Governments and media credit Russia with fearsome hacking capabilities―which happens to suit Moscow very well. The West should take concrete counter-measures.
It is not entirely surprising that Russia has made a name for itself in the cyber world. Russians are, after all, good at hacking―very good. It’s an ironic by-product of backwardness. If one goes back to the 1980s and 1990s, and even the 2000s, Russians were often unable to buy the latest technology that we in the West could access; at the same time, Russia is historically strong in mathematics. Quite a few Russians, deprived of the programs we rely on, actually learned to code. Hacking systems and programs was meant as a workaround, but these hackers eventually developed a subculture of their own.
Hackers are by definition nearly always ahead of the game. They are looking to exploit vulnerabilities that are largely unknown until they are weaponized. Because of this, hacker activity often says more about Western vulnerabilities than Russian capabilities. The Russians have not really been able to break anything that is not broken already; they have merely been able to exploit opportunities. Rather than recognize what this means about our own failings, we often use the Russians as scapegoats.
Conversations with those in the security establishment and military in Moscow inevitably reveal the extent to which they feel Russia is at war with the West―a war they believe the West started. This is a non-connected, non-military war, one where they are fighting for Russia’s place in the world and Russian sovereignty.
At the same time, under Putin, Russia is invested in a campaign to make Russia great again, to assert itself as a great power when in fact it is not. Despite Russia’s vast physical scale, its economy is smaller than that of New York state. Its soft power is almost non-existent. And its military power, while not inconsiderable, is reaching the point of being overstretched.
Not Much Impact
This helps to explain the country’s enthusiasm for cyber warfare: if you are sensible, you move the field of battle to where you feel your opponents are most vulnerable. Putin believes that the West’s vulnerability is precisely that it is a constellation of democracies, with legitimate internal and inter-state disputes and disagreements along various fault lines. He is aided by the fact that the West is going through something of a legitimacy crisis, with real suspicions about the political class, questions about the future of the EU, and pressures on the transatlantic alliance. Even if Putin had never been born, these tensions would still have arisen.
The Russians have exploited these weaknesses. In terms of the American election, the Kremlin was clearly trying to influence the outcome, though it is still unclear how great an effect its efforts had. The much-vaunted Facebook campaign has been shown to be relatively marginal, and so far research on voting patterns and intentions as a result of that, or the leak of Democratic emails, have not been able to demonstrate substantive shifts in any statistically robust way.
Donald Trump won to a large extent because of his own capacity to create a groundswell of public support, and perhaps more importantly thanks to both James Comey’s unexpectedly timed announcement about the investigation into Hillary Clinton and Clinton’s own clumsy campaign strategy. In general, when Russian hackers act abroad, their impact is often relatively small. But even when the effect is significant, this does not mean they are particular capable.
Many Russian people genuinely believe they are fighting Western attempts to muzzle or restrain their country. While there is a certain degree of exasperation in Russia over the claims of hacking, on another level it fits into a very convenient narrative: it elevates Putin to a status he frankly does not deserve, as this terrifying Bond-type villain threatening Western democracies. One would almost believe that Putin can reshape elections and topple governments with the click of a mouse. He cannot, but it suits him to maintain that appearance.
In reality, we should not assume Russia is any more secure than we are, not least because we have witnessed a series of cyber crimes carried out against Russian targets as well. Instead, it is important to examine the country’s political intent and its willingness to take geopolitical risks. When you are fighting a war like the one the Russians believe they are, you are willing to take risks. The West, on the other hand, does not regard itself as being at war with Russia, so we have a very different set of basic operating principles.
If we question which global powers have the greatest offensive cyber capabilities, America would undoubtedly be at the top of that list. Western nations, however, are not deploying their capabilities against the Russians the way the Russians are deploying theirs against the West. The difference really is about politics and mind-set―indeed, the Russians are lucky we are not seeking to hack them in the same way as they are hacking us on a state level.
We should not underestimate the fundamental resilience of democratic systems and democratic societies. The Russians did not even seek to elect Trump, or believe he could be elected; they believed the American establishment would not allow a Trump to win, and that American democracy is much more managed than it is in reality. They simply wanted to ensure that Clinton, whom they were certain would be elected, would be as weak as possible on Day One of her presidency. It is entirely possible they played some small role in Brexit, but ironically enough, news about the scale of that support could give the British political elite the chance to renegotiate and revisit the decision to leave the European Union. The Russians supported the Front National in France, but they could not secure a victory. And in Germany, Russian meddling has in many ways forced the country and Chancellor Angela Merkel into a much more anti-Russian position. Time and again, what is seen as a tactical success by the Russians is really a strategic defeat.
Cyber Is Cheap
There is a strong case to be made for far less hysteria over Russia’s capabilities. When we overestimate Putin, we not only encourage him but also empower him; people begin to believe we need to make a deal with Russia. Instead of obsessing over Russia, however, we need to push for greater resilience in general. This is not merely a Russia problem, after all, it is a modernity problem.
There are various other protagonists that could be using these strategies, and quite possibly with much more serious intent. If one looks at Chinese military and political thinking, for example, it already embodies many of the principle of so-called “hybrid warfare,” and they have used similar tactics in the South China Sea. It is certainly not implausible that they will also be looking carefully at the lessons of Russia’s information warfare campaign for future reference. Other actors are unlikely to be operating on the same scale, but as cyber and information operations can be relatively cheap, we cannot exclude them being used in more limited ways, whether to try and tip the balance of power in the Balkans or other complex political environments. Finally, let’s not assume this is purely the province of states; in the US elections and the Brexit vote in particular, we have already seen significant legal campaigns by pressure groups and powerful individuals to manipulate the information environment for political purposes. This is only likely to become more common, and perhaps in some cases also shade into the realms of illegal operations―or at least morally questionable ones, given that laws tend to lag behind the technical capabilities.
In the case of more direct cyber attacks, unless it comes to a real conflict situation, Putin is not going to try and crash national power systems in the middle of winter, for example. That would mean war, a shooting war. But there may well be terrorists and pariah regimes that are less concerned about the implications.
So this is a useful opportunity to consider the vulnerability of our modern systems and shore up their security and resilience. European security would be served better by investing more in cyber security rather than simply assuming that hitting the 2 percent of GDP mark on defense spending in terms of tanks and guns and rockets provides guaranteed protection.
We must also rethink our response to Russia. There has been very little cost to the Putin regime as a whole, because we have a tendency to fetishize symmetry: If you carry out a cyber attack, then our response ought to be something cyber; if you limit our media, we will limit yours.
We can and should think more imaginatively and asymmetrically. It is perfectly legitimate for us to make clear that we regard hacking our systems as unacceptable, and that rather than responding by hacking into theirs, we will expel Russian companies from our countries or find other, comparable avenues of creating real, tangible costs. There should be more personal sanctions targeting people associated with Russia’s cyber and information warfare activities, but also those who simply order or encourage or justify them. We need to show there is some kind of price without feeling the need to be equally aggressive and equally cyber militarist.
Regardless of how we respond, the sound and fury hides the fact that Russian hacking is not some kind of existential threat to the West. We need to stop treating it like one, and instead consider specific responses to a specific problem.