Cyber Offense Full Article

Author: Undefeatable

Posts

Total: 8
Undefeatable
Undefeatable's avatar
Debates: 64
Posts: 126
1
6
11
Here is the full article for Site 7 from Round 1 of my Cyber Offense Debate


I own none of this. All credits go to Rod Thornton.

Deterring Russian cyber warfare: the practical, legal and ethical constraints faced by the United Kingdom
ABSTRACT
This article examines both the nature of the cyber threat that Russia poses to the United Kingdom and the efficacy of the latter’s responses to it. It begins, and making use of original Russian sources, with a review of why a Russian cyber campaign is being conducted against the UK and how it is being operationalised. This article then goes on to analyse the UK’s ability to defend itself against this campaign by employing the concepts of both deterrence-by-denial and deterrence-by-punishment. But can this UK cyber deterrence actually work? The idea of cyber deterrence-by-denial seems to be impractical, while there are specific issues with employing cyber in a deterrence-by-punishment capacity. In particular, how can the UK use its own offensive cyber capabilities against Russia and yet remain within international law and ethical boundaries? Indeed, the UK government has already accepted that, in any future use of its offensive cyber capabilities, it cannot do so.
Introduction
This article begins by reviewing the rationales behind and the operationalising of Russia’s cyber warfare campaign against certain Western states, including the United Kingdom. It goes on to consider how the threat posed by this activity, having in mind practical, legal and ethical constraints, can best be countered. As a focus of examination, this article reviews the deterrence measures that the UK can apply in response to Russian cyber activity. In particular, it looks at the UK’s stated intent to reply with its own ‘offensive’ cyber warfare capabilities. ‘Britain’, indeed, and as one Russian source puts it, ‘is the first country in the world to publicly acknowledge that it is developing the potential to conduct offensive operations in cyberspace against other countries’ (Savchenko 2017, 153). The conclusion is reached here that it will actually prove extremely difficult for the UK to effectively deter Russian cyber operations simply by using its own cyber tools.
The aims of Russian cyber operations
It appears to be a given that Russia conducts cyber warfare as part of a significant – indeed, ‘massive’ – information warfare campaign against Western interests and against NATO states in particular (UK Parliament 2017). Such activity, while primarily involving many low-level interventions, has also included the likes of interference in electoral processes and attacks on energy infrastructure (US Office of the Director of National Intelligence 2017). These operations can originate from one of the official Russian intelligence agencies (GRU, FSB, SVR, Spetssviaz 1) or from the government-controlled but ostensibly private, Agentsvo Internet-Issledovaniya (Internet Research Agency – IRA) in St Petersburg.2 (The Economist 2018). They can also be sourced to any number of sub-contracted non-state groups, agencies and individual hackers who are either pressed into Russian state service or hired under the label of ‘patriotic hackers’ (UK Parliament 2017, 51). Such sub-contracting is engaged in both to make use of civilian expertise (which is difficult to recruit into Russia’s poorly-paying government agencies) and to generate the degree of mass that increases the effectiveness of cyber operations. Sub-contracting also allows for the claiming of state deniability if ever such operations come to be blamed on Russia (see below) (US Congress 2018, Appendix D).
Russia’s current campaign of cyber warfare against what it sees as its Western adversaries can be seen to have three distinct aims. The first is to gather information/intelligence on these adversaries. The second is to probe for weaknesses in computer systems that can be identified and taken advantage of later. Thirdly, and more fundamentally, these operations are being used to, in essence, help weaken targeted states internally. As a spokesperson for the UK’s domestic security service, MI5, recently put it, ‘cyber attacks … are part of a wider Russian operation to disrupt and agitate Western political discourse – an operation which includes more traditional subversion, propaganda and disinformation campaigns’ (UK Parliament 2017, 52).
Russian ‘strategic deterrence’
Russian cyber operations against targets such as those in the UK may be viewed as an important part of the package of measures that together make up what Russia officially refers to as its system of ‘strategic deterrence’ (strategicheskoe sderzhivanie). This is notionally a defence mechanism and designed to be continuously operating in peacetime. It is a concept defined in the Russian National Security Strategy (NSS) of 2009 as ‘involv[ing] the development and implementation of a complex system of interrelated political, military, economic, informational and other measures aiming to pre-empt or reduce the threat of destructive actions from an attacking state (or coalition of states)’ (Russian Government 2009, para 26). This Russian idea of ‘strategic deterrence’ thus involves a series of expedients (including cyber warfare) that, acting together, may be looked upon as what is commonly referred to as ‘hybrid warfare’. The Russians, however, tend to see their ‘strategic deterrence’ concept operationalised through a process they refer to as ‘new-type warfare’ (voina novogo tipa).
Elements of this new-type warfare (NTW) are judged by Moscow to be highly effective currently in terms of achieving its strategic aims without actually engaging in open warfare against the Western powers. Moscow understands that, militarily, NATO forces are far superior to those of Russia and in any kinetic exchange it would lose. Thus, fundamental to NTW is what the Russian military refers to as the ‘indirect approach’ (nepryamoe deystvie) (Chekinov and Bogdanov 2011, 33; Kartapolov 2015). That is, the Russian state and its military will not today be relying on gaining strategic advantage through the use of kinetic force but rather through activities ‘dominated by information and psychological warfare’ (Chekinov and Bogdanov 2013, 16). And it is through such indirect, non-kinetic tools of ‘warfare’ used in peacetime that, according to Russian geo-political and military logic, Moscow can achieve its stated principal strategic aim. This is to ‘pre-empt’ (as the NSS had put it) any possible future ‘threat of destructive actions’ on the part of NATO adversary states (such as the UK) against Russia or against Russian interests (Boulegue 2017).
