Overcoming the damage of disinformation
Since 2014 Russian malicious activities against foreign targets in cyberspace, such as espionage and hacking, have been expanded to include political and electoral interference operations. It is clear that there is still much to be done to protect the West and its societies from these actions.
“Russian despotism not only counts ideas and sentiments for nothing but remakes facts; it wages war on evidence and triumphs in the battle” – Astolphe-Louis-Léonor Marquis de Custine.
It seems that not much has changed since Astolphe-Louis-Léonor Marquis de Custine, an illustrious French aristocrat, made this observation during a three-month tour of tsarist Russia nearly 180 years ago. Just as in 1839, in the last two or three years the Russian state seems to employ the tactics of deception, distortion and manipulation of information to gain political advantage. What has changed, however, is the technology
January 2, 2019 - Przemysław Roguski
Hot Topics, Issue 1 2019, Magazine
Photo: (CC) http://en.putin.kremlin.ru/2014-04
Cyberspace, characterised by its ubiquity and anonymity, allows malicious actors to influence not only the public discourse within their own country but to operate outside of its borders and remain undetected.
Maybe the boldest operation of this kind was launched in 2016 with the aim of influencing the outcome of the American presidential election in favour of Donald Trump. This information operation included hacking of the Democratic National Committee’s servers, releasing information unfavourable to Hillary Clinton via proxies, buying targeted ads on social media platforms and operating an army of trolls with the aim of amplifying pro-Trump and anti-Clinton messages. Thanks to recent investigations, intelligence reports and indictments of several Russian operatives, we now have a better picture of the scale and tactics of Russian operations.
Roots of the conflict
If we were to trace the roots of the current conflict, we could perhaps start in the late 1990s when the United States and Russia started to realise the technological, economic, political and military potential of cyberspace. Back then, the US was unquestionably the technological hegemon of the world. The US military invented the precursor of the internet in the 1960s, and in the 1990s, when the internet went global, American tech companies were the dominant force behind its development and expansion. The governance of the internet, including the setting of technical standards and maintenance of the central internet address system, was not (and still is not) controlled by an international body, but by a consortium of mostly American technology companies and universities as well as private corporations under American law.
Even more importantly, American hegemony extended to the realm of information. Due to the borderless nature of the internet, any society with access to the global computer network was increasingly confronted with American news, movies, music and other expressions of American and western culture. Not every country was happy about this growing western cultural influence. China started developing a filtering system – labelled the Great Firewall of China – with the aim of creating its own cyberspace and limiting access to unwanted content. Russia did not immediately take such drastic steps, but official documents from the late 1990s show that its leaders were not too happy about American technological and cultural dominance.
Already in September 2000, in a document called the Information Security Doctrine of the Russian Federation, Russia formulated the aim of protecting its national interest in the “information sphere”. Contrary to the American approach, which viewed cyberspace mainly from a technical perspective, the Russians regarded cyberspace as the backbone of an information sphere; a much wider concept which regards the sphere as a “system-forming factor of societal life [which] actively influences the state of the political, economic, defence and other components of Russian Federation security”. While the West regarded information in terms of its value for human rights (freedom of speech) and democracy (the free flow of information in the marketplace of ideas), the Russian government perceived information as a means of influencing internal affairs and therefore as a threat to the cultural rights of its citizens and to its national interest.
Information as a weapon
The Russian Military Doctrine of 2010 names information warfare as a characteristic element of modern conflict, while the National Security Strategy of 2015 diagnoses rising tensions between states in the global information sphere which are caused by the desire of certain states to use the internet to achieve geopolitical gains through the manipulation of public consciousness and the falsification of history. In view of such threats, the achievement of cultural sovereignty and the protection of Russian society from destructive information became the highest priority. Feeling threatened by American technological and informational dominance, Russia decided to fight back using the same weapon it accused the US of employing against it – information.
During this period, three factors played into Russia’s hands. First, Russia was catching up with the US in terms of internet technology and was taking the lead in the realm of information control and manipulation. During the riots in Estonia in 2007 and the war with Georgia in 2008, Russian hackers demonstrated the vulnerabilities of internet-reliant societies and poorly-secured government websites to cyberattacks and outside manipulation. Since then, the Russian state has invested heavily in the development of cyber capabilities, both for espionage and offensive purposes. Second, the rise of social media broke the monopoly on information held by traditional media and made it possible to disseminate false information to a large audience at a very low cost. Techniques for information manipulation were first employed internally on Russian websites and social media networks where employees of the so-called Internet Research Agency and associated companies posted false messages under fake aliases to drum up support for the government and discredit critics. Third, since the US government did not share the view that information may be used as a weapon, neither it nor US technology companies were prepared to detect and counter disinformation campaigns launched from outside the US.
