October 28, 2022 | CEEW Monograph

Possible Futures for Russia’s CEEW Playbook

Introduction

Over the past four years, Russia has used cyber operations to engage in espionage, disinformation campaigns, and supply chain disruptions. While the tools and tactics of each operation vary, their overarching goal is to weaken the United States through a digital assault on its diplomatic, intelligence, military, and economic wherewithal. The Kremlin has embraced an asymmetric strategy because it lacks the economic and conventional military might to compete directly with the United States.1 Indeed, Russia uses non-kinetic, covert, or deniable means such as CEEW.

Russian cyber operations have historically focused on military and political targets. But over the past decade, these operations have increasingly targeted economic assets such as critical infrastructure and software products.2 As Boris Zilberman explained in his 2018 FDD study on Russian CEEW, Moscow initially focused on infiltrating technology supply chains.3 These “beachheads” enabled Russian incursions into targets ranging from private-sector assets to public-sector data repositories. Now, Moscow’s focus has broadened further, aiming to “gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” according to a Microsoft report.4

American policymakers have long been aware of Chinese cyber-espionage operations within the U.S. economic sphere and have, of late, recognized China’s CEEW activity. However, U.S. officials have often underemphasized the economic impacts and indirect strategic effects of Moscow’s cyber operations, focusing more on the threat of Russian cyber-espionage and disinformation operations. It is now clear that Russia has the intention and capability to undermine key parts of the American economy.5

This chapter begins by examining two critical facets of Russian cyber strategy. First, the Kremlin has vigorously used cyber means to consolidate President Vladimir Putin’s political and economic control in Russia. However, the System of Operative Search Measures (SORM), Moscow’s surveillance dragnet, is not only a tool for domestic control but also a likely enabler of CEEW operations abroad.

Second, Russia is increasingly proficient in preventing Washington from definitively attributing hostile cyber actions to the Russian government. This is consistent with Russia’s long tradition of muddying the information space, including through cyber-enabled influence operations against economic targets to advance Russia’s strategic interests. Moscow obscures attribution by cooperating with cybercriminals. It has created a permissive environment for them in Russia that has helped fuel a cybercrime epidemic abroad, including Russian ransomware attacks against U.S. critical infrastructure. In addition, Russia’s intelligence services seem to understand, perhaps better than American lawmakers, the constraints on the U.S. intelligence community when a foreign adversary shifts — physically or virtually — from operating outside of America’s borders to operating from within.

After exploring these components of Russian strategy, this chapter presents two case studies showing how these techniques and tactics are operationalized. The chapter concludes with policy recommendations to help the U.S. and allied governments combat the Russian CEEW threat.

Russian CEEW Through the Lens of SORM

A systematic analysis of SORM sheds light on Moscow’s current and future cyber tactics. SORM enables Russia’s security services to monitor network traffic in Russia, including communications with the West — thereby helping to identify access vectors into the networks of Western companies. Moscow could use this access to obtain intelligence to provide Russian firms with advantages over their Western competitors.

An outgrowth of the KGB’s telephonic monitoring system, SORM allows Russia’s Federal Security Service (FSB) nearly unfettered access to all phone and internet-based communications that travel in or through Russia.6 Russia’s other security services can request access to SORM as well. The system sits on top of existing internet infrastructure and integrates with other platforms so that a wide range of assets can be monitored.7 Moscow requires telecommunications companies, internet service providers, and social media companies to install SORM equipment.8 Since 2013, Moscow has also required Russian telecommunications providers and foreign technology companies to retain their data inside Russia.9 Applications must be “SORM-compatible” to operate in Russia,10 and the Russian government has issued large fines for non-compliance.11

In a 2018 publication for Lawrence Livermore National Laboratory, researcher J.A. Kerr predicted that SORM-related surveillance technologies and accompanying legal frameworks will continue to proliferate “across the former Soviet region, as these states share legal and institutional legacies, participate in common regional organizations, and also often share overlapping media markets and Internet resources.” Like-minded regimes may grant Moscow access to their systems because they are indebted to Russia or to augment their own domestic surveillance capabilities. Russian hackers may also find these systems easier to penetrate because of their similarity to Russian systems. Kerr added that “experimentation and learning around information control at home can drive advances in ‘political’ or ‘information’ warfare capabilities in international competition.”12 The same holds true for augmenting CEEW capabilities; information collected can help guide the timing and targeting of attacks against adversarial economies.