Such indirect measures are designed to work by ‘neutralizing’ (a word commonly used in Russian doctrinal statements and Russian military writings) the ‘threat’ that Moscow sees as coming from the West. This neutralisation is, in essence, to be achieved by the process of internal weakening. At its simplest, a state so weakened and having to deal with its own domestic problems is one, in Kremlin thinking, less likely to represent a threat to Russia or to Russian interests abroad; either independently or as part of an alliance (Adamsky 2018).
Moscow also sees such neutralisation as necessary in order to undermine any Western-inspired efforts to set in train a ‘colour revolution’ in Russia that would unseat the government of President Vladimir Putin (Bazylev et al. 2012; Konyshev and Sergunin 2013; Chekinov and Bogdanov 2017, 83). This is an important point to remember when examining Russian security interests: state defence policy is perhaps designed more to defend the Putin regime than the state itself (Adamsky 2018). The Kremlin judges that the very existence of this regime is coming under threat from Western sources through the use by the US and its allies of information warfare, including cyber warfare. As Connell and Vogler express it, this regime sees itself as ‘locked in an ongoing, existential struggle with … external forces that are seeking to challenge its security in the information realm’ (Connell and Vogler 2017, 28, emphasis added). The stakes are thus high. In response, and as one article in a Russian military journal sees it, Russia is under cyber assault from the West and has to fight back: ‘this is not an empty scare – the cyberspace warfare is already on’ (Bazylev et al. 2012, 12).
In such a light, Russia’s ‘strategic deterrence’ measures – including its continuous cyber warfare against Western targets – can certainly be looked upon from Moscow’s point of view as a necessary ‘defence’ mechanism with the general aim of destabilising potential adversaries and, in particular, of warding off a regime-destroying ‘colour revolution’. Such Russian measures can, of course, also be seen in another light: as aggressive and designed to weaken Russia’s Western opponents so that, in a zero-sum sense, they create latitude for Russia, as a revisionist state, to be a more powerful global player (Adamsky 2018). Whatever the viewpoint, cyber warfare does now appear to have become a vital indirect, non-kinetic tool for Russia to employ in furthering its aim of neutralising adversaries. And because it is a non-kinetic tool it runs little risk of generating a kinetic response from such adversaries.
The value of cyber warfare to Russia
In Russian thinking, cyber warfare, as a subset of information warfare, is divided into two operational spheres: cyber-technical and cyber-psychological (although the effects of each will overlap and create synergies). Cyber warfare is a popular topic in Russian military journals. This is in part because it is seen as a very effective tool but it is also because the Russians pride themselves on having considerable talents in the cyber field; which is true enough (Thomas 2014; Bridge 2019). While these articles often point out examples of the effective use of cyber warfare, they tend, though, to involve its use by Western actors against Russia and other countries. That being said, when reading Russian military articles which highlight the threats posed to Russian security interests by Western activities, it is wise to be mindful of the fact that such articles are invariably employing Aesopian language (Galeotti 2015). That is, if, in such articles, any means employed by Western military and security agencies can be said to be effective then the implication is that the very same means should also be employed (if possible) by Russia against its NATO adversaries (Thomas 2017).
One such 2014 article by two senior officers in the authoritative armed forces journal, Military Thought, examined United States cyber warfare and highlighted how effective it was. It discussed the ‘indirect approach’ to the conduct of warfare in reference to the ‘US strategy of indirect warfare in cyberspace’ (Vorobyov and Kiselyov 2014, 50). Such cyber warfare was noted as being a means used by the US to obtain no less than ‘global domination’. The point was made that, ‘The US political and military leaders view the worldwide information environment as a domain of its vital interests and control over it as a way to achieve their strategic objectives of global domination’ (Vorobyov and Kiselyov 2014, 52). The US was accused, for instance, of using cyber operations to destabilise certain Arab countries at the time of the Arab Spring. The US had ‘invaded these sovereign countries’ cyberspace in peacetime’. The language used is that of invasion and the aim is made clear in this article: ‘By using the strategy of the indirect approach … the US ideologues seek to erode an adversary’s moral spirit and political will and to plunge the target country into chaos and instability, and to bring the explosive situation in the country to the boil.’ These same US techniques, points out this article, are also being applied against Russia. As the authors note, such ‘attempts at unauthorised [cyber] penetration are made in respect of Russia as well’ with the aim of ‘destabilising the country’ (Vorobyov and Kiselyov 2014, 52).
Thus, from this Russian perspective, it is the United States that is aggressively using ‘warfare in cyberspace’ to undermine the Russian state and to establish ‘global domination’. But this also means (using the Aesopian prism) that ‘warfare in cyberspace’ should also represent a highly effective tool for Russia itself to use to achieve the very same objectives vis-à-vis its Western adversaries.
The role that cyber warfare can play in any ‘strategic deterrence’ activity is also highlighted in other articles in Military Thought. In one, four senior military officers point out that ‘cyber warfare’ will be used by Russia ‘against intractable enemies, opposition groups, criminal groups and [with pre-emption in mind] potential adversaries’ (Dylevsky et al. 2011, 157). Here, with its notification that cyber operations will be employed against ‘potential adversaries’, is an example of the Russian military characteristic of seeking always to seize and hold the initiative in any form of contest – be it on a battlefield or in peacetime against geopolitical rivals. The Russian military simply cannot remain passive. The term used to cover such a characteristic is aktivnost’ (Leites 1982). This is the idea that distinct advantage can be achieved by constantly putting disruptive pressure on adversaries to weaken them (Chekinov and Bogdanov 2013). As Shimon Naveh puts it, ‘Aktivnost’ represents a unique idea, constituting one of the fundamentals of Russian military thought’ (Naveh 1997, 172).
