Literature Review

Moore's Law states that computing power will increase exponentially as the number of transistors that can fit onto a silicon chip doubles every year or two. Since this observation was made in 1965 the pace has not broken, and more and more of the armed forces and intelligence services of nation states around the world seek to take advantage of technology improvements to gain an advantage over their rivals. Russia and the United States are of particular interest due to their different approaches in using cyber to pursue a grand strategy.

Following the Cyberattacks on Estonia in 2007, the use of Cyberattacks in the Russo-Georgian War, and the use of Cyberattacks in the Ukraine and Crimea, many experts have weighed in on how significant cyber is for Russian campaigns and how it is now an important part of Russia's Grand Strategy in its near abroad. Many authors note that while much buzz is made in the western media regarding Russia and its use of cyber, in reality the Russian perspective does not differentiate between “Cyberwarfare” and “Information Warfare”². Instead, similar to the Soviet era, cyber is included within the domain of “Information Warfare” and used in a similar fashion. While targeted attacks to infrastructure may be made, generally Russian forces seek to capture useful information on opponents and create a “Fog of War” through cyber deception. However, authors have also noted that as Russian expertise has increased, targeted destructive attacks could be undertaken³.

2Giles, Keir. “’Information Troops’ – a Russian Cyber Command?” Presented at the 3rd International Conference on Cyber Conflict, Tallinn, Estonia, 2011. http://conflictstudies.org.uk/files/Russian_Cyber_Command.pdf

3Weedon, Jen. “Beyond ‘Cyber War’” Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine.” In Cyber War in Perspective: Russian Aggression against Ukraine, ed. Kenneth Geers, 67-78. Tallinn:

NATO CCD COE Publication, 2015.

This “Information Warfare” can be seen both locally in Ukraine/Crimea and abroad, with election hacks and funding for both far-right and far-left parties throughout Europe, along with a government funded detachment of internet “trolls.” Further, at home, Russian texts frequently regard cyber as an existential threat where Russia is actually supremely vulnerable to outside forces. If Russian policy-makers do indeed view Russia as vulnerable in the realm of cyber, state actions often do not align with these expectations. It has been suggested that Russia's current aggressive policies, both on the ground and in cyberspace, reflect one of Stephen van Evera's explanations for why states go to war, defensive expansionism⁴.

This explanation for Russian geopolitical actions is further strengthened when viewing Europe as a contest between Russia and NATO/The United States. Russia has tailored its Cyber strategy to bypass the deterring tripwires of NATO. For example, by creating a Fog of War in Crimea and Eastern Ukraine, maintaining plausible or implausible deniability, and by controlling flows of information into and out of these areas, Russia was able to delay any western responses and establish boots and facts on the ground. With an established presence in Eastern Ukraine and Crimea, the cost of western escalation has risen greatly⁵. Therefore, it can be argued that Russia's cyber strategy, and Grand Strategy, is tailored specifically towards defeating NATO and western influences and protecting its near abroad.

4Medvedev, Sergei A. “Offense-Defense Theory Analysis of Russian Cyber Capability.” Master’s Thesis, Naval Postgraduate School, 2015. http://calhoun.nps.edu/bitstream/handle/10945/45225/15Mar_Medvedev_Sergei.pdf?

sequence=1

5Wirtz, James J. “Cyber War and Strategic Culture: The Russian Integration of Cyber Power into Grand Strategy.”

In Cyber War in Perspective: Russian Aggression against Ukraine, ed. Kenneth Geers, 29-38. Tallinn:

NATO CCD COE Publication, 2015.

https://ccdcoe.org/sites/default/files/multimedia/pdf/CyberWarinPerspective_Wirtz_03.pdf

The United States has frequently been described as a nation under severe cyber attack from media outlets, but in reality the United States maintains a clear advantage in the realm of cyber.

As many leaks and reports have shown, the United States has a wide variety of sophisticated offensive hacking tools that can both obtain information and engage in targeted attacks with little risk of reprisal. For the cyber hegemon, the greatest preoccupation is network security and maintaining its preeminent status. While Russia and China both acknowledge their own weaknesses and seek to tailor their strategies around this deficiency through offensive cyber development, the United States faces the opposite problem. One major issue with devising defensive strategies of deterrence is the problem of attribution inherent in cyber activities. If Russian hackers can operate out of Nigeria using techniques that are more associated with Chinese government operatives to target critical United States systems, how can network security operatives quickly find the culprits and recommend adequate responses. Legal norms have been suggested as a means of deterring future cyber attacks⁶, however this all requires adequate attribution. A more comprehensive deterrence structure would involve technical approaches such as dispersing networks, IP hopping, use of the Cloud, data fractioning, and others, while able to detect and immediately respond to attackers in asymetric ways. This would involve keeping active defense measures in place 24 hours a day. This multifaceted approach would deter through difficulty in the act of hacking, and the immediate response that could be expected from a network's defenders⁷.