Since 2014 Russian malicious activities against foreign targets in cyberspace, such as espionage and hacking, have been expanded to include political and electoral interference operations, first mainly in Ukraine, later in the EU and the US. These operations, known as “Project Lakhta,” were co-ordinated and partly financed by Yevgeniy Prigozhin, a Russian oligarch and close ally of Vladimir Putin. The project’s stated aim was to conduct “information warfare against the United States” and for this it was equipped with a substantial budget. In 2016 it amounted to 720 million roubles (approx. 10 million euro) and included expenses such as setting up proxy servers, registration of domain names, advertisement on Facebook and Instagram and money for individual bloggers and activists.
The tactics employed were simple, yet effective. Between 2016 and 2018 Russian-controlled trolls and bots used social media and other internet platforms to introduce and amplify extreme messages on both sides of the political divide in western countries, relating to immigration, gun control, LGBT issues, the Confederate flag and the Women’s March. Their main targets were radical groups and internet users dissatisfied with the social and economic situation and who were susceptible to content aggravating the conflict between minorities and other social groups. Operatives were instructed to use messages and language tailored to the preferences of certain groups (e.g. liberals, sexual minorities) and to use pictures and infographics over long written texts. Liberals were mostly active at night, while conservatives checked social media more often in the morning, so operatives were told to adjust their posting patterns accordingly. When posting on social media, the operatives were mostly using articles taken from American websites but were instructed to amplify certain texts and give them a clear narrative.
Cozy Bear, Fancy Bear and the American presidential election
Project Lakhta’s influence operations were often flanked by espionage and hacking activities conducted by Russian intelligence agencies, most prominently the GRU, Russia’s military intelligence agency. Over the years, the agency has acquired considerable technical capabilities to conduct espionage and sabotage operations in cyberspace. Cyberattacks against the Ukrainian power grid and the NotPetya ransomware attack have both been attributed to Russia. To hide their true identities, Russian intelligence operatives posed as independent hacktivist groups calling themselves “Sofacy”, “Cozy Bear” or “Fancy Bear” (according to western intelligence services, “Cozy Bear” is run by the Foreign Intelligence Service (SVR), while the GRU stands behind “Fancy Bear”).
Within the GRU several operative units, such as Units 26165 and 74455, working from their headquarters on Komsomolskiy Prospekt and Kirova Street in Moscow, were tasked with hacking into computers of Americans, corporations, international organisations and their employees in order to obtain confidential information. The agents employed a wide-ranging array of hacking techniques from sending email messages containing malicious programmes (“spear phishing”) through creating false account authentication cookies (“minting”) to close-access cyber operations, including gaining entry to closed networks through poorly secured wi-fi routers. Victims of hacking activities included technology giants such as Google and Yahoo.
The operatives were looking especially for personal email accounts of prominent persons connected to politics and business, but also for financial information about PayPal accounts, Bitcoin wallets, etc. If financial account information had been found, the hackers would log into these accounts and use them to buy server space, domain names, VPN access and other technical means to hide the true origins of cyber activities and pretend that these activities originated from within the US. If the hackers found information which was thought to be compromising in a political smear campaign (for example, email messages), this information was often “leaked” through proxies and later amplified by the trolls and bots employed by Project Lakhta.
How Russia used hacking, espionage and influence operations on social media to achieve political goals is best seen in the context of the 2016 American presidential election. It is now established that the GRU hacked the servers of the American Democratic National Committee; GRU operatives then leased a virtual private server and registered the domain dcleaks.com through a service which anonymised the registrant, paying for it in bitcoin (presumably from a hijacked bitcoin wallet) in order to hide their identity. In June 2016 the GRU started to release emails stolen from members of the Clinton campaign on DCLeaks. The GRU also created the online persona Guccifer 2.0, giving it the identity of a Romanian hacker. On June 15th 2016 members of the GRU Unit 74455 started publishing documents stolen from the DNC on a website created and supposedly run by Guccifer 2.0.
After the stolen documents were disseminated, members of Project Lakhta would use social media personae they created and controlled to amplify their spread and produce stories and messages attacking Hillary Clinton and the DNC. Although the GRU’s activities during the presidential elections of 2016 are the best documented, it is safe to assume that Russian intelligence services used the same tactics against European targets. Russian hackers have stolen data from the servers of the German Parliament, have broken into the computers of Dutch ministries and have targeted the election campaign of Emmanuel Macron in France.
What can the West do to protect itself?
