Irregular Warfare Podcast - The Digital Bear in Ukraine: Russian Cyber Operations Since 2014

Episode Date: April 20, 2023

Be sure to visit the Irregular Warfare Initiative's new website to see all of the new articles, podcast episodes, and other content the IWI team is producing! How much of a role have cyber warfare and digital information operations played since Russia's invasion of Ukraine? What about since 2014, when Russia seized Crimea and backed proxy forces in the eastern Donbas region? What lessons on cyber resilience emerge from an examination of Ukraine’s defense against Russian cyber actions? And what do Russia’s cyber operations against Ukraine tell us about the way it conceptualizes and organizes cyber activities? To explore these questions, this episode features a conversation with Gavin Wilde, a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace and former director for Russia, Baltic, and Caucasus affairs at the National Security Council, and Jason Kikta, who served for over twenty years in the United States Marine Corps, including seven years at United States Cyber Command designing and managing the national counter-APT and counter-ransomware missions. Intro music: "Unsilenced" by Ketsa Outro music: "Launch" by Ketsa CC BY-NC-ND 4.0

Transcript
Starting point is 00:00:00 It's pretty clear that they were planning for the majority of hostilities to be over within 72 hours or so, and really a two-week war. That's what they planned for, that's what they had pre-canned, and that's what they executed. And then they got to the end of that two weeks, and it was kind of like, oh, well, now what? We burned a lot of our access. We burned a lot of our opportunities and pre-staged things. Or they have been taken away from us in the meantime because things have been taken offline. Things have gone dark.
Starting point is 00:00:47 What I think Ukraine has shown is you prime your public to realize that this is now part of the human condition that we live in, in cyberspace. And these bad things, these disruptive things are likely to happen. And so what's everybody's role, particularly the commercial sector, since they hold most of the levers in getting us back to good when they do happen. Welcome to episode 77 of the Irregular Warfare podcast, which is also our second installment of the IWI Project on Cyber. My co-host today is Matt Mullering. Our guests examine the use of cyber warfare and digital information operations in Ukraine since 2014.
Starting point is 00:01:29 They begin by highlighting the differences between how cyber is conceptualized and organized in the United States and Russia. They go on to discuss how cyber was used in Ukraine from 2014 to 2022, and then specifically in regard to the February 2022 invasion. They continue by assessing Ukraine's ability to defend against Russian cyber actions and the lessons they can teach us on cyber resilience. Finally, they conclude with thoughts on implications for next year in Ukraine and broader lessons on cyber warfare. Gavin Wilde is a senior fellow in the Technology and International Affairs program at the Carnegie Endowment for International Peace, where he is an expert on Russia and information warfare. Prior to joining Carnegie, Wilde served on the National Security Council as Director for Russia, Baltic, and Caucasus Affairs. Wilde also served in senior analyst and leadership roles
Starting point is 00:02:06 at the National Security Agency and as a linguist for the FBI. Wilde is a non-resident fellow at Defense Priorities and an adjunct professor at the Alperovitch Institute for Cybersecurity Studies at the Johns Hopkins University School of Advanced International Studies. His paper, Cyber Operations in Ukraine, Russia's Unmet Expectations, forms the foundation of this episode. Jason Kikta is the Chief Information Security Officer at an information technology company. He previously served for over 20 years in the United States Marine Corps, including seven years at United States Cyber Command, designing and managing the National Counter-APT and Counter-Ransomware Missions.
Starting point is 00:02:46 Jason is also an adjunct lecturer at the Alperovitch Institute for Cybersecurity Studies at the Johns Hopkins University's School of Advanced International Studies. You are listening to a special series of the Irregular Warfare podcast, a joint production of the Empirical Studies of Conflict Project at Princeton and the Modern War Institute at West Point, dedicated to bridging the gap between scholars and practitioners to support the community of irregular warfare professionals. Here's our conversation with Gavin Wilde and Jason Kikta. Gavin Wilde, Jason Kikta, thank you so much for being with the Irregular Warfare podcast today.
Starting point is 00:03:19 We're thrilled to have you, and we're really excited to explore the cyber element within the Ukraine war. Long time listener, first time caller. Glad to be here. Yeah, I'm excited as well. I've really been looking forward to this for a while. Gavin, going to you first to kind of explore a little bit from your piece. And if you could start us off by really defining the difference between how the United States defines cyber warfare and how Russia defines it and start setting that foundational understanding for us before we talk about
Starting point is 00:03:50 specifics as to how Russia has utilized cyber. Yeah, I think the easiest way to kind of characterize the difference is that the U.S. conceptualizes cyber as a very network and data centric notion. It's the CIA triad, protecting the transmission and the integrity and the confidentiality of data and all that that entails. Whereas in the Russian conception, it starts and ends at the cognitive. It starts and ends with the kind of social aspect of, you know, content and perception management. And so in the Russian kind of theorizing about information warfare, the very technical or cyber operations are kind of nested beneath an umbrella of how it's going to impact popular thinking or leadership decision making, in addition to whatever kind of
Starting point is 00:04:47 kinetic or battlefield effects that the cyber operations might have. So think of it in terms of bits and bytes in the U.S. conception kind of being front and center, whereas in the Russian conception, it's very much hearts and minds. I'll agree with everything Gavin just said and contrast it with how we think of it in the U.S. a bit. In the United States, our conception of things like cyberspace operations, signals intelligence, information operations, all grew up around the authorities. So instead of thinking, what are the ends that I'm trying to achieve? What is my ultimate goal and how do I best achieve it? We grew it up around what am I allowed to do and how far can I stretch that before somebody else will hit me with the authorities and budget hammer of, no, that's my lane and you can't step into it. So you see that manifest itself in a lot of different ways, whereas the Russians will have these very holistically planned and well-integrated operations. On the U.S. side, it's very much like, we're going to do a cyber thing. Oh, but we should bolt on some I.O. So let's go grab some I.O.
