What a U.S. Operation Against Russian Trolls Predicts About Escalation in Cyberspace

March 22, 2019

The Washington Post recently reported that U.S. Cyber Command conducted an offensive cyber operation in the fall to block the Internet Research Agency, a Russian troll farm, from carrying out a cyber-enabled influence operation against the 2018 U.S. midterm elections. This appeared to build on a previous cyber operation in which Cyber Command directly targeted Russian operations to warn them against meddling in the upcoming midterms. Senior U.S. leaders billed Cyber Command’s efforts as an example of the Department of Defense’s new “defend forward” strategy for cyberspace in action.

Since the public launch of that strategy, analysts have expressed concern about the risk that a more proactive and engaged U.S. cyber force will provoke dangerous escalation dynamics with rivals. What can this recent demonstration of the defend forward strategy tell us about the escalation risks of offensive cyber operations? To understand why concerns about cyber escalation may be less worrisome than many commentaries suggest, it’s important to put the operation in context. Notably, the United States does not appear to have targeted the much bigger fish here: the Main Intelligence Directorate of the General Staff (GRU), Russia’s military intelligence agency. Instead, the operation targeted the IRA, a Kremlin-affiliated company that conducts social media-based influence campaigns to sow public distrust in U.S. institutions. Why was this? Operational requirements and calculations about intelligence tradeoffs seem to have informed Cyber Command’s decision-making. A closer examination of likely U.S. motives suggests that offensive cyber operations are subject to many, if not more, of the same constraints that other military operations are: Planners may choose less ambitious targets because they’re easier to attack, to avoid revealing what they know, or because they want to prevent an escalatory spiral.

First, the United States may have chosen to target the IRA because, from an operational perspective, it was easier to gain access to their networks. All offensive cyber operations require some means of access to exploit a vulnerability and deliver a payload (such as malware). Typically, access is gained remotely (through the Internet) or via close access (for instance, through a human agent on the ground or supply chain interdiction). Remote access is far riskier and more expensive than close access, although in some cases even the former requires a non-negligible level of skill and intelligence about vulnerabilities and potential attack vectors.

According to Russia’s Federal News Agency, Cyber Command’s operation relied on remote access through a compromised iPhone that an Internet Research Agency employee connected to a computer. One plausible explanation for the decision to disrupt the troll farm’s influence operations, rather than targeting the GRU, is that it may have been far easier for Cyber Command to gain access to Internet Research Agency networks and systems, while the GRU was a considerably more “hardened” target.

 

 

Alternatively, it is also possible that Cyber Command and/or the National Security Agency had (and still have) access to the networks and systems of more valuable targets within Russian military and intelligence agencies, but did not want to reveal that information and risk losing that access through a noisy offensive cyber operation. Gaining access to high-value targets can be resource-intensive and yield uncertain results, and maintaining persistent access over time can be difficult. Moreover, revealing information about access enables network defenders to take measures to negate it. Therefore, decision-makers planning an offensive cyber operation must weigh the costs and benefits of burning an access that could support a crucial intelligence function. Penetration of the GRU’s networks could support critical U.S. intelligence priorities. Or, access may want to be reserved for future use as part of an offensive cyber campaign.

The difficulty of gaining and maintaining access to a target may be a cause for optimism regarding cyber escalation. Qualms about offensive cyber operations triggering escalatory spirals may be misplaced because access requirements make escalation difficult. Put simply, a state may lack means of access to the ideal target at precisely the desired time and, therefore, may only be able to “hit what it can get” in cyberspace. These limitations may be particularly acute in the context of a crisis or a known upcoming event—as was the case with the scheduled 2018 midterm elections—because a target is likely to be more attuned to potential efforts by adversaries to breach their networks and more apt to take proactive measures to detect adversary activity. In this case, U.S. operators may have anticipated that the GRU knew a U.S. response was coming because the elections were near. Even if a state does have access to a target it believes could prompt an escalatory response, it may prefer to save that target for other purposes. Altogether, this suggests there are impediments to what might otherwise be escalatory cyber spirals.

Second, U.S. decision-makers may have chosen to disrupt the operations of a less significant target out of the fear that an operation against an actor such as the GRU would trigger Russian retaliation. Indeed, the Obama administration reportedly hesitated to take more decisive action in response to Russian meddling in the 2016 elections due to concerns about triggering escalation. According to this logic, cyberspace holds the potential for dangerous escalation that the United States has thus far been able to avoid due to prudent policy decisions. Considering the counterfactual, it is possible that a Cyber Command operation to disrupt the GRU may have provoked Russia into disrupting, for instance, the U.S. power grid.

This example holds potential implications for deterrence. Specifically, if accurate, the reporting that the Obama administration rejected more aggressive cyber countermeasures to address Russian interference in the 2016 elections due to apprehension that the United States was asymmetrically vulnerable to Russian cyber escalation may stand as an example of successful deterrence. This demonstrates that, with respect to cyber deterrence – just like other forms of deterrence – perception may matter more than reality. In other words, despite the many factors that make cyber deterrence elusive (such as problems of signaling intent, attribution, or revealing capabilities to convey credibility, to name a few), deterrence in cyberspace may nevertheless hold when states—due to adversary manipulation or their own strategic myopia — perceive that they are vulnerable.

But, perhaps more importantly, if the United States overestimates Russian cyber deterrence and the potential for Russian escalatory cyber responses, it may be erroneously limiting its response options to adversary cyber behavior. There are reasons to be circumspect about the possibility of an escalatory Russian response even if the United States had gone after the bigger target. First, Russia faces the same access requirements and intelligence gain-loss calculations as the United States does, so any Russian response would be conditioned by these factors. Moreover, even if Russia tried to escalate, cyber campaigns (in isolation) are limited in their abilities to sustain meaningful costs against targets. This dampens the potential for escalatory spirals. As the New York Times noted, “Intelligence officials have said it is difficult, if not impossible, to use cyber operations to take an adversary off line permanently….Given time, the target of an operation can find workarounds or fix software problems.” The operation targeting the Internet Research Agency was disruptive and therefore only achieved temporary effects. It is reasonable to infer that a hypothetical Russian response would be constrained by similar operational realities. Moreover, even a potentially prolonged Russian cyber campaign encompassing a range of diverse target sets would be limited by challenges associated with delivering sustained effects against a strategic, dynamic defender.

On balance, this initial implementation of the defend forward strategy suggests the United States can be more proactive and engaged in cyberspace without provoking dangerous escalation dynamics. This does not mean adversaries will not react to a more forward-leaning U.S. posture in cyberspace; rather, it implies that the United States can reasonably assume some additional risks to confront undesirable adversary cyber behavior. However, the U.S. cyber operation against the Internet Research Agency should also energize further research on identifying the thresholds above which offensive action in cyberspace could prove to be escalatory or trigger an undesirable adversary response.

 

 

Erica D. Borghard is an Assistant Professor at the Army Cyber Institute at the United States Military Academy at West Point. The views expressed are personal and do not reflect the policy or position of the Army Cyber Institute, U.S. Military Academy, Department of the Army, Department of Defense, or U.S. Government.

Image: U.S. Air Force Cyber Command photo