The peacetime aktivnost’ now being conducted against Western targets was previously evident as part of one specific aspect of Soviet strategic culture that developed during the Cold War. This was the Soviet employment, at the strategic level, of a form of deterrence then known as ‘active restraint’ (aktivnoe sderzhannie). This was a long-term strategic tool designed to weaken the Soviet Union’s ‘main enemies’ – individual NATO states and the Alliance itself – but without, again, provoking them into kinetic response. It consisted of the continuous application of a series of low-level ‘active measures’ (aktivnye meropriyatiya), which concentrated on the manipulation of information. These measures were employed by all of the state’s defence organs – Ministry of Defence, KGB and Ministry of the Interior. These organs were ‘mobilised to influence international relations in directions required by the new long-range policy [“active restraint”], and, in effect, to destabilise the “main enemies” and weaken the alliances among them’ (Golitsyn 1984, 49). This sounds familiar. For these ‘active measures’ of the past we can read the ‘strategic deterrence’ (hybrid warfare) measures of today; only today they have far more sophistication and are most notably characterised by the use of operations in cyberspace. It is important to note also that these operations will be constantly applied. As one Russian general writes, ‘Information [including cyber] warfare needs to be continuously conducted in peacetime’ (Saifetdinov 2014, 39).
The use thus of cyber warfare by Russia today fits into what is well-nigh a path dependency. Those measures that were adopted in the past when tensions were high between Russia (Soviet Union) and the West will once more be applied now because they represent a form of default setting. Only now there is a new tool to employ: cyber. Hence, cyber warfare is not only a form of warfare in which Russia tends to excel, and which sits very comfortably within Russian strategic culture, it is also one which, given the nature of path dependencies, it is almost bound to employ no matter what the strategic threat situation.
The character of Russian cyber operations
Perhaps the most high-profile of Russia’s cyber operations today against its ‘potential adversaries’ are those that are designed to have psychological effect. These focus on either influencing electoral outcomes or on ‘hack-and-leak’ activity. The aim of the first is to weaken an opposing state by, in essence, ‘undermin[ing] public faith in … democratic processes’ (US Office of the Director of National Intelligence 2017, ii). Hack-and-leak attacks will attempt to make public incriminating information (kompromat) with the aim of embarrassing Western governments, their prominent public figures and their high-profile institutions (Popescu and Secrieru 2018).
However, there are also other, less high-profile, forms of Russian cyber activity. These include covert intelligence-gathering operations and those aimed at putting in place malware ‘to sit invisibly within networks enabling [the Russians] to launch a cyberattack should the order be given’ (Haynes 2018). Alongside these are general probing operations. With these in mind, the UK’s Defence Intelligence (DI) agency has noted that Russia is ‘not targeted in its use of offensive cyber capabilities’. Russian cyber warriors are, it seems, making ‘practice runs’ in order just to see where vulnerabilities exist. According to DI, they ‘are quite prepared to use the world as a range, [saying] “we will give it a go and see what happens”’ (UK Parliament 2017, 51–52).
Such espionage and probing operations are actually what would be expected in any use of cyber warfare by a state against an adversary in a situation short of outright, kinetic war. That is, efforts in this particular field are limited largely to carrying out cyber reconnaissance activities in order to look for weaknesses that could be exploited later when true ‘hostilities’ – however defined – have actually commenced. Russia’s cyber warriors, as with those of any state with a significant cyber capability (Rid and McBurney 2012), will also not want to show their hand too early in terms of their full cyber capabilities. This is because once they do so then the vulnerabilities in the cyber realm of the targeted state will become apparent – and it can then raise specific defences. These will then cut off avenues of Russian cyber assault in the future (Berger 2017).
Russian hackers will thus, to a significant degree, want ‘to keep their powder dry’ by limiting their cyber operations. This would be the intuitive deduction made of any state that may one day seek to generate profoundly damaging cyber attacks as part of a wider conflict. Indeed, and with an offshoot of Russian strategic culture in mind – i.e. operational art – this would be even more apposite in the Russian case. One of the characteristics of this ‘art’ is that offensive actions in wartime lean heavily on the concept of not just surprise (syurpriz) but also on a stage beyond surprise – vnezapnost’ (Baxter 1986, 113). This is the idea that an enemy should be hit with blows that are not only unexpected, but which also carry an enormous crushing weight. Such vnezapnost’ can only happen in the cyber realm if the Russian intelligence agencies and military hold fire on what they are truly capable of doing until what may be seen as the necessary time and after the requisite degree of reconnaissance. It should thus be expected that current Russian cyber warfare activity against Western targets will remain very largely designed to merely weaken, disrupt and to gather intelligence rather than to create profound damage. And again, Russia, in its cyber activities, will not want to provoke targeted adversaries into an armed response. This fact is, indeed, recognised in the UK. The government’s National Security Capability Review (NSCR) of 2018 makes the point (although without mentioning Russia by name) that, ‘adversaries’ are trying to ‘harm or subvert us in [non-kinetic] … ways calculated to avoid provoking an armed response’ (UK Cabinet Office 2018, 11).
The risks posed by Russian cyber operations
While Russia might be limited in its cyber operations, in the realm of cyber warfare, however, the law of unintended consequences can very much apply. Even mere cyber reconnaissance and probing can still produce serious results for the targeted state. Second- and third-order effects may be generated that would have been difficult – if not impossible – for the instigator to have predicted. The abovementioned representative from the UK’s DI talked of the Russians having a high ‘risk appetite’ in their cyber intrusions, while a spokesperson from MI5 also said they ‘are clearly operating to risk thresholds which are nothing like those that the West operates’ (UK Parliament 2017, 52).