Starting point is 00:05:57 people and, you know, they'll come up with our messaging and we'll just be the delivery boy on this. And, you know, we're just delivering the message. But IO came up with the message and it's very not just fused together, but it has a sort of rickety feeling to it where the pieces they fit, but they don't fit as well as they should. And they're definitely not blended together and integrated. And you see that manifest itself in myriad ways to the point where even if you look at U.S. military doctrine, and unless this has changed recently, it's still the case. We don't have a doctrinal term for a network operator, right? Hey, you're going to do an attack on this network and create this effect and you're going to, you know, disrupt it. And you've got to watch out for the mystery term, people who run that network,
Starting point is 00:06:42 right? Because we have DODIN operations, because we have the authority to operate the DoD information network, but we don't even have a term for anyone allied, partner, third party, adversary, enemy. We have no terminology for the people who just run basic day-to-day IT, let alone that they're cyberspace operators who would potentially perform offensive actions against us. It is the most bizarre thing I've ever seen in 20-plus years in the military. How could we be this way? This is a sickness that doesn't just exist in DoD. It's across the U.S. government, FBI, CIA, NSA, CISA. We all have these very segmented things based on traditional authorities and U.S. code, and no one seems to want to break that stalemate. And it's a very weird situation when you directly
Starting point is 00:07:32 contrast it with the Russians. So building off that, do you think that when you look at the Russian organization of their cyber forces, do you see this fluidity in the fact that, like, you know, obviously the GRU has their own cyber forces and then there's also some interaction with other players outside of the military? Do you think that just by the nature of the Russian military that they have a better structure, or is it more just their understanding of the domain is better? Why do you think that play is different than the United States structure? So while I will say that they have a more coherent operational concept, I think their structure is imperfect and their execution is absolutely awful to the point where, you know, you see things where, and it's not just the DNC back in 2016, over the years, Russian operators running into each other with no deconfliction on the same network, Russian operators stepping on each other's operations, working at cross-purposes, working ineffectively, inefficiently, because they do not cooperate with one another.
Starting point is 00:08:37 And it's really sort of astounding because you would think such a holistic operational concept and doctrinal approach would lend itself to that sort of integration and coordination. But it just doesn't because I think they have some underpinning cultural issues that prevent it. Yeah, I would footstomp that as well. I think the parochial and competitive characteristics kind of rear their head equally in Moscow as they do in the U.S. And I would add to that that I think the aspirations of the operational concept kind of put the goalposts so far down the field, particularly in terms of information operations, that it's almost impossible to define success as anything other than just throwing spaghetti against the wall or appearing to be active in some fashion. And I think a lot of that is modeled in response or in reaction to what they think they
Starting point is 00:09:31 saw the U.S. practicing in the 90s, because I think they looked at the Gulf War, they looked at the conflicts in the Balkans, and they saw the international media coverage, most of which was U.S.-based at the time. You know, this was kind of the birth and the advent of Internet ubiquity and of, you know, CNN and 24-hour news coverage. And it was relatively easy for them to kind of portray that or decide to perceive it, you know, cynically or sincerely as all being kind of centrally orchestrated and coordinated by the Pentagon
Starting point is 00:10:05 or the CIA, when in fact, you know, we know that that's not how everything works in reality, as much as even folks in DC might wish it would. And so they kind of modeled a lot of their operational concept, as Jason says, on a version of reality they think they saw in the wild, but that just simply does not exist. And so I think that also kind of scuttles their ability to kind of organize around that operational concept, irrespective of the fact that so much of that, the legacy of the military and the KGB from the Soviet era, a lot of those disparate pieces of that legacy got broken off into these constituent organizations like the GRU, the FSB, and the military itself in ways that almost pit themselves
Starting point is 00:10:52 against each other. So you have a lot of competition and lack of a common operating picture as we saw in 2016. In hindsight, it does not appear that the SVR and the GRU knew of each other's presence in this operation, but there they were together co-located. So I think, you know, we've seen that kind of lack of coordination, I don't think has improved over time. I mean, it's really a contrast in two bad systems, right? On the U.S. side, you have this failure of imagination and this lack of development of well-rounded operators and this bureaucratic competition, whereas on the Russian side, it's this, we're going to accomplish all the things that's just not achievable, and you have this operational competition that is really just extremely wasteful.