Russia refined its surveillance techniques during the 2014 Winter Olympics in Sochi, where the Kremlin used SORM to monitor both Russian dissidents and foreigners. The FSB monitored every athlete, coach, journalist, politician, diplomat, company, vendor, and spectator who attended the games. Putin even placed senior FSB counterintelligence official Oleg Syromolotov in charge of Olympic security.13

At the time, the U.S. State Department’s Bureau of Diplomatic Security warned that “trade secrets, negotiating positions, and other sensitive information may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.”14 For Moscow, the Olympics were an opportunity not only to showcase Russian athleticism and culture, but also to collect data for Russian CEEW efforts.15 Every company or vendor that attended the games put at risk proprietary trade secrets and valuable IP that the FSB could funnel to state-backed entities or use to undercut or extort their competitors.

Such SORM-enabled surveillance would be particularly advantageous for the Russian energy sector. The Russian partner in any joint venture with a foreign firm — be it a state-owned bank such as Sberbank or state-controlled energy giant Rosneft — could employ surveillance that facilitates cyber-espionage against its foreign partner, including data acquisition outside the scope of the joint venture. For example, information gleaned through joint ventures with Saudi Arabian firms — such as those to which Riyadh agreed during Putin’s October 2019 visit — could empower Moscow during a potential reprisal of the 2020 Russian-Saudi oil price war.16

Intergovernmental agreements on cybersecurity could also facilitate Russian CEEW through SORM. Russia has signed dozens of such agreements.17 Any time foreign systems are connected to Russia, Moscow’s intelligence services can use SORM to penetrate foreign entities by using information that passes through Russian phone exchanges, including calls, messages, and other data.18 Washington and its allies and partners need to better understand how SORM facilitates covert Russian access to international trade and commerce data.

Russia Leverages the Complications of Attribution

After a cyber-enabled attack, identifying the perpetrator is not simple. To be sure, U.S. intelligence and private cybersecurity firms can track packets of information, malware, and network infrastructure around the world. But the need to correlate that information with signals and human intelligence as well as assessments of the attacker’s tradecraft may complicate the government’s ability to quickly determine the party responsible. And absent “high confidence and timely assessments,” explains cybersecurity analyst Sarah Freeman, “accountability within the international space cannot be guaranteed.”19

Russia — like all sophisticated cyber actors — understands these challenges and therefore uses multiple tactics to delay attribution and frustrate Washington’s ability to respond. Beyond strategies to evade detection and complicate attribution at a technical level, Moscow also employs cybercriminals and other non-state hackers to obscure its role. The U.S. government and the press have documented this longstanding FSB practice.20

Beyond sowing disinformation and hiding behind cyber proxies, Russia is adept at exploiting protections guaranteed under the U.S. Constitution. In a May 2018 speech, then-General Counsel of the National Security Agency (NSA) Glenn Gerstell raised the possibility that the Fourth Amendment (barring unreasonable searches and seizures) may hamstring U.S. efforts to stop cyberattacks when the hackers operate from within the United States. In effect, once foreign adversaries step onto U.S. shores (whether physically or virtually), they receive protections under the U.S. Constitution and cannot be surveilled to the same extent as when they are abroad.

Gerstell noted that U.S. “privacy laws in this area are generally backward looking,”21 having failed to keep pace with rapidly evolving technology. For example, the legal definition of search and seizure has not adapted to account for when law enforcement authorities are pursuing bits or bytes that can be moved or destroyed in a millisecond. Nor has the law adequately grappled with what it means to be on U.S. soil when computer network infrastructure is global.