It is these ‘risk thresholds’ that are currently causing particular alarm among responsible authorities in the UK. Hackers from, in particular, the GRU have been accused by Foreign Secretary Jeremy Hunt of ‘operat[ing] without regard to international law or established norms’ and of engaging in cyber activity that is ‘reckless and indiscriminate’ (Wintour 2018). Such activities have led to banner headlines – even in quality UK newspapers – such as, ‘Russia is ready to kill us by the thousands.’ This echoed a statement made by then Defence Secretary Gavin Williamson who had warned that Russian cyber attacks against the UK’s energy infrastructure could cause ‘thousands and thousands of deaths.’ He said that Russia wanted to create ‘panic and chaos’ in the UK (Farmer 2018, 1).
But Williamson was only talking theoretically. He understood that Russia’s cyber activity was merely reconnoitering energy systems in order ‘to know’, said Williamson, ‘how they can kill infrastructure’ (Farmer 2018, 1). Thus, overall, the true cyberthreat posed to the UK by Russia seems to be currently, and as would be expected, mostly in the realm of the hypothetical. There is the caveat, though, that this threat has the capacity, given the ‘risks’ being taken, to have consequences that are very serious indeed.
Moscow has certainly shown that it can create such consequences if required. This was evident with the cyberattacks directed at the energy infrastructure of Ukraine before Christmas in both 2015 and in 2016. These attacks cut the power in Kiev, leading to the freezing of water in ground pipes. This meant that many residential areas in the city had no water and, more importantly, also no means of heating.3 There was the possibility that many, especially older people, might have frozen to death. As NATO Secretary-General Jens Stoltenberg later put it in relation to these incidents: ‘anonymous fingers had set off a weapon that, in the depths of a Ukrainian winter, could be every bit as deadly as a precision-guided missile’. He made the point that ‘a cyberattack can be as destructive as a conventional attack’ (Stoltenberg 2018).
While Stoltenberg (as head of NATO) could not officially attribute culpability to Russia in these attacks, the NotPetya cyber attack on Ukraine’s energy infrastructure in 2014 was, however, officially ‘attributed to the Russian military’ by the UK and other states (UK Cabinet Office 2018, 6). But it took eight months to establish this and even then there was some residual doubt (and yet this was ‘the most devastating cyberattack since the invention of the internet’!). Thus even NotPetya showed just how difficult it is, when it comes to sourcing cyberattacks, to definitively apportion blame (Rid and Buchanan 2015; US Office of the Director of National Intelligence 2018). NotPetya, moreover, also showed just how difficult it is for the instigator itself to target and to control such attacks. NotPetya ‘began … as an assault on one nation by another’ but quickly spread and became uncontrollable. It has been noted, indeed, that while ‘the weapon’s target was Ukraine … the blast radius was the entire world’. In blowback terms, NotPetya even affected Russian businesses, including the oil giant, Rosneft (Greenberg 2018).
A vital tool
Overall, however, and as noted, Russia is very comfortable using cyber warfare to gain strategic advantage. Requiring limited capital outlay, it is a cost-effective means of destabilising potential adversaries in peacetime. Its use suits, moreover, a specific Russian strength (cyber) and fits in with the cultural proclivity, in confrontations with adversaries, to maintain the initiative and to apply pressure on them at all times. It also offers, ultimately, the possibility of creating crushing surprise (vnezapnost’) in wartime. Moscow, indeed, with its cyber weapon, is employing what Russian analysts consider to be one of its most potent tools of ‘defensive pre-emption’ (Baryn’kin 2013). Cyber warfare would thus appear to have a vital role to play in current Russian defence and security policy.
Moreover, beyond the danger of some minor blowback, there are few risks involved for Moscow in its employment of cyber warfare, especially given the fact that attribution is so difficult (see below). There could be, of course, some response – possibly kinetic – from aggrieved targeted states who did feel that Russia was responsible; but fashioning reprisal action against it is certainly not a straightforward task. International law is, though, evolving to take into account how states today can defend themselves against such cyber operations.
Cyber conflict and international law
A ‘consensus’ seems to have developed now in the Euro-Atlantic area ‘that existing international law and international commitments are sufficient to regulate cyber conflict’ (Giles and Monaghan 2014, 1). This means that ‘there is general agreement that the UN Charter, even though it was conceived around kinetic principles, also applies to cyber conduct’ (Dev 2015, 385). As such, and as now generally believed, ‘where a computer network attack, directly or indirectly, results in a physical consequence, namely destruction of physical property, injury or loss of lives, it will constitute a use of force under [UN] Article 2(4)’ (Dinniss 2012, 74). Given this, any state should therefore have the right to use force, including armed force, in response to such an attack in order to compel the state conducting it to desist. Moreover, ‘the fact’ also seems to be accepted now ‘that a cyber operation that does not rise to the level of a use of force does not necessarily render it lawful under international law’. It could still be illegal since it ‘may constitute a violation of the prohibition on intervention’ (Tallinn Manual 2013, 44). As such, a targeted state could also be within its rights to take reprisal action (of some description) in response to a cyber operation that was not actually ‘destructive’.
