Addressing Hybrid Threats

by Gregory F. Treverton

NOTE: The views expressed here are those of the author and do not necessarily represent or reflect the views of SMA, Inc.

  • Pro-Kremlin Russian media soon labeled the Russian troops that had moved into Crimea in 2013 as “little green men,” “polite people,” or even “polite, armed men,” despite wearing unmarked military fatigues and bearing arms.
  • As fighting flared in Eastern Ukraine after 2014, Ukrainian soldiers were subjected to a barrage of spam messages on social media: “Your battalion commander has retreated. Take care of yourself,” or “You will not regain Donbas back. Further bloodshed is pointless,” or “Ukrainian soldier, it’s better to retreat alive than stay here and die.”
  • In 2015 and 2016, the U.S. Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign were all targeted by Kremlin-sponsored cyber espionage operations, CozyBear and FancyBear, linked to Russian intelligence. The documents and information stolen from these networks were then shared via a persona and website created by the Russian government, Guccifer 2.0 and DCLeaks.com, and later via Wikileaks and mainstream media outlets.
  • In May 2016, a Facebook page called Heart of Texas encouraged its quarter million followers to demonstrate against an urgent cultural menace—a new library opened by a Houston mosque. “Stop Islamization of Texas,” it cried. But the other side organized as well. A Facebook page linked to the United Muslims of America said that group was planning a counter-protest for the same time and place. In fact, while the United Muslims were a real group, the Facebook page was not its doing. Both the anti- and pro- demonstrations had been organized by Russian trolls.

These are hybrid threats in the 21st century. Most of them are not strikingly new. The exception is the virtual or digital realm, which empowers new tools and lowers the entry cost of using them—think of web posts by comparison to planting articles in traditional newspapers during the Cold War. The goal of hybrid threats is to achieve outcomes without actual war, though the tools may run to threats of violence. The target is opposing societies, not combatants. Thus, the distinction between combatants and citizens, blurring for decades, breaks down almost entirely. And the tactic is the simultaneous employment of the range of possible instruments, from threats of war to propaganda and everything in between.

The focus of attention is Russian hybrid threats and operations, for good reason: it has been the most active and most brazen. An analysis by the German Marshall Fund’s Alliance for Securing Democracy found that the Russian government has used cyberattacks, disinformation, and financial influence campaigns to meddle in the internal affairs of at least 27 European and North American countries since 2004. To be sure, other countries have not been strangers to hybrid threats, and those uses are discussed here as well.

The range of hybrid tools is wide, as illustrated by the two cases of Russia’s intervention in Ukraine and the operations in the 2016 U.S. elections. This table lays out the range:

Tool Salient Points
Propaganda Enabled and made cheaper by social media, also targeted at home
Fake news “Lisa” was portrayed as a Russian-German raped by migrants
Strategic leaks Macron emails leaked 48 hours before the election
Funding organizations China opened Chinese think-tank in Washington
Political parties Russia supports sympathetic European parties on right and left
Organized protest movements Russian trolls organized both pro- and anti- protests in Houston mosque case
Cyber tools: Espionage, Attack, Manipulation New tool in arsenal: espionage is old tactic with new, cyber means. Attack has targeted critical infrastructure, notably in Estonia in 2007. Manipulation is next frontier, changing information without the holders know it.
Economic leverage China sought to punish South Korea for accepting U.S. anti-missile system
Proxies and unacknowledged war Hardly new, but “little green men” in Ukraine slid into actual combat
Paramilitary organizations Russian “Night Wolves” bikers intimidate civilians

Both the Ukraine and U.S. elections cases drive home the point that hybrid attackers did not create the vulnerabilities they exploited. Ukraine’s political and economic circumstances made it extremely vulnerable to Russian actions, and the deeply polarized American political context of 2016 was an open invitation to Russian meddling. One dimension of vulnerability is proximity and access—plain in the case of Ukraine. A second is societal and political fault-lines: again, this was most obvious in Ukraine, where almost a third of the populations was Russian-speaking. Another fault-line may be generational, with younger people far from memories of the Cold War but very close to social media. So, too, Moscow may have tried to create the warring demonstrations in Houston, but the divide it played on was real.

For Russia, hybrid threatening is its strategy. Vladimir Putin has been crystal-clear about his strategic objectives—to dominate Russia’s “near abroad” and to see Russia recognized as a major global power. Russia sees the United States and NATO as the leading challenges to its interests and security, espe­cially since 2012, but knows it would lose any major military confrontation. So, too, it cannot win an economic competition; its Eurasian Economic Union is hardly likely to be a pole of attraction. As a result, Russia seeks to create confusion, chaos, and uncertainty among the institutions of its adversaries. It will work to have people, especially inside Russia, look to the west and say “see the West, they are just as corrupt and just inept as you think Russia is. Yet, look at us, we held our ground in Syria, we took back the Crimea our rightful territory, we protect ethnic Russians in Belarus and the Ukraine.”

For other nations engaging in hybrid threats, the goals are less clear, and probably more opportunistic. For China, the aims are to distract from, say, its actions in the South China Sea. It has concentrated on cyber tools, pursuing some combination of espionage, signaling capabilities, or preparing to add cyber friction in the event of conflict. For instance, Chinese allegedly conducted crippling distributed denial of service (DDoS) attacks against Filipino government networks after the International Court of Justice in The Hague rejected China’s historical territorial claims. For other nations, like Saudi Arabia and the emirates feuding in the Gulf, hybrid threats are a relatively low cost, low risk way to signal capabilities or embarrass opponents.

