achieved outsized effects through the leverage of technology. Thomas Rid describes the fusion of intelligence and targeted disinformation campaigns in the 1960s, in which intelligence agencies ran deliberate disinformation campaigns as an element of so-called political warfare. By the late 1970s, “disinformation became well-resourced and fine-tuned…lifted to an operational science of global proportions, administered by a vast, well-oiled bureaucracy.”[ix] This fusion of intelligence and information operations became widely known as ‘active measures.’ While the fall of the Soviet Union and breakup of the KGB largely paused such operations in the 1990s, Putin-era Russia has fused traditional conceptions of active measures with innovations in cyber warfare and social media to create modern active measures that have been used against the United States with alarming effectiveness.

Traditional espionage operations are the foundation of active measures campaigns, both of Cold War and 21st century varieties. While Russian intelligence operations are most associated with the recruitment of American spies like Robert Hanssen or Aldrich Ames, U.S. intelligence officers whose placement and access gave them classified information they could sell to Russian intelligence, traditional agent recruitment is only one facet of the Russian intelligence domain. The 1960s and 1970s saw KGB intelligence officers spearheading disinformation campaigns. Today, disinformation remains a vital part of the Russian security services’ repertoire. Gordon Corera, referencing the ten Russian sleeper agents or “illegals” arrested and traded in 2010, notes that observers downplayed the threat these operatives posed because they did not acquire classified material. Corera contends they were engaged in the 21st century hybrid warfare version of Cold War information operations, a phenomenon as dangerous as the compromise of classified information. Corera poses the question “what if spies are not after secrets but influence?” and observes that “the Kremlin’s agents have learned to marshal espionage, influence operations, and use technology in a novel way as they engage in a conflict with the West that for many years went unrecognized.”[x] Despite the necessary attention paid to internet-based information operations and cyber methodologies in the wake of the 2016 U.S. presidential election, traditional Russian intelligence operations remain a major element of Putin’s strategy against the West.

The recent implication of Russian security services in the targeting of former Russian intelligence officers exiled in Europe has added a troubling dimension to Russian espionage operations. In 2006, former F.S.B. officer Alexander Litvinenko died in London after polonium-210 was surreptitiously placed in his tea. Similarly, in 2018 Sergei Skripal, a former G.R.U. officer traded in the 2010 spy swap for the ten Russian illegals, narrowly survived exposure to the nerve agent Novichok in Salisbury. Just as with cyberattacks, ironclad attribution of such operations is difficult to achieve. A long-running British inquiry into Litvinenko’s death concluded the attack was probably ordered by Russian authorities, but Russia refused to extradite the leading suspects for prosecution. In Skripal’s case, British police charged two G.R.U. officers who had travelled under the names “Alexander Petrov” and “Ruslan Boshirov”; open-source investigators subsequently identified them as Anatoly Chepiga and Alexander Mishkin, and research revealed Putin had previously awarded both men state honors for their service.[xi] Russian assassinations of defectors have not reached America’s shores, but the brazenness of these operations, and the poisoning of Russian opposition leader Alexei Navalny in 2020, point to the incorporation of Cold War-era assassination techniques into the hybrid warfare playbook. An assassination on American soil, while unlikely, is far from impossible.

The 2020 Russian government cyber intrusion into United States federal government computer systems through the compromise of SolarWinds represents the latest in a long line of offensive cyber operations Russia has perpetrated against the United States and NATO allies. These cyber intrusions are another interconnected facet of Russia’s hybrid warfare strategy. At least since the 2007 distributed denial-of-service attacks on neighboring Estonia, Russia has demonstrated a willingness to use cyber tools to steal information and government secrets, disrupt internet commerce, and sow disinformation. Oliver Fitton identifies the potency of these cyber tactics, as well as the United States’ difficulty in defending against them, noting “cyber operations are difficult to attribute and, in some cases, deniable even if a degree of attribution is possible…the potential for both ambiguity and effectiveness means that cyber operations are very likely to be employed” as part of a hybrid warfare strategy short of outright conflict.[xii] A closer examination of the SolarWinds attack serves as a useful case study in offensive cyber operations as distinct from cyber-enabled information operations.

The SolarWinds hack, identified by private sector and U.S. government officials in December 2020, represents arguably the most serious state-sponsored cyber-attack targeting the United States, and the clearest indication yet that Russia is actively engaged in a policy of offensive cyber operations within a larger hybrid warfare strategy. The hack also illustrates the sheer effectiveness of state-sponsored cyber operations. In this “supply chain” attack, Russian operators compromised the build environment of SolarWinds, a company whose Orion software was widely used to monitor and manage IT infrastructure. Rather than breaking into each victim directly, they inserted a backdoor into Orion’s own periodic software updates; because the trojanized updates were produced and signed through SolarWinds’ legitimate release process, customers’ update mechanisms installed them as trusted vendor code, and the backdoor gave the operators a foothold in government and private sector networks from which to deploy further malware. Unclassified networks at the Pentagon, Department of Homeland Security, State Department, Department of Energy, National Nuclear Security Administration, and Department of the Treasury experienced widespread compromise. The attack was ongoing for months before its December discovery. Tom Bossert, former Homeland Security Advisor to President Trump, describes the massive extent of this hack, positing that “the Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further gain administrative control over the networks.”[xiii] The S.V.R.’s unimpeded access for the better part of a year makes it difficult for experts to assess what other systems may be compromised, and the exact purpose of the attack. Speculating on possible Russian strategy, Bossert assesses that “the actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data…in the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation—both hallmarks of Russian behavior.”[xiv] Just as the use of sleeper agents in conventional espionage operations supported an end goal of facilitating Russian influence campaigns, the SolarWinds cyberattack, too, creates infrastructure to support information operations.
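The mechanism described above is worth making concrete, because it is the point practitioners most often miss: a vendor signature proves that the vendor released the artifact, not that the artifact is what the vendor’s source code says it should be. The following Go program is an added illustration written for this page; it is not SolarWinds’ code, nor code from any of the cited sources. It models a vendor that signs whatever its build pipeline hands it, then compares two consumer-side checks: signature verification, which a trojanized build from a compromised pipeline passes, and an independent reproducible rebuild, which it fails. Ed25519 stands in for the vendor’s real signing scheme, the “build” is a deterministic string transform, and the source tree and implant are constructed inputs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a signed update as a vendor would publish it: the artifact bytes
// plus a detached signature over the artifact's SHA-256 digest, made with the
// vendor's release-signing key.
type Release struct {
	Name      string
	Artifact  []byte
	Signature []byte
}

// Vendor holds the release-signing key pair. Ed25519 is an assumption standing
// in for whatever signing scheme a real vendor uses; the point of the scenario
// is that the key itself is never stolen, only the build pipeline is subverted.
type Vendor struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewVendor generates a fresh release-signing key pair.
func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{Pub: pub, priv: priv}, nil
}

// Publish signs whatever the build pipeline handed over. The vendor has no
// independent view of what the pipeline did to the source.
func (v *Vendor) Publish(name string, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{Name: name, Artifact: artifact, Signature: ed25519.Sign(v.priv, digest[:])}
}

// honestBuild stands in for a clean, deterministic build pipeline (assumption:
// the build is a pure function of the source, as a reproducible build should be).
func honestBuild(src []byte) []byte {
	return append([]byte("BIN:"), src...)
}

// trojanizedBuild stands in for a build pipeline an intruder has altered: it
// emits the honest artifact with an implant appended. The vendor signs it
// exactly as it would sign a clean build.
func trojanizedBuild(src []byte) []byte {
	return append(honestBuild(src), []byte("\n<constructed implant>")...)
}

// VerifySignature is the check most update clients perform: is the artifact's
// digest signed by the vendor's key? It detects tampering after signing, not
// tampering before it.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Artifact)
	return ed25519.Verify(pub, digest[:], r.Signature)
}

// VerifyReproducible is the supply-chain check: rebuild from the same source in
// an independent environment and compare digests. A signed artifact from a
// compromised build system passes VerifySignature but fails here.
func VerifyReproducible(r Release, src []byte, independentBuild func([]byte) []byte) bool {
	want := sha256.Sum256(independentBuild(src))
	got := sha256.Sum256(r.Artifact)
	return bytes.Equal(want[:], got[:])
}

// DigestHex returns the hex SHA-256 of an artifact, for display.
func DigestHex(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

func main() {
	v, err := NewVendor()
	if err != nil {
		panic(err)
	}
	src := []byte("constructed sample source tree") // constructed input, not a real release
	releases := []Release{
		v.Publish("clean", honestBuild(src)),
		v.Publish("trojanized", trojanizedBuild(src)),
	}
	for _, r := range releases {
		fmt.Printf("%-10s sha256=%s… signature_ok=%v reproducible=%v\n",
			r.Name, DigestHex(r.Artifact)[:16], VerifySignature(v.Pub, r), VerifyReproducible(r, src, honestBuild))
	}
}
```

Running it shows both releases passing the signature check and only the clean one passing the rebuild comparison. The design point is that signature verification answers “did the vendor sign this?” while reproducibility answers “does this correspond to the published source?”; a compromised build system defeats the first question by construction, so a consumer who wants protection against that class of attack needs the second check, or an equivalent independent attestation of the build.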

The United States has largely recognized its vulnerability to cyber operations and traditional espionage for years, yet Russia’s ability to weaponize social media as part of influence operations caught most Americans unprepared. Beginning in 2014, the Internet Research Agency, a St. Petersburg-based Russian troll farm, used the tools of online marketing to implement information operations and propaganda campaigns on behalf of the Russian security services targeting U.S. citizens. “What we have here is a multi-strategy, multithreaded approach to influencing and to dividing,” observes Renée DiResta, technical research manager at the Stanford Internet Observatory.[xv] Between 2014 and the 2016 U.S. elections, the Internet Research Agency and the Russian GRU created more than 20 social media influence campaigns targeting 13 countries.[xvi] Meg Kelly and Elyse Samuels of the Washington Post provide an illuminating and alarming summary of these operations, noting “Russian operatives weaponized social media, using services and techniques that were designed by technology companies for advertisers. They co-opted traditional media by sharing hacked information and spreading sensationalized stories through fake online personas. They updated long-standing propaganda tactics with inauthentic behavior on social media and in traditional media to reach voters in the digital era.”[xvii] Social media provided a mechanism for Russia to link traditional espionage-based influence operations and cyber-attacks into a unified, potent weapon that is difficult to detect or prevent. Just as Gerasimov’s conception of hybrid warfare seeks to synchronize warfighting domains, Russian active measures in the 21st century combine the effects of previously separate security and intelligence disciplines.

Inconsistent and Nonexistent United States Policies

Broad consensus exists in policymaking and analytical communities that the threat posed to U.S. national security by Russian espionage, cyber operations and multi-discipline active measures is both serious and growing. Creating a comprehensive response strategy, however, has proved difficult for leaders of both political parties. Response, too, is only part of the solution. United States policy should consist of both deterrence and response elements, proactive and reactive measures to limit Russia’s ability to achieve its long-term strategic goals of reshaping the existing international system. This section will examine a sample of U.S. responses to espionage, cyber, and information operations campaigns.

United States responses to Russian espionage operations have changed little since the Cold War. The expulsion of Russian spies with diplomatic credentials or the trade of ‘illegals’ for imprisoned U.S. intelligence assets are not novel techniques. Past administrations have struggled, however, to balance punitive actions with a desire not to destroy bilateral relations with Russia. In response to the Russian cyber-attacks on the Democratic National Committee (DNC) in 2016, for example, the Obama administration ordered the expulsion of 35 Russian intelligence officers operating under diplomatic cover, closed two Russian government-owned compounds in Maryland and New York, and imposed a litany of new sanctions on Vladimir Putin’s government and on private corporations accused of serving as fronts for Russian intelligence operations. Administration officials hinted at other covert response measures, but open-source details are not available.[xviii] The capture of ten Russian ‘illegals’ in 2010 presented a challenge rarely seen since the Cold War, as none of the accused intelligence operatives had diplomatic immunity. Under such circumstances criminal prosecution remains an option; the Obama administration, however, elected to trade the ten agents for four Russians who had spied for the United States and Britain before being imprisoned in Russia on espionage-related charges. The expulsion or swap of intelligence officers comes at a cost for the Russian intelligence services, as these officers have years of experience and contacts in the United States. There is little evidence, however, that the threat of expulsion alone has any deterrent effect. Instead, Russia factors in such risks as the cost of doing business in the intelligence profession. Expulsion of known intelligence officers can also make future counterintelligence operations more difficult, as the FBI must identify new intelligence operatives rather than surveilling known ones.

U.S. responses to Russian security services’ targeting of dissidents have also adhered largely to a Cold War playbook of expulsion and sanctions. In response to the 2018 poisoning of former Russian intelligence officer Sergei Skripal, the Trump administration announced the expulsion of 60 Russian diplomats (many of them likely intelligence officers) and the closure of the Russian consulate in Seattle. With no requirement to permanently reduce manning levels at diplomatic missions, however, all 60 were in time replaced with some combination of legitimate diplomats and intelligence officers.[xix] Despite the severity of the assassination allegations, the United States sought once again to balance a ‘proportionate response’ with a desire to preserve some level of amity in bilateral relations with Russia.

Cyber-attacks and hacks pose distinct challenges to U.S. authorities. First, attribution of cyber-attacks can be a difficult and lengthy process. Herbert Lin, a senior researcher at the Center for International Security and Cooperation at Stanford University, notes that “all attribution judgements are necessarily accompanied by some measure of uncertainty…attribution of malicious cyber activity can be to a machine, to a specific human being pressing keys…and to a party that is deemed ultimately responsible for that activity.”[xx] Just as the United States takes technical measures to hide its involvement in cyber operations, Russia, too, operates through a web of proxies, front companies, and false credentials and certificates. Second, cyberwar and cyber espionage are distinctly different activities. The SolarWinds intrusion, while damaging to U.S. national security, was not an act of cyberwar, but rather another form of intelligence collection. Erica Borghard notes that “to call [SolarWinds] a cyberattack would be off the mark. At this point, the operation appears to have been espionage to steal national security information, rather than to disrupt, deny, or degrade US government data or networks…Espionage is an accepted part of international statecraft, one that states often respond to with arrests, diplomacy, or counterintelligence. In contrast, an attack (even a cyberattack) has international and domestic legal ramifications that could allow states to respond with force.”[xxi] The United States treats Russian cyber intrusions and hacks as espionage and has traditionally used the associated tools of statecraft in response, primarily diplomatic expulsions and limited sanctions.

The Biden administration’s response to the SolarWinds hack, announced on April 15, 2021, shared many similarities with previous U.S. responses to state-sponsored cyber intrusions, but sought explicitly to establish clear public attribution. President Biden signed an executive order broadening sanctions authorities against Russia; the same day, the White House announced the expulsion of ten personnel from Russia’s diplomatic mission in Washington, DC, and the Treasury Department sanctioned 32 individuals and entities “carrying out Russian government-directed attempts to influence the 2020 U.S. presidential election, and other acts of disinformation and interference.”[xxii] Additionally, the White House explicitly named “the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform,” stating that “the U.S. Intelligence Community has high confidence in its assessment of the attribution to the SVR.”[xxiii] Finally, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation issued a joint advisory entitled “Russian SVR Targets U.S. and Allied Networks,” publicizing the SVR’s tradecraft and the publicly known vulnerabilities it exploits, so that network defenders could blunt the effectiveness of future Russian cyber espionage operations.[xxiv]

The Biden administration’s decision to address both cyber espionage (SolarWinds) and social media-enabled election interference with a unified response is evidence of a dawning recognition that Russian hybrid warfare techniques are elements of a unified strategy rather than isolated incidents of concern. In 2018, the Trump administration sanctioned five Russian entities and 19 individuals for cyber activity related to the 2016 election but hesitated to pursue more lasting policy changes. By 2019, however, the Trump administration acknowledged the vulnerability of the U.S. election system and warned that technological advances would only increase the risk of foreign interference. In a notice to Congress continuing the national emergency declared over foreign election interference, Trump wrote that “the ability of persons located…outside the United States to interfere in or undermine public confidence in United States elections, including through the unauthorized accessing of election and campaign infrastructure or the covert distribution of propaganda and disinformation, continues to pose an unusual and extraordinary threat to the national security and foreign policy of the United States.”[xxv] Absent from the notice, however, was any identification of Russia as a leading culprit in the disinformation arena.

Because the expansive proliferation of social media served to enable Russia’s modern disinformation strategy, social media platforms have made some effort to address the issue from the private sector. Twitter banned political ads in the run-up to the 2020 presidential election, while Facebook and Google created tools for users to check the source of political ads and content. Facebook has subjected some posts to scrutiny from third-party fact checkers, a policy that has roiled domestic political tensions in the United States. Across the social media industry, engineers have focused new attention on purging fraudulent accounts and bots from their platforms, with some degree of success.[xxvi] Debate continues about the degree to which social media platforms have an obligation to review and censor misleading content, and government regulators are thus far unwilling to subject the companies to strenuous oversight. Brookings fellow Niam Yaraghi notes that “there are two ways to consider a social media platform: on one hand, we can view them as technologies that merely enable individuals to publish and share content…on the other hand, one can argue that social media platforms have now evolved [into] curators of content.”[xxvii] Despite limited efforts to address their exploitation as delivery vehicles for Russian influence and disinformation activities, the major social media platforms remain vulnerable to continued exploitation.

Conclusions

Russian active measures exist as part of a hybrid warfare strategy put in place by President Putin as a tool to pursue foreign and domestic political aims. The United States under the past four administrations has lacked a comprehensive strategy of response. While the constitutional and democratic norms of the United States necessitate a different foreign policy playbook from Russia’s, it is nevertheless imperative for the U.S. to implement a structured, comprehensive strategy to deter and respond to brazen acts of aggression aimed at undermining U.S. national security and domestic governance. While Russia’s active measures are largely refinements of Cold War-era strategies and tactics, their surprising success in disrupting American life has no doubt caught the attention of other U.S. adversaries, most notably China, Iran and North Korea. The defense and intelligence establishments must continue to examine how peer and near-peer adversaries around the globe are developing their own active measures. The exponential growth of technological interdependence all but ensures that active measures, in a variety of forms, will remain a threat to American national security for the foreseeable future.