As Cyber Command and NSA chief General Paul Nakasone noted in March 2021 following the SolarWinds attack (described below), America’s cyber adversaries understand and exploit legal constraints on U.S. authorities. The issue is not that U.S. intelligence and law enforcement “can’t connect the dots,” he explained. Rather, they “can’t see all of the dots.” Even when the intelligence community can “see what is occurring outside of the United States,” America’s “adversaries understand that they can come into the United States,” use American internet service providers to conduct a malicious operation, and then quickly dismantle the infrastructure before U.S. civilian authorities can obtain a warrant and begin surveillance. Nakasone pleaded with lawmakers to enable the U.S. government (but not necessarily the NSA or Cyber Command) to increase its visibility into adversarial cyber-enabled attacks against government and private-sector entities.22

Case Studies

Russian cyber operations span a wide spectrum and exploit both software and hardware. While the motivations behind attacks vary, the capabilities employed reveal Russia’s range of tools and how it exploits both SORM and the seams in American cyber defenses.

SolarWinds: Exploiting the Seams

Russia is exploiting attribution challenges and gaps in U.S. intelligence capabilities as it seeks to gain footholds throughout the global information technology supply chain. From these footholds, it can launch further cyber operations.23 The SolarWinds operation provides a case in point.

In December 2020, the cybersecurity firm FireEye discovered that hackers, later determined to be associated with Russia’s Foreign Intelligence Service (SVR), had compromised the Texas-based software company SolarWinds’ Orion network management software. The hackers then used that access to produce and distribute malware to roughly 18,000 of the software’s users across the U.S. government and private sector.24 Once the victims inadvertently installed the Russian malware, the program deployed measures to evade detection,25 then opened a backdoor through which the attackers conducted follow-on operations against select victims.26 The Pentagon and intelligence agencies appear to be the only government bodies that avoided compromise. The hackers also compromised numerous private-sector entities, including major technology firms, hospitals, power companies, and financial institutions.27

During a press briefing at the White House on February 17, 2021, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger tells reporters that nine federal agencies and around 100 companies were impacted by the SolarWinds hacking event. (Drew Angerer/Getty Images)

While the malware’s technical components helped prevent detection, there was a bigger problem: U.S. intelligence was nearly blind to the hackers’ activity. Anne Neuberger, deputy national security advisor for cyber and emerging technology, plainly stated: “The intelligence community largely has no visibility into private-sector networks. The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity.”28 The hackers seemed to understand this. They attacked at the seams of the U.S. government’s authorities, jumping from foreign to U.S. infrastructure, renting servers from American “infrastructure-as-a-service” (IaaS) providers such as Amazon and GoDaddy before launching their intrusion.29 In so doing, the hackers exploited the fact that domestic investigations are largely the purview of U.S. law enforcement and homeland security.

While the goal of the SolarWinds operation appears to have been espionage rather than a disruptive or destructive attack, the intelligence gleaned could undermine U.S. economic statecraft. For example, during the operation, the hackers searched U.S. government systems for information on potential sanctions against Russia.30 Such information could allow potential Russian targets to better hide or secure their assets, reducing the effectiveness of U.S. sanctions.

Likewise, the hackers compromised the National Telecommunications and Information Administration, which advises the president on telecommunications policy, including internet and electromagnetic spectrum policy. Penetrating that organization could enable Moscow to identify companies the U.S. government believes are “untrusted vendors,” thus enabling Russia to prioritize cyber-espionage against trusted vendors that will gain market share. Moscow could also glean how the U.S. government uses and prioritizes the electromagnetic spectrum, potentially enabling Russia to undermine U.S. government communications during a crisis.

Furthermore, Russian hackers could use this type of supply chain breach for a wide range of other nefarious purposes. Even if initially intended merely for espionage, gaining access to internal systems establishes a “beachhead” that Russian actors can use to exert influence, sow disinformation, or even launch disruptive or destructive attacks against the American economy.

As Zilberman warned in his 2018 study on Russian CEEW, the U.S. technology supply chain’s vulnerability poses a growing threat to U.S. national security and economic prosperity.31 After discovering the SolarWinds hack, the Biden administration took initial steps to address this threat, such as launching a supply chain review and issuing an executive order that increased cybersecurity and software transparency requirements for federal contractors.32 Still, much more remains to be done.

