Читать книгу Russian Cyber Operations - Scott Jasper - Страница 31

The restoration of Russia’s great power status is clearly connected to military power in Russian strategic culture.¹³⁶ Therefore, conventional military and nuclear forces remain essential in the context of “Russian responses to perceived security challenges which are asymmetric in the broad sense.”¹³⁷ Moscow has deployed antiaccess/area-denial (A2/AD) capabilities in the “strategic outposts” of the Kola Peninsula, Kaliningrad, and Crimea to dissuade, deter, or, if ordered, defeat third-party intervention.¹³⁸ Famed historian Stephen Blank agrees that military forces play a vital role in Moscow’s strategic rivalry with Washington but not necessarily a primary role. He argues that “even as Moscow builds up its conventional and nuclear weapons . . . , it conducts an unrelenting asymmetric information and cyber warfare that targets key socio-political, infrastructural institutions and grids” and “uses energy, organized crime, media and intelligence subversion and subsidization of foreign politicians, movements and parties for its aims.”¹³⁹ While Russia enjoys massed conventional superiority in Europe along its frontiers, the nonkinetic aspects of its asymmetric arsenal operate uninterrupted today without fear of legal reprisal.

The DDoS attacks against Estonia in 2007 constituted Moscow’s first use of large-scale, coordinated cyber operations in an attempt to coerce a neighboring state into making a concession.¹⁴⁰ The unrest posed no immediate threat to the Russian Federation but to the interests of nearby Russian-minority populations. Throughout the cyber campaign, NATO member Estonia grappled with the decision to invoke Article 5 of the NATO charter for collective self-defense but could not decisively tie the Kremlin to the attacks. Seemingly, according to Jaak Aaviksoo, it was clear that “at present, NATO does not define cyber-attack as a clear military action.”¹⁴¹ Nonetheless, the DDoS attacks failed to reach the scale-and-effects threshold for classification of an armed attack, an essential condition of Article 5, which alone did not allow Estonia to defend itself with force. Likewise in the Georgia conflict, labeled by the international media as “cyber war,” the effect of the cyber operation itself “was not serious enough to amount to severe economic damage or significant human suffering.”¹⁴² It was also difficult to distinguish the damage and suffering in Georgia caused by cyber operations from that caused by the traditional armed conflict. Even if the effects could be deemed as sufficiently severe, the role of the state on behalf of the hackers and criminals was questionable enough to avoid state responsibility for the cyber operations.

The use of proxies for misattribution prevented holding Russia responsible for the cyber operations in Georgia under the law of armed conflict—even though the cyber operations appeared to be a distinct component of the conflict. So did the deceptive use of patriotic hackers to divert or take the blame in Estonia stymie attribution, which gave Russia a viable option for cyber coercion while plausibly denying its involvement. In some ways, the two cyber campaigns represented the Russian theory of victory, for which leading Russian defense intellectual Andrei Kokoshin has “labeled as asymmetrical, as it is a competitive strategy playing one’s strengths to opponent’s weaknesses.”¹⁴³ The Russian leadership recognizes that despite recent modernization of its armed forces, the state cannot compete with the West in conventional military terms. President Putin has said, “We must take into account the plans and directions of development of the armed forces of other countries. . . . Our responses must be based on intellectual superiority, they will be asymmetric, and less expensive.”¹⁴⁴ Cyber operations fit well into this unique category.