The general legal sentiments abroad now have come to be captured in the NATO-sponsored (but not NATO-authorised), Tallinn Manual on the International Law Applicable to Cyber Warfare (2013) and the subsequent Tallinn Manual on the International Law Relating to Cyber Operations (2017). Russia had no input into either document. Indeed, it would be difficult to see how it could. The first Tallinn Manual was created as a response to the Distributed Denial-of-Service attack on Estonia in 2007, which was considered to have been conducted by Russian hackers. In essence, the stipulations within these Tallinn Manuals are designed to make any future such Russian cyberattacks definitively ‘illegal’.4
Naturally enough, Russia, which looks upon cyber warfare as such an important strategic asset, has its own views. As one Russian source puts it, a ‘cyberattack could not, from a legal perspective, be seen as an act of aggression or the use of force’ (Konyshev and Sergunin 2013, 111). Other Russian sources make the same point, debating, in particular, whether armed force can be used in response to merely a cyberattack (Dylevsky et al. 2011).
Questioning Western interpretations of international law vis-à-vis cyber warfare is one way for Moscow to create a layer of protection for itself in terms of frustrating reprisals for its cyber activity. A more reliable protection, however, comes with the concept of deniability.
Russian deniability
It is this aspect of deniability that Moscow appears to be using as its key defence in warding off any sanction by the states it targets in the cyber realm. The logic is clear: if Russia cannot be definitively blamed then it cannot, legally, be punished. The relative ease of creating ‘cyber obfuscation’; that is, of masking the source of any particular cyber operation, means that, as Heather Dinniss notes, it is ‘difficult to state with any certainty that the entity that appears to be the perpetrator of the attack is in fact the ultimate attacker’ (Dinniss 2012, 100). Tarah Wheeler agrees, saying, ‘it would be nearly impossible to identify perpetrators with 100 per cent confidence if they take even rudimentary steps to cover their digital tracks after cyberattacks’ (Wheeler 2018, 41). Even a recent US Intelligence Community publication noted that the best outcome in terms of attribution would be to isolate, at best, a ‘likely perpetrator’ (US Office of the Director of National Intelligence 2017, 2).
The Russian military itself notes that the ‘sources of cyberattacks cannot be identified definitively’ (Dylevsky et al. 2011, 160). And as Russian sources make clear, without attribution there can be no retribution (Konyshev and Sergunin 2013, 111). Moscow knows that even a modicum of doubt as to its culpability can undermine support in terms of generating international consensus (UN, NATO, EU, etc.) for the taking of any reprisal action by any one state against Russia (Wheeler 2018, 40). Indeed, as one official US report puts it, ‘by their nature, Russian influence campaigns [of which cyber operations are a part] are multifaceted and designed to be deniable because they use a mix of agents of influence, cutouts, front organisations, and false-flag operations’ (US Office of the Director of National Intelligence 2017, 2).
Russian deniability, of course, is aided by the fact that, given the ease of launching cyber operations, so many non-state actors across the world could theoretically be the originators of any cyber incident. The claim can also be made by Moscow that an attack that appeared to come from Russia was actually conducted by another state and was just being made to appear to come from Russia – the false-flag idea (Maxey 2018). This aspect of false-flagging does make attribution especially difficult. As Vitaly Kamluk, director of Kaspersky’s global research and analysis team, puts it, ‘Attackers know that creating the ultimate false flag is the ultimate defense’ (Ng 2018). And anyway, of course, even if a cyberattack could actually be sourced to Russia, the authorities there could just claim that it was some loose-cannon ‘patriotic hackers’ who were not under state control.
All this having been said, however, and where its cyber operations against the UK are concerned, Russia does not seem to be too anxious to hide their source. The 2017 report of the UK’s Intelligence and Security Committee of Parliament (ISCP) noted that, ‘Russia [is] no longer concerned about its activities remaining covert, and it [is] adopting a more brazen approach to its cyber activities.’ It is, though, important to note that Russia still does officially disavow responsibility for engaging in such ‘activities’ (UK Parliament 2017, 32). It employs them, however, and as an official from the UK’s signals’ intelligence centre, the Government Communications Headquarters (GCHQ), expressed it, ‘under a deliberately thin blanket of deniability’ (UK Parliament 2017, 51). Russia appears to want to intimidate (aktivnost’) through its cyber operations but without exposing itself to any international sanction because of them. While Moscow’s ‘blanket of deniability’ may be thin, it is still being deployed.
The United Kingdom and cyber deterrence
The UK is a prime target of Russian cyber operations. The government in London has openly accused Russia of using them, as noted, to try and create ‘panic and chaos’ within the country (Farmer 2018). The UK authorities themselves thus seem to have no problem of attribution: Russia is ‘guilty’. As one government spokesman put it, and quoting then Prime Minister Theresa May, ‘The attribution of this malicious activity sends a clear message to Russia – we know what you are doing and you will not succeed’ (Reuters 2018).
It is recognised in the UK, though, that this activity is not currently designed to be necessarily destructive. The NSCR of 2018 notes that, ‘Russia has … mounted a sustained campaign of cyber espionage and disruption’ (UK Cabinet Office 2018, 6). The impression is thus given of Russia acting malevolently but without actually causing specific damage equivalent to an armed attack. But these actions are still viewed as illegal because they are taken to be intrusive ‘interventions’ that contravene the UK’s state sovereignty (Wright 2018). And while the first Tallinn Manual had noted that such ‘interventions … may constitute a violation of the prohibition on intervention’ (Tallinn Manual 2013, 44), there is, however, no such equivocation where the UK is concerned. As the then principal legal adviser to the UK government, Attorney General Jeremy Wright, saw it in early 2018, both Article 2 (7) of the UN Charter and customary international law prohibit intervention in the domestic affairs of states. ‘This prohibition’, as Wright put it, ‘means that any activity in cyberspace which reaches the level of such an intervention is unlawful’ (Wright 2018, emphasis added).