Ransomware: Getting More Than Their Money’s Worth

Ransomware groups are taking a toll on the U.S. economy as the frequency and severity of attacks skyrocket. Russia is home to many of the attackers.33 As much as three quarters of all ransomware revenue in 2021 “went to organizations highly likely to be affiliated with Russia in some way,” the blockchain data firm Chainalysis concluded.34

While the Russian government’s role in these attacks remains unclear, Moscow has created a permissive environment for cyber criminals.35 A cache of leaked files from the Russia-based ransomware group Conti, for example, indicated these hackers enjoyed a mutual understanding with Russian authorities.36 In return for making their services available to the state when required, Russian cybercriminals are generally free to continue hacking so long as they “don’t ever work against [Russia or Russian] businesses,” as Karen Kazaryan, CEO of the Moscow-based Internet Research Institute, put it. “If you steal something from Americans, that’s fine.”37

The chaos and damage these cybercriminals can cause was on full display in May 2021, when the Russia-based gang DarkSide launched a ransomware attack against Colonial Pipeline.38 Colonial supplies over 45 percent of the fuel consumed on the U.S. East Coast and provides critical support for military, residential, and commercial facilities.39 The U.S. government therefore considers Colonial Pipeline to be critical infrastructure — that is, infrastructure “considered so vital to the United States that [its] incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”40

On May 7, 2021, the hackers sent Colonial a note saying they had “exfiltrated” company data and encrypted its information technology systems, offering to return the files for $5 million.41 The company immediately shut down all 5,500 miles of its pipelines to stop the malware’s spread and to protect the company’s operational networks.42 Ultimately, Colonial paid the ransom after shutdowns caused gasoline shortages and major disruptions to land and air transportation across the East Coast, prompting the Federal Motor Carrier Safety Administration to declare a state of emergency.43

Less than two months later, another ransomware attack, this time attributed to the Russian ransomware group REvil,44 hit meat processing company JBS. The world’s largest meat company by sales and the processor of one-fifth of America’s meat supply, JBS paid the $11 million ransom.45 President Joe Biden warned Putin to “take action” against Russia-based cybercriminals, threatening consequences if Russia failed to act.46

While Biden continued to raise these issues during bilateral conversations with Putin over the following six months,47 U.S. officials found “no reduction in the overall pace of ransomware attacks” since the previous summer,48 although attacks against high-profile targets apparently declined. “My guess is the Kremlin gave the message to criminals to stay off the front pages,” said cyber expert Jim Lewis.49 There is no public evidence, however, of such an order. It is equally likely that U.S. and allied counterattacks to confiscate ransomware profits and disable the network infrastructure of criminal groups convinced ransomware groups to refrain from attacking critical infrastructure.50

Unless held accountable by Washington and its allies, the Kremlin is unlikely to dismantle criminal enterprises that it can leverage for strategic gain. While Russia’s security services might not be responsible for all cybercrime emanating from Russia, SORM ensures that Moscow knows who the perpetrators are. If it wanted, the Russian government could shut them down. The criminal activity has “served too many valuable purposes,” Michael Daniel, a former White House cyber coordinator, noted.51 Even the FSB’s January 2022 arrest of REvil members, just as U.S.-Russia tensions were escalating ahead of the war in Ukraine, appeared to be geared toward sending a message to Washington, as opposed to cracking down on criminal hackers.52 That message: Russia could be helpful against cybercriminals if America acquiesces to Russia’s designs in Ukraine. As the war in Ukraine continued, Moscow dropped the charges and reportedly explored recruiting the REvil hackers to work for the state.53

In addition to directly harming U.S. companies, ransomware attacks by Russia-based cybercriminals could support Russian intelligence collection. The hackers who attacked Colonial Pipeline obtained about 100GB of data on some 5,180 current and former Colonial employees, including personally identifiable information.54 The FSB has a long history of using cybercriminals to collect intelligence abroad.55 The FSB could also use SORM to obtain the data stolen by ransomware groups. Therefore, the United States should assume Moscow can use information stolen by cybercriminals to support CEEW or other cyber operations.