Given the aggressive behaviour of the Russian intelligence services, it is worth asking what western states can do to protect themselves and how they can best respond. From a legal perspective, the situation remains ambiguous. While breaking into computer systems and stealing data is prohibited by criminal law, posting false information is not. Moreover, once stolen data is accessible to the public, dissemination by reporters, activists and regular citizens cannot be stopped by means of law enforcement. Similarly, international law, as currently applicable to cyberspace, seems to offer little assistance. States have agreed in principle that international law is applicable in cyberspace and that egregious violations, such as the use of force through cyberspace or interventions into internal affairs, are prohibited.
Political influence operations and espionage, including the theft of emails, are well below the threshold of the use of force. Some legal scholars argue that, at least with respect to the American presidential campaign, Russian actions might have amounted to an intervention into internal affairs. According to the jurisprudence of the International Court of Justice, an intervention consists of two elements: first, it has to affect the domain réservé, that is the sphere of state activity which is not regulated by international law and protected from outside influence; second, there has to be an element of coercion against the will of the state within this protected sphere. While the political process in general – and presidential elections in particular – falls within this protected sphere of internal affairs of a state, it is questionable whether the release of stolen emails has had a coercive effect on the state in such a way that the state has felt compelled to undertake certain actions against its will. This question is currently debated within the community of international legal scholars, but it seems that even the US government (at least the current administration) does not regard the Russian cyber operations against the US presidential elections as an intervention within the meaning of international law.
Some scholars (including this author) further argue that even if the DNC hack and the subsequent release of stolen emails did not amount to an intervention, it nevertheless violated US sovereignty. Sovereignty protects the exclusive authority of a state within its borders and prohibits other states from exercising power and authority on another state’s territory. Hacking into computers located on US territory would therefore constitute the exercise of Russian state authority on US soil and violate American sovereignty. The problem is, however, that some western states, including the US and the United Kingdom, argue that currently there is no rule prohibiting the violation of a state’s territorial sovereignty in cyberspace. Such a rule would not only prohibit Russian (or Chinese) hacking activities against servers located in the US, UK and so forth, it would also prohibit the US and UK from conducting such operations themselves. Given that both the US and UK have advanced cyber capabilities and are using them against targets abroad – for instance ISIS or Iran – it seems that they would not be willing to consider these low-intensity operations as violations of international law.
Nevertheless, western intelligence and law enforcement agencies, together with their respective governments, seem to have realised that in order to convince their own populations of the threat posed by Russian intelligence operations, more transparency is needed. Furthermore, to deter Russia from conducting more operations, the West would need to show off its own capabilities. American law enforcement started to file criminal indictments against Russian companies and agents working for the GRU and Project Lakhta and involved in influence operations against the West. These indictments of Russian agents and companies serve three purposes. First, they form part of a naming and shaming approach aimed at turning worldwide public opinion against Russia and thereby exerting pressure on Russia to stop its activities in cyberspace. Second, the indicted persons are being put on sanctions lists, preventing them from travelling to western countries, using their assets and conducting financial transactions. And third, the detailed information contained in the indictments shows off the cyber capabilities of American intelligence services and is meant to function as a deterrent to Russia.
Cyber hygiene
It is clear that there is still much to be done to protect the West from Russian political influence. Apart from the UK, France, the Netherlands and maybe Germany, it remains unclear whether other EU states have the technical capabilities to detect and counter Russian operations. The EU itself, while it has set up programmes to counter disinformation, could do much more to actively protect European citizens against fake news and political influence. One of the key ways to successfully counter political influence operations lies with technology companies and social media. Facebook and Twitter have been much too late to admit the methods by which their platforms have been used and abused to influence political opinion in America and Europe. It seems quite evident that self-regulation does not go far enough to prevent social media services from being abused by troll farms and bots.
In the end, however, it is the responsibility of every citizen to employ basic “cyber hygiene” to prevent the spread of false information and to protect the free exchange of ideas as a prerequisite of the democratic process. We can do this by being cautious about dubious websites citing unverified facts, by encouraging civility and good manners on social media, by blocking and reporting bots and trolls, and by treating political opponents not as enemies, but as people with whom we may disagree, but who have the same right to participate in the democratic process as we do.
If we believe conspiracy theories, shady blogs and websites with sensationalist titles rather than reputable media who verify their sources, we only have ourselves to blame for the state of our democracy and public discourse. After all, you would not click on a link sent to you in an e-mail by some Nigerian prince promising you millions of dollars in return for clicking. Or would you?
Przemysław Roguski is an international lawyer based at Jagiellonian University in Kraków where he is an assistant lecturer at the department for public international law and a lecturer and coordinator for the school of German law. He is a graduate of Johannes Gutenberg-Universität Mainz and Trinity College Dublin and a German Assessor.