The real fear, however, within the UK is of what these ‘illegal’ Russian cyber interventions could lead to. They may inadvertently bring about dire consequences. They could also be laying the groundwork (‘mapping’) for major cyber assaults in the future (Worldwide Threat Assessment of the US Intelligence Community 2019). As both UK and US authorities have warned in a joint statement, cyber reconnaissance activity seeking out systemic weaknesses can act to ‘lay the foundation for an attack on infrastructure’ (Haynes 2018). Probing hacks into energy grids are seen as particularly worrisome in this regard (Borger 2018). It could all lead up to a Russian act of vnezapnost’ involving serious consequences that would demand a serious response. As Wright says (and echoing Stoltenberg as quoted above), ‘the UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defence’ (Wright 2018). The initial problem here, of course, is how to define what ‘imminent’ (in a cyber sense) and ‘equivalent … to an armed attack’ mean and what will then initiate ‘action’? Wright also does not say whether such ‘action in self-defence’ would involve the use of kinetic force (Wright 2018).
But whatever defensive ‘action’ is proposed by the UK it may be seen as perhaps designed not so much to stop what Russia is currently doing, but rather to stop it doing what it is feared it might later do. The UK has to ‘prevent President Putin from unleashing his full cyber potential’ (Haynes 2018). The UK thus needs to find ways to deter Russia from doing this but without specifically threatening the use of force. The UK’s chosen means of deterrence could thus be to merely utilise its own cyber capabilities.
In theory, deterrence using cyber means works in much the same way as deterrence using traditional military means: that is, it ‘depend[s] on convincing opponents that the costs of attacking would be greater than any benefits they might obtain’ (Andres 2012, 92). Cyber deterrence will come, moreover, as in other defence fields, in two forms: deterrence-by-denial and deterrence-by-punishment. Both have three basic requirements in order to be effective: capability, communication and credibility (Schelling 1966, 36–49; Geers 2010).
Deterrence-by-denial
Here, a passive ‘defensive’ cyber stance is established. The UK has attributed cyber operations to Russia and sent its message that ‘you will not succeed’. This would appear to suggest that the UK has the ability to practice deterrence-by-denial procedures that would prevent Russian ‘success’.
The efficacy of any form of deterrence-by-denial relies on the ability of the defending party to indicate to a threatening adversary that it will not achieve its aims if it operationalised its threat. In ‘normal’ deterrence scenarios, use would be made of known physical assets. Nuclear deterrence-by-denial, for instance, would involve making clear to an adversary that any nuclear attack it proposed to conduct would not succeed because all (or a significant proportion) of its means of delivery (missiles/aircraft) would be intercepted by various existing forms of defence (including Ballistic Missile Defence shields). The adversary, if it fired its missiles, would not achieve its objectives. Such defensive capabilities would be advertised and made visible so that credibility would be communicated easily (Carter and Schwartz 1984).

The problem in the cyber realm, of course, is how is deterrence-by-denial supposed to function when the signalling is largely down to mere rhetoric? A prime minister simply saying ‘you will not succeed’ may not be enough. How could Moscow know it would not ‘succeed’ if it did ‘unleash’ its full cyber potential? And, moreover, just how much energy would Russia waste anyway – and what ‘costs’ would it incur – if it did launch a major cyber attack that did not ‘succeed’? Where is the jeopardy? A few hours only of a few hackers’ time might be wasted in an attack that could anyway be deniable. Thus, even if the UK’s cyber defences are, indeed, sound, Russia’s cyber agencies would lose very little by testing them.
While deterrence-by-denial is intuitively the least problematical form of cyber deterrence that the UK could employ, it may be seen to lack credibility. The UK’s cyber defensive capabilities can never be communicated effectively so they cannot be relied upon to prevent Russia attempting a major cyber assault. Deterrence-by-denial thus seems not to be practical.
Deterrence-by-punishment
In defending itself against the Russian cyberthreat, the UK can also theoretically apply the more offensively geared notion of deterrence-by-punishment. That is, if Moscow continues with its current cyber activity against the UK or if other, more serious, attacks appear ‘imminent’ or actually take place, then the UK could threaten to respond with ‘punishing’ cyberattacks of its own. The idea here being that if Moscow did fear such punishment then it would exercise restraint; it would be deterred.
This process, again, relies on signalling. In nuclear deterrence terms, this would be achieved by rhetorically threatening to reply to any adversary’s proposed pre-emptive nuclear strike with an even more devastating nuclear counter-strike. This would make use, in essence, of some ‘rocket-rattling’. Such a communication of capabilities would serve to enhance credibility (Schelling 1966, 36–49).
But cyber sabre-rattling does not, of course, work quite so well. The rhetorical communication might be there in terms of, for instance, GCHQ officially declaring that it has significant ‘counter-state offensive cyber capabilities’ (UK Parliament 2017, 44). This was headlined as, ‘British cyberweapons could paralyse hostile states’ (Elliot and Haynes 2017). Certainly, this message that the UK does have the power to ‘paralyse’ the likes of Russia through its own offensive cyber capabilities is being assiduously broadcast. The aforementioned report from the ISCP says it noted ‘the advantage [that] the UK’s development of a strong offensive cyber capability will confer in terms of an effective deterrent’ (UK Parliament 2017, 44). The principal document relating to the cyber capabilities of the UK’s armed forces also highlights their ‘offensive’ potential.5 Indeed, the military and GCHQ combined their cyber capabilities in 2014 by forming the National Offensive Cyber Programme. Overall, the statement of threat in official government documents is that the UK could, quote, ‘retaliate’ [see below] with its own cyber capabilities if subject to or threatened by a serious Russian cyberattack (Wintour and Walker 2017).
