Could Putin Wage Cyberwar Without Using Cyber Weapons?
Recently the President warned business leaders that Russia has “a very sophisticated cyber capability” and “may be planning a cyberattack against us.” I agree, but I also think any such cyber-attack may not necessarily be conducted via the hacking/malware weaponry with which many people have become familiar.
As counterintuitive as it may sound, I believe we’ll find that cyberwar really can be waged without directly using cyber weaponry. Allow me to explain how I came to that conclusion, and decide for yourself if you agree.
One of the biggest surprises of the Ukraine conflict to date is the relative dearth of cyberwarfare. Explanations abound (see e.g., here), but experts continue to warn that Russia may “still [be] weighing its options carefully, and is simply waiting for the right time to respond.”
For example, in a news report, Zhanna Malekos Smith, an expert with the Center for Strategic & International Studies – CSIS (and former Ruben Everett Cyber Scholar here at Duke Law), provides this analysis:
Russia might be keeping its more aggressive cyberweapons in reserve, says Malekos Smith. If the ground war stalls and financial sanctions bite, Russia could increase cyberattacks, she says. It could ramp up its assault on Ukraine and target Western nations to inflict on them the same kind of chaos wrought by sanctions, for example by targeting companies and financial markets, she says.
That assessment makes sense. I would also suggest the Russians might be realizing that the “conventional” hack-based cyber assaults are more difficult to accomplish in the current environment than expected.
In my view it is entirely plausible that the cyber defenses of the U.S., NATO, and the Ukraine are stronger than what might have been anticipated by Russian cyber operators. This stength is amplified by the fact that so many nations are united to oppose Russia in every way possible. That global opposition likely includes some important collaborations that help to counter malevolent Russian cyber activity.
Of course, this is no reason for complacency. Among other things, there are the potential dangers resulting from massive Solar Wind hack which penetrated thousands of U.S. Government and private sector computers. Although the aim seems to have been mainly to extract data, it also might have been to leave behind digital “logic bombs”, which some believe could be operationalized with devastating effects.
Beyond “conventional” hacking, Russia may also have other, more unconventional means of attacking cyberspace. Consider this pair of illustrative possibilities: 1) cutting submarine cables and/or 2) employing a destructive electromagnetic pulse. The end result of such effects-based operations would be much the same as a more conventional cyber attack: the loss of cyber capability that modern societies and their militaries depend upon.
Let’s unpack these threats.
Cutting submarine cables
It isn’t popularly understood, but “it is estimated that upwards of 95 percent of intercontinental Internet traffic is carried over [submarine] cables” laying across the ocean floor. Furthermore, the “cables are not hard to find, with their locations being open to the public as global shipping networks have to be aware of their locations.”
What would happen if they were cut? Lots.
For starters, there might be an interruption of the “$10 trillion worth of daily financial transactions dependent on [the cables].” Some predict an even grimmer result. In a 2019 article entitled, “Forget Nuclear Weapons, Cutting Undersea Cables Could Decisively End a War,” Steven Weintz says “[o]ur modern economy could collapse.” He adds:
If…you wish to practice hybrid warfare—disruption and degradation with little overt engagement—then the ability to cut submarine cables at will and at depth gives you a very powerful weapon. Cut up undersea hydrophone networks and you deafen your adversary. Cut Internet cables and you have the ultimate denial-of-service cyber weapon. (Emphasis added).
Notably, there are “150-200 subsea cable faults each year” because of accidents and earthquakes, but a deliberate and calibrated attack could cause serious damage. A June 2021 CSIS report explains how that could be:
There are several conceivable objectives severing a cable might achieve: cutting off military or government communications in the early stages of a conflict, eliminating internet access for a targeted population, sabotaging an economic competitor, or causing economic disruption for geopolitical purposes. Actors could also pursue several or all of these objectives simultaneously.
Russia has authentic capabilities. CSIS outlines Russia’s submarines and surface ships specifically equipped for cable-cutting. Despite a key submarine (the Losharik) being damaged in a fire, significant options remain:
While the Losharik is being repaired, the Russian Navy has other such submarines and is developing unmanned undersea drones, such as the nuclear-powered Poseidon. As for surface ships, the most famous is the Yantar, which is ostensibly a research vessel but is understood to act as a spy ship that could deploy underwater submersibles to attack and destroy sections of cables.
