The Future of Russia's Cyber Power
We were in Stockholm last week speaking about Russian cyber—and here are some of the takeaways.
Global Cyber Strategies was in Stockholm last week, for several Russia-focused speaking engagements that included a presentation at MidnightSun, the largest capture-the-flag (CTF) hacker competition in Sweden. There, I spoke about the future of Russia’s cyber power and some findings from our open-source analyses. Here are some of the takeaways — from Russian strategic issues to currently open questions about the Russia-Ukraine War’s cyber and information dimensions. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
Understanding Russia’s future “cyber power” depends on many factors ranging from the Kremlin’s growing paranoia about “information war” and revolution within Russia, to continued turf wars and rivalry among the security services, to the “brain drain” of tech talent from Russia, to Ukrainian and Western cyber defenses.
Russia’s Future Cyber Power
Russian officials do not think about “cyber” in the same way as Western ones. In the West, there is a relatively clear conceptual line drawn between cyber operations — technical activities to disrupt networks, steal data, and more — and information operations — focused on the spread of human-readable content.
By contrast, Russian officials place both of these categories under the broad concept of “information security,” which encompasses technical cybersecurity, information control, regime security, “social and moral stability,” “patriotic values,” and the overall creation, dissemination, and consumption of information in an environment. As Gavin Wilde and I wrote earlier this year, there is almost “no water’s edge” to the idea. Hence, when Russian state actors think about and execute cyber operations, they (1) do so with a different framing than the West might expect and (2) often integrate or pair cyber operations with information operations, such as with hack-and-leaks.
The Russian government also draws on actors far beyond government units when conducting cyber operations. As I detailed in a 2022 report for the Atlantic Council’s Cyber Statecraft Initiative, actors in the Russian cyber web include state agencies, state-created front companies, state-hired cybercriminals, state-encouraged patriotic hackers, state-coerced technology companies and developers, and even some private military companies, among others. The state’s involvement with these different groups, which comes from different levels and parts of the Russian government, varies over time and even within each category of actor. Discussing “Russian hackers” therefore demands far more specificity about relationships with the government.
In this talk, I made many points about the future of Russia’s cyber power, including:
Russia’s tech “brain drain” has massively accelerated since February 2022 and presents an even greater problem for the Russian officials and private-sector leaders who want to build up domestic technology capacity and expand the Russian technology sector’s global reach, such as in Latin America.
It is very difficult — and likely far too soon — to draw conclusions from the Russia-Ukraine War about Russian cyber power. The same goes for drawing conclusions about the role of cyber and information operations in war generally. Analysts have put forward numerous hypotheses about the war and cyber thus far, which range from arguments that Russia lived up to cyber expectations to arguments that Russia failed miserably to arguments that we’re using the wrong metrics to evaluate Russia’s cyber “performance” altogether. There is no single, clear, definitive answer, and explanations cannot be reduced to one factor.
Don’t lose the political, geopolitical, economic, bureaucratic, and operational picture. For instance, there is a tendency in some Western analyses to assume that Russian cyber and information operations are run by a well-orchestrated, highly coordinated machine, when that is not in fact the case. Russia has no centralized cyber command, and state agencies running cyber and information operations may not coordinate (or coordinate well) with one another and have overlapping remits (i.e., target focus areas). Similarly, the challenges facing Russia’s private-sector cyber companies — a topic I closely track and regularly write about — and their economic problems have difficult-to-quantify effects on state cyber capability development, too. Thinking the Russia-Ukraine War should necessarily have cyber as a huge component, or thinking that Russia should be able to seamlessly execute cyber operations within that frame, is a considerable leap.
—
© 2023 Global Cyber Strategies LLC.