/ Published September 21, 2020
Russian Cyber Operations: Coding the Bounds of Conflict by Scott Jasper. Georgetown University Press, 2020, 214 pp.
The Stuxnet operation covertly affected Iranian nuclear ambitions while the NotPetya malware damaged Ukrainian systems and global infrastructure during the most well-known state-based cyberattacks. During the United States 2020 presidential election, the US had the same concerns as in 2016 of Russian internet troll farms attempting to manipulate public opinion. Confronting these arising problems requires understanding Russian cyber operations from strategic and technical perspectives. Fortunately, Dr. Scott Jasper examines these topics in Russian Cyber Operations, exposing the ways, means, and ends underlying Russia’s various influence and attack events. Analyzing which Russian cyberspace actions breach armed conflict evaluations based on the Tallinn Manual and international norms, the model continues building on his previous work, Strategic Cyber Deterrence. The book explores Russian cyber practices through discussing recent active operations; ways where continuing operations affect international security dynamics; and, finally, US defensive options. The selected analytic framework allows Dr. Jasper to interweave Russia’s strategic aspirations with tactical events. Each chapter highlights a case study demonstrating how the Russians applied the principle during recent operations. The work demonstrates exceptional documentation, careful research, and an appreciation for the subject matter’s complexities. Those considering the strategic implications arising from state-based cyberattacks or any aspect of international tensions should add this volume to their reference list.
Dr. Jasper applies the strategic framework throughout the work based on groups possessing the technical means to conduct an attack and then whether attacks violate either legal standards or international norms. The technical aspect investigates the means used for intrusion, evasion, and deception and touches briefly on phishing and stolen credential attacks before reverting to a generic malware description as “malicious code intended to perform an unauthorized process” (p. 14). This oversight proves unimportant later as the work focuses more specifically on legal interpretation and US strategic approaches. The legal framework uses US Code, the UN Charter, and Tallinn Manual 2.0 as written and published by the International Group of Experts to establish standards. The most used standards include violation of a state’s sovereignty, intentional wrongful acts against a state, or the breach of existing international legal obligations. Technical and legal guidelines combine across the case studies to prove that Russian actors possessed the technical means and intended to commit wrongful, damaging acts.
Launching into well-documented events, the Cyber Operations section addresses asymmetry, hybrid attacks, and information warfare with separate chapters. Each involves a state use of cyberattacks against an unprepared enemy. The asymmetry chapter documents the 2007 Bronze Soldier event—where Russian patriots used distributed denial of service against Estonia to prevent removing a World War II memorial—before discussing the 2008 Georgian invasion. In evaluating hybrid warfare, a word for which no Russian doctrinal equivalent exists, Jasper substitutes the Gerasimov doctrine, an adaptive approach advocating military interventions at all societal levels. Hybrid warfare cases feature the 2014 Crimean and Ukrainian social media manipulation as well as the target tracking tool installed on Ukrainian military Android devices. Both events are analyzed as excessive intervention and unlawful use of force. The section’s final chapter on information warfare assesses the 2016 Russian propaganda campaign and the Republican and Democratic campaign data breaches during US presidential elections. Though not violating the standard for an armed attack, the election interference events were still deemed unlawful as acts restricting the state’s freedom of choice. Each section presents an interesting case while focusing more on whether an act breaches the legal standard than how those acts are technically achieved or integrated.
Continuing the strategic approach, the book’s middle section reviews how state behavior creates reaction through discussing organizations like the Group of Seven and the UN Group of Governmental Experts (GGE) on Information Security. Jasper evaluates coordination between these groups as the primary method to establish norms and standards. The NotPetya case again demonstrates covert Russian actions as violating Ukrainian sovereignty, although the author questions whether damaging another state’s private industry rises to a force-level event. Delving deeper into NotPetya’s actions, Jasper suggests that neither Trump nor Obama’s US diplomatic actions achieved the desired effect; legally indicting known Russian hackers and enforcing sanctions both failed to reduce Russian cyber campaigns. Finally, the text suggests that the 2018 Department of Defense Cyber Strategy was designed to employ forward defense concepts to counter future Russian activity, even if many of those actions are not yet public.
The final section leans away from the analytic framework and case studies to suggest how future security strategies may offset projected Russian activity. The author first discusses how the National Institute for Standards in Technologies (NIST) Risk Management Framework (NIST 800-53) appears as one security standard for compliance options before mentioning Lockheed Martin’s cyber kill chain. The cyber kill chain describes a rough format for how attackers penetrate and escalate privilege within a system. NIST cybersecurity practices appear frequently in US federal government compliance standards, but Jasper misses a step here through not using the same international standards applied during the book’s first half. A standard chosen from either the European Union Agency for Cybersecurity (ENISA) or something associated with the UN GGE might have been more appropriate. The last two chapters continue those trends, demonstrating the Mitre Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework; potential automated defenses; and how future technical offset might change cyber implementation. The technical offset chapter investigates a 2018 intercept of Ukrainian vessels by the Russian Navy, which was interesting yet unrelated to the overall cyber topic.
Dr. Jasper starts strong, with clear examples and excellent discussion about several past cyber events, notably the Bronze Soldier in Estonia and the Georgian invasion. After the strong start, I felt the book’s latter sections moved away from the stated goal of exploring Russian cyber operations to focus on US strategic counters. After the two initial events, the only detailed attack reference was NotPetya and its Bad Rabbit predecessor. When selecting this work, I had expected detailed discussions about recent Russian cyberspace technical practices and strategic aspirations rather than a US policy debate. The book could have been immensely improved by taking a chapter or two to evaluate various players in Russian cyber or to compare known advanced persistent threats and their place as either government or military entities. Another missing feature was any comparison against multiple events either textually or graphically.
Overall, Russian Cyber Operations: Coding the Boundaries of Conflict effectively combines and categorizes several previous strategic theories under a common cover. The three sections allow the reader to review Russia’s past actions, consider how states interact, and then move forward to US strategic options. Well referenced, with many current news and scholarly article links, the book demonstrates where future Russian cyber operations might affect US policy implementation. The text does fall short of the intended goal to comprehensively discuss Russian cyber operations, but my overall impression remains positive. I would recommend this book to those working federal government strategy or international relations and less to those pursuing cybersecurity fields. At the end of the day, I did enjoy the work and will be adding Russian Cyber Operations to my own cyber policy reference list.
Dr. Mark T. Peters II, USAF, Retired
"The views expressed are those of the author(s) and do not reflect the official policy or position of the US government or the Department of Defense."