These submersibles are important because they can hold at-risk cables in very deep water. Accordingly, experts say “Russian activity often clusters around crucial, yet hard-to-reach cables because these are difficult to repair.”
Yet some experts downplay the risks. A 2020 National Interest article contends that a “massive cable attack is probably an over-hyped scenario, at least for a country with as many redundant cables as the United States.” Nevertheless, it concedes that “a more targeted attack against selected cables could cause significant disruptions.”
Nations around the globe are clearly concerned about Russia’s cable-cutting capability. In January of this year the Independent (UK) reported:
The head of the UK’s armed forces has warned that Russian submarine activity is threatening underwater cables that are crucial to communication systems around the world.
Admiral Sir Tony Radakin said undersea cables that transmit internet data are “the world’s real information system”, and added that any attempt to damage them could be considered an “act of war”.
Still, how worried should the world be that Russia might engage in this kind of “cyberwar”? Some experts think it is “unlikely that Russia would go down this route” of widespread cable-cutting. Hopefully they are right, but consider that earlier this month, the Yantar––the sophisticated Russian spy ship with cable-cutting capabilities noted above––left its Arctic base and its mission is unknown.
Electromagnetic pulse (EMP)
Another perhaps even more disturbing threat is that posed by the possible use of a destructive electromagnetic pulse (EMP). An EMP could render useless many of the electronics cyber activity depends upon.
True, EMPs can occur naturally (e.g., via solar flares), but they can also be human-generated through a nuclear detonation, or via non-nuclear technology. These human-generated EMPs, especially when produced by a nuclear weapon, can be much worse than naturally occurring EMPs.
How is it that EMPs are so dangerous? The Congressional Research Service describes the EMP phenomena as an “an instantaneous, intense energy field that can overload or disrupt at a distance numerous electrical systems and high technology microcircuits, which are especially sensitive to power surges.”
Some experts think an EMP attack against the United States “could blackout the national electric grid and other life-sustaining critical infrastructures for over a year—killing 9 of 10 Americans by starvation and societal collapse.” Still, there is debate about how serious the EMP threat is (see e.g., here and here).
And, yes, fortunately there are ways to mitigate the risks of an EMP (even at home––see here and here), but much more needs to be done to limit the U.S.’s vulnerability. And that vulnerability exists: a March 24th article referenced a 2014 Congressional hearing and made this sobering assessment:
While this [EMP] doomsday scenario has been depicted in books and movies, widespread preparation for a nuclear EMP is sorely lacking. Even the US government acknowledges this in various unclassified reports.
1) Nuclear EMP
As noted above, detonating a nuclear weapon can produce an EMP devastating to electronics, and do so without necessarily causing the kind of destruction to buildings and other objects one normally associates with nuclear explosions. Moreover, humans are generally not harmed by an EMP.
Why? To generate a damaging pulse, it is not necessary to have a surface blast that kills and destroys; in fact, a high-altitude detonation that doesn’t do so is actually more effective for EMP purposes.
Dr. Peter Pry, the Executive Director of the EMP Task Force on National and Homeland Security, explained in a 2021 report, Russia: EMP Threat, that:
Any nuclear weapon detonated in outer space, 30 kilometers or higher, will generate a high-altitude electromagnetic pulse (HEMP). No blast, thermal, fallout or effects other than HEMP are experienced in the atmosphere and on the ground. A nuclear detonation at 30 kilometers altitude will generate a HEMP field with a radius on the ground of 600 kilometers, damaging all kinds of electronics, blacking-out electric grids and collapsing other life-sustaining critical infrastructures. Detonated at 400 kilometers altitude, the radius of the HEMP field will be about 2,200 kilometers, large enough to cover most of North America. (Emphasis added.)
Would Russia risk the unpredictable consequences of the use of a nuclear weapon? In a March 21st report, the Congressional Research Service (CRS) discussed a June 2020 Russian Federation nuclear weapons policy document:
This document does not call for the preemptive use of nuclear weapons during conventional conflicts. But it does not completely resolve the question of whether Russia would escalate to nuclear use if it were losing a conventional war. It notes that, “in the event of a military conflict, this Policy provides for the prevention of an escalation of military actions and their termination on conditions that are acceptable for the Russian Federation and/or its allies.” (Emphasis added.)
On March 26th, Dmitry Medvedev, the former Russian president and deputy chairman of Russia’s security council, was reported as describing the circumstances where Russia would consider using nuclear weapons. They included a situation where “an act of aggression is committed against Russia and its allies, which jeopardized the existence of the country itself, even without the use of nuclear weapons, that is, with the use of conventional weapons.”