Starting point is 00:11:47 So neither one's great. Best solution we could probably achieve or someone could probably achieve is somewhere in the middle. But so far, you know, nobody's really found that middle at scale. Yeah, it's kind of interesting. I heard it described from a senior NSA fellow before that we're kind of the biplane era of cyber warfare. And I think
Starting point is 00:12:05 that you can see kind of where it's headed down the road. Like you can see like it's going to have a huge impact, but the tools and organizations haven't fully been built that. And with that, I think that kind of drives us to our next question, which is with all these organizations that we've discussed, how did we really see Russia utilize cyber in the initial annexations of Crimea and Donbass in 2014? And what lessons did they take from that? And then we saw again in the wider invasion of Ukraine in 2022. I mean, I would defer to Jason on kind of what hard cyber aspects there were in 2014. At least on the information operations side, you saw this massive attempt to kind of what I think is in Moscow's mind is to right the wrongs of the 2008 war in Georgia,
Starting point is 00:12:46 where they felt like they had kind of failed to prevent Tbilisi from communicating effectively with its own people and had failed to shape the narrative in the information space internationally around, you know, to make it more sympathetic to Russia's plight as they saw it in 2008. And so they kind of really regrouped. And by 2014, I think you saw they certainly had a far deeper well to draw from in terms of online information operations, ability to kind of swarm in the comment sections of social media platforms, as well as a much more robust international propaganda arm with RT and Sputnik. So at a minimum, if they couldn't convince the international audience that Russia wasn't really, these were Ukrainian separatists, so to speak, or that Russia
Starting point is 00:13:39 really didn't have a Buk missile system in eastern Ukraine that was responsible for taking down a civilian airliner in MH17, at the very least, they could confuse the information space enough that all of these competing narratives just kind of created chaff and made it more difficult for any kind of countervailing narrative about, yes, these are Russian forces. Yes, this is an annexation. Yes, Russian military officials are running the show in eastern Ukraine and Crimea. So on the information operations side, I think it was kind of a wake-up call for the West as to how much they had learned and galvanized their own, not just digital, but diplomatic and propaganda arms since 2008. So, completely agree with what Gavin said, and I think that's where the real ballgame was for the Russians when you look back at the 2014 era, that they did not have cyber effects in any kind of
Starting point is 00:14:41 outside observable scale to really support that invasion of Crimea. They've focused their efforts more on the espionage side to understand probably Ukrainian political reaction, Western political reaction. And that's where the majority of their effort was. And I think that wasn't a failure on that part. They probably wouldn't see it as a failure. That was where their head was and that's what they wanted to achieve. And so they went out and they did that. And I think that's an important thing to keep in mind when we look at the present conflict in Ukraine is that they don't have the same concept of integrated war fighting. You know, they're not a maneuver warfare military in the sense that
Starting point is 00:15:26 the United States military is with the tight combined arms effects that we would seek to achieve with our cyber operations and our kinetic operations. They don't see the world that way. And it doesn't appear that they've focused on building that, building the C2 necessary to accomplish that, building the joint planning. It's just not there. And I don't know that they intend to build it because I don't know that they see the value in it that we would here in the West. I'd just jump in before we dig in deeper into these concepts. It's easy to see what did Russia do? What are they currently doing? What is their posture? And what
Starting point is 00:16:05 is their doctrine? But I'd like to shine the light on Ukraine a little bit. They've been the ones dealing with Russian cyber operations for years. And for the past year, specifically with the increase in the war, could you just take us through real quick what the Ukrainians have done in terms of cyber defense? And have they been able to operationalize offensive cyber capabilities? I think on the Ukrainian side, it's a lesson in the art of what can we do, and not as focused on what is possible, and let's go and try and build that. So the Ukrainians suffered in the intervening years between the invasion of Crimea and the current war with the back-to-back almost attacks on their power plants starting in 15. Then you had, you know, NotPetya and a whole host of wiper and
Starting point is 00:16:59 fake ransomware that was really wiper attacks against their government, their critical infrastructure, and their businesses. And it's interesting because what the Russians in effect did is they conditioned the Ukrainians to what they could expect and what the Russians were doing. So I think that, as Gavin covered in his paper, because the Russians don't make as much of a distinction between peacetime and wartime in their cyberspace operations, including their effects operations. The ramp up isn't as dramatic. And we saw a lot of those things that would be break glass in case of war for any other country occurring during this period of low level conflict on the outer borders of Ukraine.