In thinking about the future, the virtual realm has dramatically lowered the cost of propaganda, and cyber operations are also relatively cheap. Those attributes will make the tools all the more attractive to Russia as its economy declines, and they will also tempt other nations. Advancing technology will surely open new opportunities for hybrid threateners. For instance, the planted posts, tweets, and bots so far have been almost entirely text. But that will change: technology, especially Artificial Intelligence, is making it easier to fake someone speaking. This will take fake news into the realm of audio and video, which in turn will complicate the task of attributing, and responding to, fake propaganda.

At the upper level of hybrid threats, the future will see, as in Ukraine, new combinations of cyber and kinetic operation. Imagine targeted soldiers receiving a demoralizing message, like those spammed to Ukrainian soldiers. Ten minutes later, the soldiers’ compromised phones access recent contacts and send “killed in action” messages to their families. Shortly after, their families keep calling the soldiers, distracting them from duty. Another demoralizing message—“retreat and live”—is followed by the shift from cyber to kinetic action as the compromised phones reveal the soldiers’ location and they are targeted by an artillery strike.

In responding to hybrid threats, the first imperative is perhaps the Hippocratic oath: do no harm. Open societies are inherently vulnerable, yet it is imperative that they stay open. All the national good practices in preparing for, and countering, hybrid threats share a number of features:

  • They are “whole of government,” indeed “whole of society.”
  • Their starting point is an assessment of national vulnerabilities—not necessarily an easy task given the political sensitivities that may be involved in examining, say, ethnic or linguistic divides.
  • They pay special attention to, especially, the cyber realm. Hybrid threats is a very good one among several reasons to be more serious about cyber defenses
  • They are creative in reaching out to the private sector. That is imperative in the cyber realm, where infrastructure assets to be protected are in private hands. But Estonia’s Cyber Defence Unit, part of the larger, and volunteer Estonian Defence League is suggestive of the possibilities, as is the help that private sector analysts provided in the U.S. elections case.
  • They depend on shared situational awareness. In some countries, that has required changing laws to give intelligence services somewhat more authority to collect information, both inside and outside the country.

The three watchwords in defending against the weaponized information of hybrid threats are awareness, metrics, and responses. The western nations had been focused on technical threats in cyberspace. As a result, the propaganda dimension of the Russian intervention in the U.S. elections in 2016 came as a sur­prise, even though it shouldn’t have. A group of outside analysts tracking the online dimensions of the jihadists and the Syrian civil war came upon interesting anomalies, as early as 2014, and made the con­nection to Russia. Now, the western nations are aware of the threat, as France demonstrated in its own elections by quickly identifying Russian meddling, and even mounting a kind of counter-attack in social media.

Second, it is important to respond quickly to particular information operations, once discovered, both to minimize their impact and to deter other states or groups that might want to emulate the attack. To be sure, chasing every false fact is impossible, but the Macron campaign in France illustrates the value of countering fake news as fast as possible.

Practitioners and researchers emphasize a number of points in thinking about how to respond:

  • Again, respond with the whole of government—and beyond. Preparing for hybrid threats cannot be left to the defense ministry alone. For all the limits on what governments can—and should—do, the history of the American radios broadcasting into the Communist countries during the Cold War is worth mining. In retrospect it was more successful than its operators thought at the time.
  • Be skeptical of metrics. For all the concern, thus far Russia operations in Europe seem to have had most effect on those who were already sympathetic to Moscow.
  • Be careful about targets. It is worth noting, for instance, that the first target of Russian operations is the Russian people.
  • Play on strength. Time and again, the same point arises: a great strength of the western democracies is their free presses. That argues against mimicking adversaries by circulating fake news or undermining the credibility of quality journalism.
  • Recognize the contest is a long one. The distinction between peace and war is indeed blurred. There are likely to be neither unconditional surrenders nor unqualified victories.
  • Work with target countries. This might focus on building transparency and fighting corruption, and on internal security reform and defense institution-building. Here, there is considerable post-Cold war experience on which to draw.
  • The Russians are coming. The U.S. case makes plain that the Russians have both will and capacity to intervene in other nations’ elections.
  • Thus, pay close attention to early warning. The FBI, apparently, warned the DNC in the fall of 2015 of potential hacks into its information systems. It did not, however, make clear that it suspected those were Russian-government sponsored operations. By contrast, and no doubt partly because of the U.S. case, the Macron campaign in France was attentive to hacking and cyber security at least from December 2016, the first round of the election.
  • Tighten links across the public-private divide. This is a great challenge of the cyber realm in any case. It is easier with regard to elections to the extent that elections plainly are a public good and a government
  • Likewise, pay close attention to the infrastructure of elections. The decentralization of election machinery in the United States was probably an operational advantage (if a forensic liability), for it complicated the attackers’ challenge. In any case, the danger of being hacked is increased the more voting is virtual (and the less there are ways to check results after the fact in the way that paper ballots did).
  • In the end, though, the Russians aren’t ten feet tall. For instance, in early 2017 when Russia made allegations of rapes in the Baltic by NATO soldiers, Germans to boot, Lithuania was ready. Its parliament immediately dismissed the story as spurious. And the Macron campaign’s “counter-offensive” at least demonstrates that those attacked have options.
Published on June 4, 2018 by

Dick Eassom, CF APMP Fellow