Obviously, it is hard to know exactly what circumstance Russia would consider as “jeopardiz[ing] the existence of the country.” Could sanctions be a trigger? The Kremlin has said the U.S. “definitely has declared economic war against Russia and is waging this war.” Writing in War on the Rocks, two experts warned:
Putin has declared the sanctions “akin to a declaration of war.” No nuclear armed power has ever faced the possibility of regime collapse due to economic pressure. It is conceivable that the Russia regime might consider nuclear use if economic pressure were significant enough to threaten its existence.
Furthermore, does Putin consider his own political survival on par with the continued existence of the Russian state? If so, President Biden’s gaffe suggesting “regime change” in Russia is concerning (even though repeatedly “walked back” by U.S. government officials).
Personally, I think any use of nuclear weapons is very unlikely. If the Russians were, however, to use them as an EMP weapon, they might detonate a smaller, tactical nuclear weapon––perhaps over the high seas––understanding its effect would be limited to a smaller area, but also believing it would be strategically effective.
Why? Though electronics would be rendered inoperable in a given region––perhaps a major coastal city––the absence of immediate deaths, injuries, or destruction of buildings and other objects could complicate the response of the U.S. and/or NATO. Would the Western allies counter with their own nuclear weapons where the only effect of the Russian use was an EMP? If the EMP producing device was exploded over the high seas, and not the territory of the U.S. or a NATO member?
The Russians might think, for example, that they could use a low-yield tactical nuclear device to generate an EMP effect in order to wage cyberwar against the U.S. or a NATO ally, and do so without triggering a strategic nuclear response. However, they should recall, as the Washington Post reported recently, that in 2017 Air Force Gen. John E. Hyten warned “if somebody employs what is a nonstrategic or tactical nuclear weapon, the United States will respond strategically, not tactically, because they have now crossed a line.”
As I say, I think it is very unlikely that the Russians would “cross the line” as I believe deterrence will hold. To be clear, however, any use of nuclear weapons, tactical or otherwise, would have terrible consequences not just in the near-term, but also for long-term, nuclear non-proliferation efforts.
2) Non-nuclear EMP
Many countries are around the world are developing high-powered microwave weapons which, although not nuclear devices, are designed to produce EMPs. These directed-energy weapons, also called e-bombs, emit large pulses of microwaves to destroy electronics on missiles, to stop cars, to detonate explosives remotely, and to down swarms of drones. Despite these EMP weapons being nonlethal in the sense that there’s no bang or blast wave, an enemy may be unable to distinguish their effects from those of nuclear weapons. (Emphasis added.)
In a Forbes article from February, the author discussed Russia’s Iskander missile and argued:
[I]in some ways the most significant warhead option is the EMP warhead, which has been mentioned repeatedly in descriptions of the Iskander but with no details given. This is a non-nuclear warhead that generates an intense pulse of broadband electromagnetic energy, destroying electronics but causing no other damage in the target area. Such “E-bombs” have long been discussed but never used in action. A Pentagon report from 2003 suggests that one could knock out phones, computers, cars and everything else that relies on electronics in an area of several square miles. (Note the “Pentagon report” is actually from the State of Washington.)
The way ahead?
It is impossible to know what Vladimir Putin may be planning at this point, but recall that he issued this threat:
“Whoever tries to interfere with us, and even more so to create threats to our country, to our people, should know that Russia’s response will be immediate and will lead you to such consequences as you have never experienced in your history.”
Unfortunately, we must assume that all options are on the table as far as he is concerned and conduct ourselves accordingly. That means preparing for unconventional approaches to “cyberwar,” such as the examples this essay describes (but still not forgetting about the potential of the more familiar “conventional” malware-centered means).
We also need to appreciate that as horrified as we, in the West, are about the war in the Ukraine, Russians seem to see it differently (although they are apparently blocked from seeing media showing the destruction). In a March 29th New Yorker article, Joshua Yaffa points out:
In one survey, sixty-five per cent of respondents approved of Russia’s actions in Ukraine; in another, the figure was seventy-one. But one thing seems clear: the war, at least as sold and narrated to the Russian people, appears to be decently popular. Even independent polls show approval well above fifty per cent.