Starting point is 00:17:46 And because of that, they're incredibly resilient and they're not as reliant on their technology as we are in the West. You know, when those, I believe it was eight power plants were hit in 2015, there was an eight-hour outage. Why was it only eight hours? Well, it wasn't because the computers were all fixed. It was because they switched over to manual control and they had a lot of old, you know, former Soviet-style manual control systems because computers weren't as reliable in the Soviet era, let alone in the post-Soviet era. And so they didn't have to rely on those things. They could just put people out there with radios and tell them what switches to flip. And, you know, when a network gets wiped for the first time, it's the end of the world, right? You feel that in your bones. Oh my God, I lost all my data. We can't access anything. This is a catastrophe. How will we ever recover? When it happens the fifth time
Starting point is 00:18:40 or the 10th time or the 20th time, it's one of those like, oh, they did it again. You know, let's pop the DVDs out of our desk drawers. Let's do the restore. Let's pull from the backups. Right. And you've had this ever escalating set of Western help, not just from the U.S. government and other Western governments, but from the private sector going in there and providing some help gratis, providing some help under contracts. And it's a savvy move on those Western companies part because not only do they get to do the good work of helping the Ukrainians deal with this, but they're also getting to see things for their cybersecurity products and for their IT products. They have to endure these events that they wouldn't get to see in real life
Starting point is 00:19:25 anywhere else. And so it's become this sort of opportunity to build and shape and determine what a truly resilient network looks like. And as a result of that, the Ukrainians are probably the most resilient to this sort of, you know, low-level Russian wiper activity that we've ever seen. I would footstomp that. A group of us from Carnegie were in Kiev a couple of weeks ago and had the opportunity to talk to a lot of senior government officials, and one of them kind of recounted the threat to the rail networks, which is, you know, critical to keeping life functioning in Ukraine, but also logistics going to the front. And he said, you know, one of the interesting things that we learned was that,
Starting point is 00:20:06 okay, one of the ways in which we can be resilient as far as the rail networks, the rail switching networks that are now, of course, digitized, is to go back and check and make sure that we can do fallback on some of the analog switching networks that were built, not by the Ukrainians, mind you. These networks were built by the occupying Nazi forces in 1943 and look like, you know, old school telephone exchange networks where you plug a cord in, you know, one slot and in another slot to make the rail switch. And he said, we made sure those were still functioning. The Nazis built some quality systems in 1943, and now they're using things like that to kind of build resilience. And I think it's almost helped the U.S. in its
Starting point is 00:20:58 quest to switch the paradigm from being so threat-minded about these intrusions or these disruptions to the resilience piece, you know, the hand wringing that happens about, well, what if my energy grid goes down or what if a pipeline goes down? And the Zelensky administration's answer to that is, well, you go turn it back on. It might take time and it might be a pain, but you get past it. And the more times you learn how to get past it, the more kind of familiarity and trust and the less kind of catastrophizing you have to do about it. you know, clearly at much greater cost, but it's an evolution. I think we're just starting to get in the United States with folks like former national cyber director, Chris Inglis, kind of trying to get us to think in terms of that resilience and shift the focal point from the threat or the kind of disruption, because the disruptions it's going to happen. You can't
Starting point is 00:22:02 prevent that disruption, but what you can do is start to metricize, you know, how many person hours, how many resources, how many days does it take to get back to where you were before that? Perfect that process. And the Ukrainians have just proven very adept at it. The other interesting facet that we found out that I think is interesting to point out is that in the 1990s and well into the aughts, both Russia and Ukraine and a lot of the former Soviet space was inundated with counterfeit software. And so you had individuals, small businesses, big businesses, even government
Starting point is 00:22:38 agencies, even using pirated versions of ubiquitous software, either through deliberate kind of piracy or, you know, inadvertently. And the legacy of that is that you had so much vulnerability built into their systems. And what I think happened certainly since 2014, but especially since 2022, is now you've got Ukraine able to kind of reset that chessboard and start from licensed, updatable, current operating systems and software and hardware that's going to just be much more resilient and less susceptible to those kinds of toeholds that the Russian security services and intelligence services have had for decades now. And I think that's kind of an underexplored facet of the Ukrainian experience, especially. So you have this kind of public messaging pushed by the government that like, look,
Starting point is 00:23:35 it may be more expensive, but it's certainly more secure. Stop using the torrented download of Microsoft Office and get a license, because in that way, you're doing your part, a public service to make Ukraine more resilient. So how have private sector actors played key roles in the cyber domain in Ukraine? And we're thinking of Microsoft, who aggressively patched critical vulnerabilities and then shared those patches with Ukraine and other countries at the beginning of the war in 2022, or with Starlink providing a private backbone to Ukrainian cyber infrastructure. How do private actors shape the space and how should they be accounted for militarily? So I think that one of the things that makes cyberspace as a domain so very interesting is that
Starting point is 00:24:22 there's not just a high degree of civilian and private sector participation. It's the entirety of the domain is built and maintained by the private sector and has overwhelming civilian participation. It just permeates every pore of it. And granted, you have, you know, civilians everywhere in the real world, but it's just really incredible that if you stop to think about it, that foreign intelligence agencies on a daily, weekly, monthly basis have major campaigns disrupted, not by the United States government or the British government or the French government or the German government, but have them disrupted by Microsoft or Mandiant or Google or CrowdStrike or pick your company out there. Sometimes individual threat researchers saying, hey, this is a really interesting domain. I wonder why this is in here. Let me register it and see what it does.
Starting point is 00:25:21 And then all of a sudden, WannaCry comes to a screeching halt. So you don't have anything like that in traditional military operations. There is no analog to that. It is wholly unique to cyberspace. And so I think with that framing, the fact that Western companies are getting over there and providing that support to Ukraine and giving them critical tools to fight back. And it's broader than just, you know, yes, you have the Microsoft, you have the Mandiant, but you have Cloudflare, you have Palo Alto, you have these companies that most Americans don't even understand are cybersecurity companies over there providing critical security and reliability services to that government. And their ability to shape what the Russians are able to achieve is really unique. And in many ways, they have better telemetry about what is occurring in Ukraine than most Western governments do.