Such an admission that it had offensive cyber assets did put the UK in a unique position. It became the first country in the world to advertise that it had such a potential (as was duly noted in Russia) (Savchenko 2017, 153). This remained the case until September 2018 when the White House announced, in a new National Cyber Strategy (2018), that it would lift its own ban on both the civil and military use of offensive cyber.
Again, though, the problem with offensive cyber as a deterrence-by-punishment tool is its credibility. How is any state actor to be successfully coerced into changing its behaviour in the cyber realm by a UK cyber capability whose actual effectiveness will largely remain moot until actually deployed? If Moscow has no way of knowing about the potential of UK offensive cyber and whether it could overcome Russian defences, then the UK warnings will have no traction. Indeed, how can it be ascertained if, in any cyber exchange, Russia is actually capable of ‘escalation dominance’? That is, can Moscow respond to any UK offensive use of cyber with an even more destructive one of its own? Hence, the question once more is, just how practical would any UK cyber deterrence-by-punishment capability be if it is both of an unknowable effectiveness and risks inviting a yet more devastating Russian counter-response?
Moreover, the threatened use by the UK of offensive cyber faces a series of both legal and ethical constraints that will inhibit its applicability as a tool of deterrence. If Foreign Secretary Hunt accuses Russia in its cyber activity of ‘operat[ing] without regard to international law or established norms’ (Wintour 2018) then it would seem incumbent on the UK to do so itself.
Cyber deterrence-by-punishment: the legal and ethical dilemmas
There is a reason why the UK was alone in advertising that it had an offensive cyber capability and why the US considered it illegal until late 2018. The fact is that international law is unclear as to the legality of any state employing cyber as a deterrence-by-punishment tool. As Wheeler puts it, ‘reaching an international consensus on what triggers a country’s right to self-defence in cyberspace requires a coherent, common understanding on where to draw the line between nefarious economic or intelligence activities and true cyberattacks’ (Wheeler 2018, 41). Such a consensus is proving difficult to generate.
Firstly, it would be difficult, of course, to say at what specific point the UK could begin to use its cyber offensive capability in response to any Russian cyberattack suffered. And then there is the thorny question of attribution (Tsagourias 2012). If the UK chose to take reprisal cyber action then it would have to be very sure of the source of the initial attack. The ‘victim state’, as Attorney General Wright himself noted, ‘must be confident in its attribution of that act’. He continued, ‘without clearly identifying who is responsible for hostile cyber activity, it is impossible to take responsible action in response.’ Wright also, however, said that the UK, if it decided to take reprisal action, had ‘no legal obligation’ to produce evidence to the international community to confirm who the attacker was (Wright 2018). While such a stance is taken because producing evidence would ‘reveal sensitive capabilities’ it would also, of course, call into question the UK’s ability to obtain international approval for its actions and thereby still operate within international law (UK Parliament 2017, 44).
But even if the UK did decide to take unilateral action using its offensive cyber capabilities, it would still be bound, as noted earlier, by the laws of armed conflict. As such, any act of deterrence-by-punishment could only ever be used in order to either persuade the adversary to desist from what it is doing or to convince it not to carry out any future such attacks. Where the use of armed force is concerned, this has an instinctive logic. But there is less clarity where cyber warfare is concerned. A Russian cyber operation, for instance, that was not designed to be destructive may have inadvertently become so and any damage wrought may have come about by accident. And what if, by the time the UK had launched a reprisal cyberattack, Russia had already stopped its original cyberattack but second-order effects were still continuing?

The UK must also be careful not to employ offensive cyber for mere ‘retaliation’. Retaliation – a ‘simple act of vengeance’ – is illegal according to the laws of armed conflict (UK Ministry of Defence 2004, 418). The UK has, though, officially made the threat to use its own cyber offensive capabilities in order to ‘retaliate’ against Russian cyberattacks. The ISCP report, for instance, provides a list of the UK’s ‘offensive cyber’ capabilities and first in this list is ‘the ability to retaliate after a cyberattack’ (UK Parliament 2017, 43). Likewise, the NSCR talks about the UK’s ‘[enhanced] offensive cyber capabilities to detect, trace and retaliate in kind’ (UK Cabinet Office 2018, 11). It is the word ‘reprisal’, of course, that should be used and not ‘retaliation’. As the UK’s own Manual of the Law of Armed Conflict (MLAC) notes, ‘Reprisals are extreme measures to enforce compliance with the law of armed conflict by the adverse party.’ They are designed to make it ‘desist from its unlawful conduct’. ‘Reprisals’, as this Manual makes clear, ‘are not retaliatory attacks’ (UK Ministry of Defence 2004, 418, emphasis added). To remain within international law, the UK must be clearer in its nomenclature.
And then there is the issue of targeting. Even if there was, say, a major cyberattack on the UK’s energy infrastructure sourced to Russia, then in any reprisal cyber action the UK could not apply reciprocity. UK offensive cyber could not itself target Russian energy infrastructure. This is because it is ‘prohibited’ by the laws of armed conflict to take reprisal action against ‘civilians and the civilian population’ (UK Ministry of Defence 2004, 418). Moreover, while a UK cyberattack on Russian energy infrastructure in winter might kill a considerable number of people, this would not happen in reverse given the UK’s mild winters. Additionally, the UK should only ever be taking cyber reprisals against ‘military targets’. Although what exactly today constitutes a ‘military target’ (the IRA in St Petersburg?) is another point of debate. And how also could the legal principle of ‘proportionality’ – present in the laws of armed conflict – apply in any UK cyber response? Cyberattacks are difficult to precisely target. NotPetya showed just how hard it is to control any cyberattack’s ‘blast radius’. This lack of control means that ‘proportionality’ cannot be guaranteed. Again, as the UK’s MLAC notes, ‘Disproportionate acts cannot be justified as reprisals’ (UK Ministry of Defence 2004, 419).