6Lotrionte, Catherine. “A Better Defense: Examining the United States’ New Norms-Based Approach to Cyber Deterrence.” Georgetown Journal of International Affairs Special

Cyber Issue, 3rd ed. (January 2014): 71-84. http://journal.georgetown.edu/wp-content/uploads/2015/07/gjia13007_Lotrionte- CYBER-III.pdf

7Fahrenkrug, David T. “Countering the Offensive Advantage in Cyberspace: An Integrated

United States cyber power was most evident to the world with the Stuxnet attacks on Iranian nuclear facilities. However, in retrospect, there has been much debate on whether the attacks themselves were valuable and whether these kinetic attacks will be an important aspect of cyber activities in the future. Empirical studies on kinetic attacks flip the common script of weaker powers directly attacking the infrastructure of larger powers. Instead, the high costs and marginal benefits of these attacks reveal that while kinetic attacks are an option for wealthy powers, they often will not have the catastrophic results that many envision⁸. Rather, these targeted attacks, when taking Stuxnet as the prime example, may marginally slow or hamper a target. The development and operational costs for these targeted attacks will generally outweigh benefits except for top powers like the United States⁹. However, if the costs of offensive hacks were to decline and defensive measures were not improved, even the United States and its infrastructure would be at risk of sabotage from rival powers¹⁰; although it is noted that this power is still out of reach for most operators¹¹. A caveat with kinetic attacks to also be considered, is that with clandestine cyber attacks the physical results may not be of the utmost importance. Instead, the messages and changes in perceptions may be the end goal; messages and perceptions that may alter later diplomatic proceedings. This empirical analysis calls into

Defensive Strategy.” Presented at the 4th International Conference on Cyber Conflict, Tallinn, Estonia, 2013. https://ccdcoe.org/cycon/2012/proceedings/fahrenkrug.pdf

8 Slayton, Rebecca. “What is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment.”

International Security Vol. 41 Issue 3 (Winter 2016/17): 72-109.

9 Lindsay, Jon R. “Stuxnet and the Limits of Cyber Warfare.” Security Studies Vol. 22, Issue 3 (2013): 365-404.

10 Applegate, Scott D. “The Dawn of Kinetic Cyber.” Presented at the 5^th International Conference on Cyber Conflict, Tallin, Estonia, 2013. https://ccdcoe.org/cycon/2013/proceedings/d2r1s4_applegate.pdf

Baylon, Caroline, Roger Brunt, and David Livingstone. “Cyber Security at Civil Nuclear Facilities:

Understanding the Risk.” Chatham House. 2015.

11 Clayton, Blake and Adam Segal. “Addressing Cyber Threats to Oil and Gas Suppliers.” Council on Foreign Relations. 2013.

question future doctrine and strengthens the argument that the future of cyber will not be kinetic and offensive, but rather will focus on espionage and information conflicts while large powers strive to maintain a secure network through an advanced defensive posture.

Cyber and Information War itself has been a subject of debate by academics and industry leaders. Of particular mention has been the discussions of whether offense will overwhelm defensive measures or vice-versa in the future. Generally speaking, authors agree that it is currently all but impossible to stop cyber incursions from motivated attackers¹². While commonality is found with regards to the current power of offensive operators, the most interesting analysis is regarding how embattled states may craft policy to deter hackers.

Approaching hacks from a cost/benefit perspective, as suggested by Nye¹³, as opposed to purely from an absolute power dynamic would be an appropriate approach in researching what may lead to a more stable world. Many authors will analyze singular factors that may lead to deterrence, such as legislation, norms, active defense, and others; however, Nye and Slayton have offered cumulative studies that illustrate the subtlety of cyber operations. It is likely that in the coming years as this research becomes more advanced and political scientists more aware of technological advances, the literature will become more focused on the gray areas that make cyber and deterrence so difficult to reconcile when compared to nuclear and conventional weapons. In particular, a focus on the need for a combination of policies to provide adequate

12 Junio, Timothy J. “How Probable is Cyber War? Bringing IR Theory Back in to the Cyber Conflict Debate.” Journal of Strategic Studies, (2013).

Libicki, Martin C., Lillian Ablon, Timm Webb. “The Defender’s Dilemma: Charting a Course Toward Cybersecurity.” RAND Corporation. 2016.

13 Nye, Joseph S. “Deterrence and Dissuasion in Cyberspace.” International Security Vol. 41 Issue 3 (Winter 2016/17): 44-71.

deterrence as opposed to simply more offensive capabilities, active defenses, or international norms individually. Lastly, as mentioned by Nye, attempts at complete deterrence will likely change and researchers may engage with models from other disciplines, such as public health research on and hardening of local networks and, more importantly, proper training for staff in handling sensitive materials. Many hacks are as a result of human error, and are as simple as using an infected USB stick or clicking on a spam e-mail. This avenue would likely offer the most immediate results, given the rudimentary means that many hackers are using to infect even secure networks.

Cyberwarfare will continue to gain importance as each year passes, and every nation state

14 Rivera, Jason, and Forrest Hare. “The Deployment of Attribution Agnostic Cyberdefense Constructs and Internally Based Cyberthreat Countermeasures.” Presented at the 6^th International Conference on Cyber Conflict, Tallinn, Estonia

15 Geist, Edward. “Deterrence Stability in the Cyber Age.” Strategic Studies Quarterly, (Winter 2015): 44-62.

Hathaway, Oona A. “The Drawbacks and Dangers of Active Defense.” Presented at the 6^th International Conference on Cyber Conflict, Tallinn, Estonia, 2014.

16 Demchak, Chris C. and Peter J. Dombrowski. “Rise of a Cybered Westphalian Age”. Strategic Studies Quarterly, (Spring 2011): 31-62.

Buchan, Russell. “The International Legal Regulation of State-Sponsored Cyber Espionage.” In International Cyber Norms: Legal, policy & Industry Perspectives edited by Anna-Maria Osula and Henry Rõigas, 65-86.

Tallinn: NATO CCD COE Publication, 2016.

will devise their own cyber-strategy tailored towards their own goals. The Russian and United States cases show that different material and historical circumstances will affect policy in this regard, in addition to perceptions of power disparities. Of most interest, however, is how advancements in the United States may tip the balance from an offensive focused cyber paradigm to one that more explicitly favors defense and may one day lead to the development of a legal norms based and holistic approach to cyberincursions that may act as an adequate deterrent.