Add to this the conclusions of two scholars writing in The Conversation:
Not all Russians support the war in Ukraine and the government that dragged them into it. But all Russians are suffering from the sanctions and the crisis. Their common suffering is a dangerous thing: It is all too familiar; it makes them angry, and some are eager to strike back.
Furthermore, Russia may think a limited cyberwar is already ongoing and that they can “strike back” in the cyber realm without initiating an all-out war with the U.S.
Consider this: In reporting about U.S. cyber operations allegedly underway, the New York Times indicated that the U.S. doesn’t consider cyber disruptions as “acts of war,” and further suggested an American view that even permanent cyber disablements were not, at this point anyway, necessarily a definitive casus belli (but “more problematic”).
Specifically, the Times said:
All of this is new territory when it comes to the question of whether the United States is a “co-combatant.” By the American interpretation of the laws of cyberconflict, the United States can temporarily interrupt Russian capability without conducting an act of war; permanent disablement is more problematic.
The danger here is that both the U.S. and Russia might misinterpret each other’s cyber warfighting, with the result being unintended but catastrophic escalation. While this is a strong incentive to develop more robust and mutually accepted cyber norms, that cannot happen in the near-term.
Accordingly, the best course of action now is for the U.S. and NATO to robustly support the peace effort, even if it is uncomfortable to do so. The U.S. and other nations, for example, have had differences with Turkey, the nation currently hosting the peace negotiations, but it is uniquely situated to play a productive role.
For his part, Ukrainian President Volodymyr Zelensky says his nation is prepared to discuss key issues: “Security guarantees and neutrality, non-nuclear status of our state. We are ready to go for it.” The U.S. and NATO need to support his negotiating position as strongly as they can and, in particular, avoid rhetoric which could inflame the situation and make a settlement more distant.
No one should underestimate the challenges of negotiating a peace. In an excellent War on the Rocks article yesterday, Dr. Tom Hill, executive director of the Center for Peace Diplomacy, outlines the difficult work to come.
Hill concedes the “history of peace negotiations shows that the path to a stable peace agreement is often paved with failed talks that teach the parties what is fantasy, what is reality, and where the real bridges between them might lie.” He adds:
Much like confrontations on the battlefield, talks are relational and a learning process for the participants. Support for and participation in talks should be embraced, even when prospects seem poor, because the belligerents and the many great-power stakeholders are going to need to learn how to end this war.
Many dangers remain. Despite the failures of the Russian military in the Ukraine—not to mention the paucity of cyber successes in the conflict so far––it is a grave mistake to underestimate Russian power, as well as their ability to adapt. Reports are emerging, for example, about alleged Russian hacks of satellites, so we need to be prepared to resiliently respond to a wide range of cyber threats.
In any event, David Ignatius soberly observes:
Putin’s military failures have been exhilarating to watch. The bad guy seems to be losing. But we shouldn’t kid ourselves. Putin’s menace increases at home and abroad as he is cornered.
Consequently, it is imperative that we find a way to peace even if it is imperfect. So long as it can be reconciled with the core interests of the Ukrainian people who have suffered so much, as well as our own fundamental principles, we can hope to honorably avoid more carnage.
Finally, it can be hard to think of something as seemingly as recent as the emergence of cyberwar as already having “conventional” and “unconventional” dimensions, but history shows that military challenges can spur technological innovation that can create new capabilities. In fact, the internet itself is a “war baby“ in that it began as a military project aimed at ensuring communications during war.
However, innovation can, in turn, lead to surprise…and surprise in war can be catastrophic for the side that suffers it. Many have come to think of cyberwar almost exclusively in terms hacks, data thefts, and various kinds of malware, but our dependence on cyber capabilities can still be upended in unexpected ways by an adversary who thinks outside the proverbial box.
In a superb essay, Surprise and Shock in Warfare: An Enduring Challenge, a trio of scholars point out that an “increasingly technological future battlefield…appears to present more opportunities to both achieve surprise and to be surprised.” Accordingly, “avoiding surprise requires constant mental vigilance [and this] echoes earlier Roman and Byzantine military guidance, namely that a general should never have to say, ‘I did not expect it.’”
So, yes, we need to expect (and prepare for) adversaries who may lack our prowess in “conventional” cyber operations yet who are shrewd enough to sufficiently adapt to figure out way to wage cyberwar, even without relying on cyber weaponry. As the ancient Chinese philosopher Lao Tzu warned: “There is no greater danger than underestimating your opponent.”
Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!