Starting point is 00:26:24 And I think that's something that we need to examine. And I think that's something where we need to start asking really hard questions about the future of operations in cyberspace and what the appropriate role for the government is and how the government should be harnessing that, how the government should be encouraging that, and what, in turn, the government should shape its own participation in. And I'll give you a great example. Colonial Pipeline. So the actor gets in there, ransoms the business network, right, does not touch the OT network, the operational technology network that actually runs the pipeline. But, you know, whomever in the control tower sees the one computer lock
Starting point is 00:27:02 is afraid it's going to spread to the OT network, hits a big red button, pipeline shuts down. Great. We didn't have a coherent U.S. government response on that, right? And I'll fight anybody in real life who says otherwise, because I know for a fact we didn't. So we failed our first big test. We failed our Zelensky test of just get things back up and going and keep everybody calm, right? What did we have? We had gas outages for days because everyone said, oh my God, there's going to be a gas outage. The pipeline is down. They all went and filled up their tanks. And the government instead of focusing on that, you know, is running around trying to do a lot of cyber-y things. And by the way, it wasn't the government
Starting point is 00:27:38 who went in and cleaned up that network and helped that pipeline get online, right? It was a private incident response firm hired by the company to go on there and fix that. So we're in this, you know, multi-billion dollar cyber industrial complex. Do we fit in appropriately to those sort of scenarios? That's not far-fetched. That's something that happened. Things like that will happen again. And we're not really doing that level of thought about how to become more resilient like Ukraine. Ironically, you know, Jason mentions panic. Doctrinally and strategically, again, returning to Russia's concept of this, it's all designed to foster panic, to foster a sense of distrust between the state and the governed, to foster this sense that who knows what's going on and how long things are going to be going down. problem when instead your strategic communications and your ability to keep contagion and panic in a box and reassure your public in a way that they believe you, again, that takes practice. You have to kind of reinforce that feedback loop over time. And instead, I think we kind of
Starting point is 00:28:59 reflexively reach for the, okay, now how do I go and pose cost for that or prevent it and make sure it doesn't happen again? The latter two, you're setting yourself up for failure as a government if you think you can do those things well. What I think Ukraine has shown is you prime your public to realize that this is now part of the human condition that we live in, in cyberspace. And these bad things, these disruptive things are likely to happen. And so what's everybody's role, particularly the commercial sector, since they hold most of the levers in getting us back to good when they do happen? Gavin, I think that's a great segue back into looking at Russian operations and looking at the war in Ukraine. So back in February of last year, many outside observers expected massive and potentially decisive Russian cyber operations in conjunction with that initial military push.
Starting point is 00:30:00 So why then did the Russian cyber effort seem so underwhelming? You know, was it due to Ukrainian preparedness defensively when they saw tanks massing on their border, they were able to look into and secure their networks? Or was it because the attacks that did happen took down critical infrastructure that the Russians actually needed themselves? I think it's a constellation of factors. Organizational on the Russian side, I don't think they did a good job of kind of exercising towards being able to incorporate offensive cyber operations with kinetic strikes to achieve a discrete, concrete military objective. To the extent that that's possible for anyone, I think I would put the asterisk there. But certainly Russia has not perfected that by any stretch. I think certainly there was some
Starting point is 00:30:52 aspect of poor preparedness and some idea that, you know, we don't want to break what we're planning to buy, essentially, in this operation. But I also think from the Western perspective, like our expectations were outsized themselves largely through our own doing in our own kind hard to kind of take and amass a bunch of disruption and make that turn into take that hill, prevent the adversary from taking that hill. it's a cumulative effect of cyber operations over time. There again, whether it's offensive cyber operations or information operations, what's the political objective that it's achieved? Because since 2014, if the political objective of Moscow's was to prevent Ukraine's westward tilt and prevent the swarm of Western military and political support for Kyiv, the question then becomes, well, how did that turn out for you? So at a both political level and at a very discrete military objective level, either way you slice it, no matter how much disruption you can accumulate
Starting point is 00:32:18 in cyberspace, Russia just, in my view, it just doesn't amount to enough to achieve anything that could approximate victory in any sense. I think there are additional factors as well that, you know, when you look at their cyber operations immediately preceding the war and then after the Russian army had started to actually move across the border and moved into Ukraine, it's pretty clear that they were planning for the majority of hostilities to be over within 72 hours or so and really a two-week war. That's what they planned for. That's what they had pre-canned and that's what they executed. And then they got to the end of that two weeks and it was kind of like, oh, well, now what? We burned a lot of our access. We burned a lot of our opportunities and pre-staged things, or they have been taken away from us in the meantime because things have been taken offline, things have gone dark, and now it's no longer a viable option. So now they're in this
Starting point is 00:33:16 reconstitution of access phase that can be rather lengthy. And then I think, again, this is where, you know, the Russian doctrine doesn't meet their implementation of it, where they look at these things, they look at the psychological factors very holistically, but none of them seem to have really thought through, hey, if I disrupt a lot of daily life services and a lot of government services, I might induce panic in the population and distrust in their government. But if I do it, at the same time, my army is invading their country and shooting a lot of their fellow citizens, that might provoke a very different reaction, right? It goes from one of fear and panic to one of, well, no, screw you. I'm going to pick up a rifle and I'm going to