Recommendations

In his 2018 paper on Russian CEEW, Zilberman provided recommendations aimed at increasing private-sector awareness of the risks posed by Russian technology companies. He urged Washington to safeguard U.S. supply chains from malicious technology and to deny Russia access to advanced U.S. technology.56

Even prior to Russia’s February 2022 invasion of Ukraine, the United States had taken steps along these lines. The Commerce Department has added Russian cyber entities to its growing Entity List, barring exports and re-exports of U.S. technology to designated entities and, in many circumstances, to Russia as a whole.57 The Treasury Department has imposed sanctions prohibiting transactions with designated individuals or entities.58 The Justice Department has charged numerous Russian state and criminal hackers.59 The issue has been featured in public congressional hearings.60 Since February, Washington has sanctioned numerous entities in the Russian technology sector, including ones supporting the Russian military.61

Moscow’s CEEW strategy, however, is purposefully broad, employs a variety of actors, and feigns ignorance regarding cybercrime emanating from Russian territory. As such, the U.S. government not only needs new and flexible approaches to deterrence and mitigation but also better intelligence collection and analysis regarding Russia’s CEEW playbook, including the role of SORM. It is also past time to consider whether and how some U.S. laws constructed prior to the cyber age may need to be revised.

1. Resource and prioritize intelligence collection and analysis concerning Russian CEEW. A better understanding of the officials and institutions directing and implementing Moscow’s cyber policies, operations, and technological development will help Washington predict — and hopefully deter or defend against — future Russian CEEW activities. Washington should focus particularly on gaining a thorough understanding of SORM and the relationship between Russia’s security services and the various cybercriminal groups operating in Russia.

2. Require IaaS providers to “know your customer.” Today, legitimate and illegitimate actors alike are utilizing off-site servers, cloud storage, and virtual machines for operational simplicity. These IaaS providers offer servers, storage, and hardware on demand. Companies use IaaS providers instead of investing in their own network servers. By requiring IaaS providers to conduct due diligence on their clients, Washington can help prevent hackers from using American companies to support cyberattacks. This information could also help law enforcement agencies hunt down malicious cyber actors. Anti-money laundering laws require financial institutions and others to conduct “Know Your Customer” due diligence on potential clients and to continuously monitor those clients’ use of their financial services. The U.S. government should require IaaS providers to do the same.
The Trump administration attempted to address this challenge by issuing Executive Order 13984, mandating regulations that require IaaS providers to conduct due diligence on their customers.62 President Biden wisely left the executive order in place.63
This is a good first step, but Washington works best when the executive and legislative branches act in unison. Executive Order 13984 would function better as a statute, with strict penalties for violations. Congressional hearings can further help to assess the threat IaaS poses and to produce effective legislation to counter it.

3. Conduct studies on the tradeoffs between privacy and security for intelligence collection against adversarial foreign persons. In the years before the 9/11 attacks, al-Qaeda realized the United States had a vulnerable gap between law enforcement and intelligence authorities — a gap the terrorists exploited to deadly effect. Following 9/11, the legislative and executive branches worked collaboratively to help prevent future attacks against the homeland.
Today, by using IaaS providers to launch attacks, hackers can evade U.S. intelligence agencies, which cannot surveil domestic entities and individuals in the same way they can surveil targets abroad. As then-National Security Advisor Robert O’Brien stated in January 2021, “abuse of United States IaaS products” by malign cyber actors “has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of the United States firms FireEye and SolarWinds.”64 The executive and legislative branches must again wrestle with the authorities governing intelligence and law enforcement activity, both at home and abroad.

As technology evolves and surveillance by states, non-state actors, and private companies becomes more ubiquitous, the debate regarding privacy and security will only grow more heated. In the context of understanding and deterring Russian CEEW, however, one should frame the security vs. privacy debate through the lens of whether current Foreign Intelligence Surveillance Act requirements limit the intelligence community’s ability to collect against valid foreign targets once they arrive in the United States. U.S. adversaries know how to exploit these constraints. Congress should mandate a commission or direct government agencies to conduct an in-depth study of the costs and benefits of the prohibition against collection against non-U.S. persons physically or virtually located inside the United States. The first step in fixing this problem is to understand the current legal framework’s tradeoffs and limitations.

