The Center for European Policy Analysis (CEPA) recently published a 38-page study, Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities by two esteemed researchers, Irina Borogan and Andrei Soldatov. The opening premise is that Russia has not demonstrated its cyber warfare adroitness in support of its invasion of Ukraine. Whether the Russians tried, and their efforts failed due to the capabilities of Ukraine’s cyber defenders or because leadership meddling disrupted the execution strategies of the professional cyber warriors, hasn’t yet been revealed. What is evident is that the Ukraine example has called into question the Russian playbook being technologically focused and suggests that the political quotient is much more in play than perhaps previously suggested.
The authors take the reader through a tour de force on the history of cyber operations, outlining the roles played by the “Key Russian cyber actors” which included, the Federal Security Service (FSB), 16th Director of the FSB—Center for Intelligence in Communications (FAPSI), Foreign Intelligence Service (SVR), Military Intelligence Service (GRU), Presidential Administration/Security Council, and the Russian cybersecurity companies. They continue how Russian collaboration and coordination in offensive cyber operations is best described as “remarkably fluid and informal.” Providing an informal definition of the playbook being exhibited, though it is likely not etched in pencil, let alone granite. The four identified system of cyber operations per the authors include:
For those lacking a firm grounding in the evolution of Russian cyber operations, the report walks you through exemplars from 1991 through 2016 when the involvement of Russia in influencing and affecting elections in the West was laid bare, and the year ended with an internal dustup and arrests within the FSB and Russian private sector of personnel involved and believed to have let the cat out of the proverbial bag to the West, specifically the United States. The walk through Russian cyber operations continues from 2017 to 2022 and includes the creation, within Russia, of the National Computer Emergency Response Team (CERT).
Of particular note, especially given the current exodus of cyber talent from Russia by those who are voting with their feet in response to Russia’s invasion of Ukraine and the resulting embargos and crippling sanctions, is the manner in which Russia has historically addressed its cyber and information operations personnel pipeline.
As in the West, a finite number of individuals are available to fill an ever-increasing number of cybersecurity or cyber operations roles. The report suggests the personnel shortage is not an issue in Russia (pre-Ukraine invasion).
In 2015 the Ministry of Defense set up the ARSIB (Association of CISOs) as a means to raise the collective tide within the Russian cybersecurity world. The ARSIB hosts the CTF competitions at universities and also hosts multiday hackathons. The country’s polytechnic schools historically are given resources to produce talent and the recruitment of personnel both within the ethical cyber community, as well as the resident criminal cyber community is a natural segue, snapping up the talent from the academic pipeline. The authors posit that today, the Kremlin is much like the Soviet era in the manner in which acquiring talent is concerned, with the creation of education pipelines, to “make sure that enough talent and resources are available for Russia’s cyber operations on a global scale.”
One of the recommendations made by the authors which should absolutely resonate with every CISO who has hired personnel who have recently emigrated from Russia is to provide them training opportunities that touch on ethics and the rule of law.
Russia’s strength comes from its creation of cadres of personnel to fill their pipeline, that is until such time as the flow of trained personnel to the West causes shortages of personnel.
In closing the report draws four conclusions:
Copyright © 2022 IDG Communications, Inc.
Copyright © 2022 IDG Communications, Inc.