Starting point is 00:34:05 go start killing Russians, right? There is no normal daily life at that point. It's not really the right tool at that point. It's not really the right approach that they should have had because they probably galvanized a bit more of the public than they realized, and certainly a far higher percentage than they scared off. To be extremely Russia nerdy about it, like this assumption goes back a long way to like Marxist-Leninist thought that socio-political processes behave like the physical sciences, where it's explainable, and it's controllable, and it's alterable. And it's a struggle between you and an adversary state to kind of master how that's controllable. But that removes so much human agency and it removes so much complexity in the human spirit, so to speak. I mean,
Starting point is 00:34:59 even looking at something as silly as the NAFO phenomenon that took place, how would you have possibly charted that out or predicted that? It doesn't make any sense. It's uncoordinated. It's spontaneous. It's cultural on a number of fronts in ways that any information operator from Moscow or D.C. or anywhere else couldn't have on their best days conceived of it. And the reason it's so effective is because you can't. It's because it's organic. And I think
Starting point is 00:35:33 that's kind of the risk we run in examining Russia's concept of information warfare and finding it, yes, logically more coherent than ours, but also, yes, it's far less realistic than we factor for as well. That's a really amazing answer. And I think it really ties into one of the narratives of the war that one of the things the Russians really didn't account for was just the will of the Ukrainian people. And I think when you're thinking about cyber operations, it seems that like it's really difficult if the target is both expecting to be attacked and willing to stand up and
Starting point is 00:36:08 resist these sort of cyber attacks as the Ukrainian people did. And because of that, I kind of want to take that thought and tie it to is, do we now see coordination between Russian offensive cyber operations and troop movements, or is it continuing to have this separation of the information warfare lines of effort and the military lines of effort as two separate wars? I think they've remained two separate things. And I think if I had to guess, I think that the Russian cyber forces have been working on slowly extracting as much capacity out of the war effort as they possibly can and putting it back into their traditional strengths of what is the espionage that we can go conduct in Ukraine,
Starting point is 00:36:52 but especially in the foreign space outside the near abroad and Western governments and governments that are potentially friendly to Ukraine or friendly to the Russian government to give us that diplomatic edge that we're going to need to sustain this fight long term, that that's where they really see their best chance of success. I think a lot of them probably see the war as a loser. If I was them, I would not want to sign up to support this fight in any way, shape, or form, and then be held accountable for the outcome of any of these operations, because most of them are pretty awful. And most of them are just these very static meat grinders and how they would be able to potentially use a cyberspace
Starting point is 00:37:32 operation to help out in the Western Front is pretty unclear. And so their best bet is probably to steer as far away from it as possible and let the Russian army take it on the nose. I think you're also seeing, you know, people ask, are they evolving? Are they learning lessons? And, you know, the kinds of wipers and malware that it seems like they've been leaning on the last several months just look like, you know, repackaged versions of familiar exploits. So I don't get the sense that there's a deep well of capability that they've just held in reserve. If anything, as Jason says, at this point, you know, if I'm putting on my hat from the old days, like you're not going to waste your crown jewels at this point, if you're looking at what's happening on the battlefield. And I
Starting point is 00:38:18 think like Jason says, I think they're going to go back to what they classically are good at, which is trying to be disruptive with hack and leak operations and trying to be good spies that are collecting unique insight, not to diminish those threats. Those threats exist and the Russians are very good at it. But again, in terms of the war and the course of the conflict itself, I just don't know that there's a, like Jason says, a position on the field at this point where they can really carry the ball forward. When we continue on, you know, reframing, putting Ukraine back in the driver's seat a little bit, when we talk about information
Starting point is 00:38:56 operation efforts from the Russians or espionage operations, has Ukraine been able to learn from that? I mean, their narrative control over the last year has been pretty disciplined and consistent. Have they been able to utilize the cyber domain to enhance messaging, to shore partnerships with the West, or to affect elements of the battlefield? I'm admittedly a little bit of a skeptic on kind of information warfare in that way. I think oftentimes we've talked ourselves into, as like in the U.S., our strategic culture, we've kind of talked ourselves into viewing just being really good strategic communicators as we put it in the framing of warfare. So I tend to think that we look at, again, popular will in Ukraine, the kind of cultural zeitgeist that support for Ukraine has captured in the West, the kind of clear messaging out of an effective messaging out of Kyiv towards their own folks and towards the West. Certainly their advocacy for their own interests on the international stage.
Starting point is 00:40:05 I think they're very good at all of those things. And I think we perhaps have a tendency to conflate that with, you know, a concerted or strategic kind of plan or coordinated information or influence op. All of that said, I think the answer to your question is also yes. They have what seems like a pretty good ability to maintain narrative consistency. The degree to which they lean on kind of official or unofficial kind of cyber operators or social media operatives to do so, I'm not sure. Yeah, I think even when you look at more of the pure cyberspace operations side with things like the Ukrainian IT army, I think it was really fantastic at capturing people's attention as, you know, let's build an ad hoc,
Starting point is 00:40:51 Foreign Legion-esque threat actor and just go start knocking over stuff in Russia and let them feel some of the effects of this war at home. Sounded amazing, right? We were all very excited about it, but I think the real effects of it are virtually nothing. And it goes back to the comment that you made near the beginning of the podcast that NSA senior who made the comment about us being in the biplane era. You know, I used to believe that cyberspace operations were a little closer to the interwar period where, you know, we had started to build real fixed wing aircraft with a higher degree of reliability.
