Russia’s toolbox for undermining democracy: Cyber warfare
Part One in a series of essays by Toomas Ilves, former president of Estonia and currently the Bernard and Susan Liautaud Visiting Fellow, Center for International Security and Cooperation, Freeman Spogli Institute for International Studies
Excerpted from testimony for Senate Judiciary Subcommittee on Crime and Terrorism on March 15, 2017.
Authoritarian regimes have a long history of undermining, subverting and overthrowing democratic governments. My country of Estonia declared its independence from the Soviet Union in 1918, but in 1940, Soviet troops staged simultaneous coups in all three Baltic countries. They replaced our governments with their own marionettes, followed by fake elections in which 99 percent of the electorate voted for communist candidates.
These methods for undermining democracies we already know; we have seen them for at least a century. This essay is the first in a short series discussing new methods of interference, influence and attack.
Cyber warfare: The latest weapon
Sam Colt said about his .45 revolver in the 19th century that it was the great equalizer: Weaker and smaller didn’t matter if the smaller had his weapon. Today information technology is the great equalizer. Small nations such as my own can be powerhouses in providing digital services to citizens, developing quickly and leaving large, far richer countries way behind. Unfortunately, the equalizing nature of IT holds true as well for countries and entities whose purposes and goals are nefarious.
Virtually every history of cyber warfare begins by describing an attack on Estonia, six months into my presidency. In 2007, my country’s governmental, banking and news media servers were hit with distributed denial-of-service (DDOS) attacks. In a DDOS attack, networks of bots from hijacked computers send out massive numbers of signals to specific addresses, designed to overload servers until they can no longer handle so many pings and they shut down. DDOS attacks are mounted by the same people using the same technology as spam, but instead of sending spam mails to massive numbers of addresses, shotgun-style, DDOS attacks target specific servers. I underline that this activity is criminal: it is done for hire.
Individual and criminal cyber attacks have a long history, of course, but this was different. It was state-sponsored digital warfare, by the well-known definition of the great theoretician Carl Paul von Clausewitz as “the continuation of policy by other means.”
This was, as far as we can tell, the first time a nation-state had been targeted using digital means for political objectives (in our case, as punishment for moving a Soviet statue unloved by the populace). The next year, in the Russian war against Georgia in 2008, DDOS attacks were coordinated with kinetic attacks, meaning real military actions ― a new development in hybrid warfare where targets were blinded by DDOS attacks and then bombed or shelled.
It is important to keep in mind, however, that DDOS attacks do not breach the targets’ computers; they are not, strictly speaking, “hacking.” They simply render servers and websites inaccessible. Which of course is enough to do plenty of damage. DDOS attacks reached a new level in October 2016, during the so-called Mirai attacks which created major internet site outages in the US and Europe. The attackers used millions of IoT (Internet of Things) devices to shut down the DYN domain server, which translates URLs into the IP addresses that actually locate each site — and without which those sites cannot be accessed by users.
In the wake of DDOS attacks and their paralyzing impact, the focus of cybersecurity shifted to more elaborate possibilities, including the use of malware to shut down critical infrastructure: electricity and communication networks, water supplies, even disrupting traffic light systems in major cities. This requires “hacking” as we know the term — breaking into a computer system, not just blocking access. Indeed, the potential danger to critical infrastructure became the primary focus of government and private sector concern, including in my own country, where we were already quite aware of cyber power.
This kind of cyber attack could shut down a country, rendering it open to conventional attack. In 2010 the Stuxnet worm, which spun Iranian plutonium-enriching centrifuges out of control, warned us of the power of cyber to do serious damage to physical systems. Leon Panetta, Secretary of Defense from 2011 to 2013, warned in 2012 of the potential of a “cyber-Pearl Harbor.” Subsequent cyber operations, such as the shutting down of a Ukrainian power plant, showed that such concerns were hardly unwarranted.
At the same time I should also note that one could already do considerable damage to national security and the private sector without disabling infrastructure. The hacks of Sony and of the Office of Personnel Management, in the latter of which the records of up to 23 million past and present federal employees were accessed, are good examples of extremely dangerous breaches that endanger a country’s national security or its commerce.
All of these concerns fall into the broad rubric of symmetrical warfare. Whatever they did to you, once you figured out who “they” were, you could do back to them. Moreover, the U.S. Department of Defense has explicitly said in its cyber strategy that a cyber attack need not be met in the cyber domain; a kinetic response is just as possible.
Today, unconstrained by the limits of kinetic war, by the range of missiles and bombers, by the logistics needed to support an armored division, we can succumb instead to digital aggression. In the digital age, physical distance no longer has any meaning. The range of threats we have seen in the past decade since Estonia was attacked — from DDOS attacks to wiping out communications or power grid infrastructure to disrupting elections — are all independent of distance from the adversary. Which leads me to suggest that we need a new form of defense organization, a non-geographical but strictly criteria-based organization to defend countries that genuinely are democracies. In different contexts, both Madeleine Albright and John McCain have proposed a community or league of democracies. Neither proposal went far at the time. But the threats then were minor. Could such an organization do the job to face this new threat? I proposed already 5 years ago at an Atlantic Council event at the Munich Security Conference that we consider a cyber defense and security pact for the genuine democracies of the world. After all, Australia, Japan and Chile, all rated as free democracies by Freedom House, are just as vulnerable as NATO allies such as the United States, Germany or my own country.
It will take much hard work to create such a pact — but those who would undermine our democracies are already hard at work.