Indeed, the UK has actually accepted now that it cannot conform entirely to the laws of armed conflict when it comes to its use of offensive cyber in a deterrence capacity. The MLAC, for instance, declares that any proposed reprisal actions have to be ‘publicised’ beforehand and that ‘reasonable notice must be given that reprisals will be taken’ (UK Ministry of Defence 2004, 419). But this is one convention, not without reason, no longer supported in London. As Attorney General Wright admits, the UK now ‘departs from’ international law in that it ‘would not agree that we are always legally obliged to give prior notification to the hostile state before taking [cyber] countermeasures against it’ (Wright 2018).
Such an admission that it cannot keep to the laws of armed conflict is indicative of the problems faced by the UK in any application of its offensive cyber capabilities as a tool of deterrence. Just as it will be limited by practical considerations, UK offensive cyber will also patently be constrained by legal and ethical factors.
Conclusion
It does seem then that the UK’s ability to employ its cyber deterrence capacity – whether in the deterrence-by-denial or deterrence-by-punishment roles – to counter Russia’s cyber warfare campaign lacks a certain credibility. It appears to be an impractical instrument. Moreover, if UK cyber is to be operationalised in an offensive manner, it runs the risk of contravening both international law and ethical principles. This seeming weakness in deterrence terms of the UK’s cyber capabilities has then also to be set against the fact that Russia’s own cyber weapon is such an important part of its ‘strategic deterrence’ logic. Moscow is deriving a great degree of strategic utility from its cyber warfare activities aimed at its perceived adversaries. And this is, of course, a mode of warfare that Russia is both very comfortable employing and which fits in so very well to Russian strategic culture. A path dependency is patently at work with Russia’s use of cyber and it will be very difficult to remove it from this path. Any attempts, thus, by the UK, using its own cyber capabilities of debatable efficacy, to dissuade – to deter – Moscow from continuing to use its own cyber assets would seem at the very least to be a fraught exercise.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes on contributors
Rod Thornton is an Associate Professor in the Defence Studies Department of King’s College London based at the UK’s Defence Academy at Shrivenham. As a British infantry soldier in the Cold War, Rod studied the Soviet military. He has also later served in a military intelligence capacity. After military service, he took a degree in Russian and Serbo-Croat at the University of Nottingham. On graduation in 1992, he rejoined the army to act as an interpreter in Bosnia, where he served for a year during the war there. On leaving the army again, he took two master’s degrees and gained a PhD from the University of Birmingham. Rod has taught at the University of Nottingham, the University of Erbil in Iraq and in Qatar. His current work at the Defence Academy revolves around professional military education matters where he advises on the Russian military and issues related to contemporary warfare: Information Advantage operations, cyber, AI and Electronic Warfare. He is the author of the book, Asymmetric Warfare (Polity Press) and numerous articles, mostly on the Russian armed forces. His most recent article, on the Russian military in Syria, appears in the latest edition of the Journal of Slavic Military Studies.
Marina Miron, a fluent Russian speaker, gained a PhD in Strategic Studies in 2018 from the University of New South Wales at the Australian Defence Force Academy. Prior to her doctoral studies, Marina received a BA in Politics and American Studies (Jt. Hons) from the University of Nottingham and an MA in War and Contemporary Conflict from the same institution. Since 2012, she has worked as an assistant editor for the Infinity Journal. She is currently a Research Fellow at the Centre for Military Ethics at King’s College London. She has given several lectures on the contemporary theory of strategy (University of Alicante, Spain; NATO School Oberammergau, Germany), and presented at several conferences. Prior to her shift to the social sciences, Marina was heavily involved in computer programming. She worked as a Unix System Administrator and as an independent programmer focusing on authentication and encryption algorithms. Her research interests include Russian operations in Syria, strategic theory, theory of war, Clausewitz’s thought, ancient military thought, cyber-warfare and military ethics.
Notes
1 The GRU (Glavnoe Razvedyvatel'noe Upravlenie) is the intelligence arm of the Russian armed forces. The FSB (Federal'naya Sluzhba Bezopasnosti) is primarily responsible for internal security (MI5/FBI equivalent). The SVR (Sluzhba Vneshnei Razvedki) is the Russian Foreign Intelligence Service (MI6/CIA equivalent). The Spetssviaz (GCHQ/NSA equivalent) is the successor to the KGB’s 16th Directorate (Electronic Intelligence) and was known between 1991 and 2003 as FAPSI.
2 All Russian translations, including of article and book titles, are the responsibility of the authors.
3 In Eastern Europe, heating is supplied centrally through the delivery of hot water from power stations directly to houses and flats in order that underground pipes do not freeze. Individual residences tend not to have their own independent means of heating or of producing hot water. Moreover, the wiring in apartment blocks normally does not support the use of electric heaters.
4 This first manual merely remains ‘an expression of the views of 19 international law experts, mostly from NATO countries, and does not represent the position of NATO or any other entity’ (McClintock 2017). The same is true of the Tallinn Manual 2.0 (Talbot Jensen 2018, 738). Their wide-ranging applicability is, therefore, limited.
5 This document uses the word ‘offensive’ (in terms of the UK military’s cyber capabilities) 25 times in its 64 pages (UK Development, Concepts and Doctrine Centre 2018).