Starting point is 00:41:27 They had more of a payload. We'd started to understand, like, the need for aircraft carriers and started to build some of those initially. And that, you know, we're just waiting to cross that threshold where we could kind of leverage it and utilize its scale and build the force the way it ought to be and really bring aviation into its own. But for cyberspace, I think it said we really are closer to the biplane era. And right now it's a whole lot of, you know, well, what do you need us to do? Well, what can you do? Right. And it's, hey, I need reconnaissance. So fly your biplane over, you know, the enemy positions and try and sketch it down in your cockpit and fly that map back to me. You know, fly over the enemy trench line and drop grenades over the side of your biplane and maybe you'll hit something useful. And espionage, it has proven its value many times over. side, we've tried to, and by we, I mean globally, like the world has tried to model a lot of operations in cyberspace, a lot of effects in cyberspace around real world kinetic effects.
Starting point is 00:42:33 And so we tend to think very much as, you know, it's that tomahawk replacement of like, I won't have to hit that site with a tomahawk because I can come in with a cyber operation, just kill the power or, you know, wipe their software or change the settings, manipulate it so that, you know, instead of them dropping shells on that position, they drop the shells on their own position. Big success, but it just hasn't really proven out to be all that effective in practice. And I think that there needs to be some more deep thinking on not just how do we defeat or deter or disrupt these cyberspace operations that may come for us, these effects that may come for us, but what are meaningful effects that we can present to the force that we can make part of a joint fight that are really going to, you know, endure past the first one or two whiz-bang ones right before, right at the opening of hostilities. I don't think we're there yet. So I'll take us into kind of our conclusion, and we'll start really broadly with just what are
Starting point is 00:43:36 some broad implications for policymakers, practitioners, and academics. I've kind of been fascinated. We touched on a little bit the kind of role of the commercial sector. This conflict in particular, I think, has kind of shown a light on how throughout history, much as commercial actors had hoped to remain kind of neutral or they hoped that their wares and goods and services would somehow not be co-opted by states if push came to shove. I think it's again highlighted how much everything can be kind of geopoliticized and the degree to which commercial actors like neutrality is a pipe dream if you're a multinational, like at some point you're going to have to make tough decisions about who you're selling to, about who you're taking money from, et cetera. And so I think that's been a fascinating dynamic, which, you know, in this cyber domain also creates a lot of conundrums that I think we're going to have to wrestle with. The degree of dependency that purported democracies want to have on private
Starting point is 00:44:37 actors to pursue their geopolitical, if not military goals. That's a thing we've been worried about China doing pretty restlessly in D.C. over the last several years. But it's something I think we're starting to now have to grapple with as we think about we, DOD, or the U.S. national security bureaucracy needs Starlink to do a thing. They need Microsoft to do a thing. Reportedly, now we're going to lean back on, you know, Amazon AWS to do a thing or Google to do a thing. And all of that might be great, but how we countenance those dependencies and how much we kind of lean into them as democracies and then how we countenance that with the approach of our adversaries, you know, quote-unquote autocracies, I think is a very
Starting point is 00:45:25 academic question and a very interesting question from a lot of perspectives, you know, how do we pay for it, but also how it aligns with our values. And so that's kind of something I'm curious as to how it's going to play out as a result of the war, so that public-private interaction and dependency? I think the implication for policymakers, academics, and practitioners are multifold. And along one line is Ukraine knew the war was coming, and they still weren't able to stop or deter most of these offensive actions against them and their infrastructure. And not just the Ukrainians themselves and their government, but private sector entities where you had spillover like VSAT. How do they not see that coming? How are they not more focused on that and more ready for that? You know, what did they really do in advance? Probably not a whole lot, I would guess. You know, there seemed to be a whole
Starting point is 00:46:21 lot of pickup game going on and a lot of shock and awe and, oh, my God, we have to suddenly check all the things. But they knew it was coming. They had been warned that it was coming. It was pretty clear as each day went by that it was coming. And yet more of those attacks weren't stopped before they started. But then they also have to deal with the fact that, you know, these effects operations occurred, but they didn't really have much of the outcome. So there's implications there of we're probably not doing meaningful things in cyberspace when we talk about the effects that we want to create today. They're probably not going to be
Starting point is 00:46:57 sufficient. And yes, what the U.S. has on the shelf is going to be very different than what the Russians have on the shelf for Ukraine. But there needs to be that sort of fundamental re-examination of, are we even leveraging the tools we have in the proper way to achieve these warfighting goals or these policy outcomes that we desire? I think we also have to look at the fact that while we have made targeted attacks far more challenging, you know, what any state actor has to do for a targeted espionage campaign today, or effects, but any sort of targeted campaign today versus what they had to do five or 10 years ago, night and day difference, right? Far more sophistication,
Starting point is 00:47:38 much longer time to achieve their end goal, a lot more multi-stage sets of tooling, multi-stage infrastructure. It's just far more advanced to be able to do that because we've had a lot of revolution in tooling and built-in, baked-in protections into products. But on the other hand, what did the Russians start doing, or what was the majority of Russian effort in Ukraine and is up until today? Untargeted, opportunistic wiper attacks posing as ransomware. And what is the biggest problem in the FBI report that just came out? What is the biggest cost coming out of the U.S. economy? It's ransomware, right? Ransomware finally beat out business email compromise as the biggest cost to the economy.