4. Increase analysis and public awareness of Russian CEEW information operations. Part of Washington’s challenge in countering Russian CEEW stems from a lack of understanding across the executive and legislative branches and by the American public. The U.S. National Counterintelligence Strategy for 2020–2022 noted that “defend[ing] against hybrid attack methods that involve supply chain, cyber, technical means and insider enabled attacks” requires, among other things, “deepening our understanding of our adversaries’ cyber and technical threat intent and capability.” It also necessitates “work[ing] across the whole-of-government, the private sector, and the American public to enhance mechanisms for information sharing and implement more effective defenses.”65
Congress and the executive branch must work together to fully resource and implement that strategy. For example, the aforementioned strategy notes that to achieve its goals, the intelligence community must “[d]evelop, train, and retain a cadre of cyber counterintelligence and technical security experts” to “allow for more rapid recognition of threats and vulnerabilities, and more agile responses and integrated approaches to counter adversary cyber and technical activities.” The intelligence community also needs “new capabilities to track and counter foreign cyber and technical operations against the United States and leverage partnerships with the private sector to develop effective countermeasures.”66

5. Enhance cyber diplomacy to combat ransomware and other cyber threats from Russia. Given its SORM capabilities, Moscow likely knows who is responsible for the cybercrime emanating from its borders but is unlikely to do anything about it. Washington needs a more robust diplomatic engagement strategy with U.S. allies to combat ransomware attacks and other cybercrimes originating in Russia.

Until recently, there had been no individual at the State Department with both the appropriate seniority and exclusive mission to take on this problem. In April, the department inaugurated its new Bureau of Cyberspace and Digital Policy, realigning teams across the department.67 A Senate-confirmed ambassador will lead the bureau. Congress should codify this new bureau into law. With congressional backing, the bureau and its leader can marshal the bureaucracy to communicate U.S. positions on cyber policy and rally U.S. allies to combat cyber challenges. This could include a concentrated effort at the United Nations, the Organization for Security and Cooperation in Europe, and elsewhere. It should also include ensuring European governments and companies understand SORM and how it puts European privacy at risk. The head of the new bureau should also lead efforts to counter the proliferation of SORM-related technologies and legal frameworks in developing countries.

Finally, Washington should also establish an Interagency Working Group (IWG) for ransomware, as recommended by the Ransomware Task Force. The task force stated that the National Security Council, Office of the National Cyber Director, State Department, Department of Homeland Security, Justice Department, Treasury Department, and other relevant IWG members “should engage international allies and partners to build a like-minded coalition against ransomware and ensure policy coordination.” The U.S. government should also “establish an international coalition to combat ransomware criminals” by “building [the] legal case against criminal actors, pursuing targets/groups through pooling resources and tools, and amplifying takedowns when they happen.”68

Conclusion

In 1972, the late RAND analyst Andrew Marshall (who later created the Pentagon’s Office of Net Assessment, which he ran for more than 40 years) wrote a classified report titled “Long-Term Competition with the Soviets: A Framework for Strategic Analysis.” Declassified in 2010, the report argued that Washington needed “improved models of Soviet decisionmaking processes,” and that more “account must be taken of the fact that Soviet force posture emerges … from a complex decisionmaking process involving many organizations with conflicting goals.”69

Today’s challenge is to understand Moscow’s CEEW decision-making process from the ground up — the technology on which it depends to gather data (SORM); the advantages Russian hackers perceive and exploit in the gaps in U.S. law enforcement and intelligence gathering authorities; and the personnel and policies that direct and operationalize Russian cyber and information operations. As Marshall surmised in that Cold War treatise, the U.S.-Soviet “competition will be prolonged — indeed, for planning purposes, endless.” So, too, with the challenge America faces from Russian CEEW.