Starting point is 00:48:22 And I think that's because while we have made certain types of activity expensive, the ability of any modern organization to build and run a secure network is still extremely disadvantaged compared to all the ways there are in the world to exploit the thing. And so until we start to examine some of those, I would almost say like fundamentals of cyberspace and understand how they apply, I think you can polish the brass and twist the knobs on your fantastical multi-billion dollar cyber machine all you want, but it's not going to get you the effect you desire because you don't have the right underlying assumptions, right? It's on a very rickety structure, and it's going to produce a lot of unexpected outcomes and insufficient outcomes. For the next year in Ukraine,
Starting point is 00:49:11 what things are you guys participating, like expecting or looking for as far as like indicating a change in either Russian or Ukrainian cyber operations? Or do you expect a lot more of the same? And if it is more of the same, what are those specific operations you're expecting to see? One of the things I'm kind of looking at is, or I think will be interesting to watch, is to the extent that Russia has been cut off from Western tech, and there's varying reports on how effective our attempt to isolate Russia technologically have been, but to the extent that
Starting point is 00:49:41 there's been an impact or the extent that, you know, major software suppliers are no longer running updates in Russia or to the extent it's more difficult for Russia to get its hands on advanced tech. even assuming some portion of that grouping has no intention of returning, I think the combination of that exodus and that tech isolation may kind of conspire to alongside Russia's kind of waning capacity to do much in Ukraine through cyber means. It may very well signal that Russia's best cyber days might be behind it, certainly as it becomes more dependent, as Russia writ large becomes more dependent on Chinese tech and becomes much more of kind of a little brother, so to speak, in a lot of ways, economically and otherwise, to China. The scenario very well may be 10, 15, 20 years down the line, that Russia threw all of its cyber cards on the table in Ukraine. And that kind of was the heyday or the kind of salad days of Russia as a formidable, you know,
Starting point is 00:50:52 offensive cyber adversary. That's probably wish casting on my part, but I like to entertain the scenario in any case. Let me first say what I expect over the next year is probably much of the same. I expect a lot of opportunistic attacks from both the Russian side and the Ukrainian side against each other's networks where it's what can I get into? Is it even worth doing? And then if it is like, you know, here is yet another variation of the same wipers, the same ransomware stuff, the same DDoS, very low level, just consistent pressure stuff, but nothing really exciting. I think they probably both have a big one left in them. I would not be surprised if during the course of the next year you see at least one sensational effects operation out of the Russians or out of the Ukrainians. Probably neither one tied to frontline fighting,
Starting point is 00:51:51 but I expect each of them probably can get lucky at some point during the next year and do something that'll hit the news and capture people's imagination, but in the end not have a real effect on the fighting beyond maybe a day or two's worth of interest. But I don't think it'll even shift the balance of the fighting or the balance of forces in the fight. But what I would watch for and where it would probably signal a change is if we start seeing a lot more tactical operations against Ukrainian forces on the front lines, where you get down into a little bit more of the electronic warfare, a little more adjacent to the electronic warfare side of things, where it is going after digital targeting systems, it's going after drones, it's going after ISR logistics
Starting point is 00:52:42 functions. If we start to see that more than just a one-off, then that might signal that they finally got their head in their game and they figured out how they can make a meaningful contribution to the fight. But I won't hold my breath. So both of us making predictions for which neither of us are holding our breath. Any Russia watcher will tell you the next day will always bring something you couldn't have expected. And, you know, I had a lot of mentors that worked in the intelligence community, you know, when the Soviet Union fell and kind of hearing in hindsight the shock of they thought the world was going one way. And the next morning they woke up and it was going a different way. And I think Russia has a pesky habit of pulling that on the world in a lot of ways. Gavin Wilde, Jason Kikta, thank you
Starting point is 00:53:31 so much for being with the Irregular Warfare podcast today. I know Matt and I learned a lot and I think this will be very beneficial to our audience for learning about cyber operations broadly and specifically within the war in Ukraine. An honor and a pleasure. Thanks for having me. Thank you. It's been a lot of fun being here and talking with you all today. Thank you again for joining us for episode 77 of the Irregular Warfare podcast and our second installment of our series on cyber. We release a new episode every two weeks. In the next episode, Ben and Kyle talk with Lieutenant General Jonathan Braga and Dr. P.W. Singer about the future of Army special operations. Following that, Adam and
Starting point is 00:54:11 Julia delve into the gray zone with Australian Senator David Van and Clementine Starling. Be sure to subscribe to the Irregular Warfare podcast so you don't miss an episode. The podcast is a product of the Irregular Warfare Initiative. We are a team of all volunteer practitioners and researchers dedicated to bridging the gap between scholars and practitioners to support the community of irregular warfare professionals. You can follow and engage with us on Facebook, Twitter, Instagram, YouTube, or LinkedIn. You can also subscribe to our monthly e-newsletter for access to our content and upcoming community events. The newsletter signup is found
Starting point is 00:54:45 at irregularwarfare.org. If you enjoyed today's episode, please leave a comment and positive rating on Apple Podcasts or wherever you listen to the Irregular Warfare podcast. It really helps expose the show to new listeners. And one last note, all that you hear in this episode are the views of the participants and do not represent those at Princeton, West Point, or any agency of the U.S. government. Thanks again, and we'll see you next time.