On the morning of January 14, 2022, in the midst of a vast massing of Russian military forces on the borders of Ukraine and the global community scrambling to avert invasion, a two-pronged cyberattack suddenly crippled scores of Ukrainian websites, injecting malware and leaving a taunting message to “be afraid and wait for the worst.”
Russia denied involvement and the sites were restored within hours, but the attack had accomplished its psychological objectives, according to retired U.S. Navy Capt. Scott Jasper, a Senior Lecturer in the Department of National Security Affairs at the Naval Postgraduate School (NPS).
“The recent dual cybersecurity incidents in Ukraine are consistent with the Russian concept of Information Confrontation,” he said. “The defacement of more than 70 websites with threatening messages was intended to create psychological effects, while the concurrent emplacement of destructive code in computers of at least two government agencies was aimed to create technical effects if Russia chooses to invade.”
This recent cyber attack is one of countless such attacks allegedly perpetrated by Russia or its proxies in recent years. Operating in the “gray zone” of legal ambiguity just below the threshold of open conflict, Russia has been able to maintain deniability - and avoid direct retribution - as it strives to sow discord and threaten critical infrastructure.
Jasper has devoted his career to taking on this unseen adversary. Since beginning his Naval career tracking Soviet submarines from the back of a P-3C Orion to becoming one of the nation’s preeminent cyber policy experts, he has sought to understand – and meet – the challenges of Russian aggression.
His most recent book, “Russian Cyber Operations: Coding the Boundaries of Conflict” (Georgetown University Press), will be published in paperback with a new preface this Spring. In it, Jasper provides a foundational analytic framework with which to effectively meet and deter these challenges. Through examining Russian cyber operations in the context of asymmetric conflict and competition, he proposes a new international strategic policy geared towards negating Russian efforts.
“This book is a must-read as the possibility for future cyber engagements with Russia grows,” retired Gen. Keith Alexander, the first commander of U.S. Cyber Command and former director of the National Security Agency, noted in the book’s forward.
“In reply to Russian cyber operations that act as aspects of conflict or components of competition, Jasper examines actual cyber campaigns and incidents to understand how Russia exploits technical means and legal regimes to evade attribution and retribution,” Alexander stated. “[...] To counter these operations that routinely and adeptly fall below the threshold of an armed attack, Jasper evaluates methods for cost imposition and argues for robust solutions for resilience to withstand attacks.”
Strategically, Jasper said, the goal of the Russian Federation is to restore its Great Power status.
It views the United States and its allies and partners as rising opposition to what it terms “an independent foreign and domestic policy.” In response, Russia seeks to weaken the West and its cyber operations provide a means to do so, notably including diminishing democracy, gaining strategic advantage and causing chaos.
“What I wanted to do is to better understand how Russia uses the explicit exploitation of technical means and legal ambiguity,” Jasper said. “I evaluate how Russia does this to avoid provoking meaningful responses that would change its behavior.”
Understanding this is critical to formulating an effective response based on the various options available.
Depending on the situation and whether the act rises to the level of armed conflict or is merely a form of competition, imposing cost or improving defenses may be the more appropriate response.
“The book looks at these two elements, whether you’re in conflict or competition, and how cyber operations in many cases stay below the level of conflict and remain a form of competition, which makes it difficult for states to respond,” Jasper said. “In many cases, they’re below the threshold for meaningful response.”
Through multiple case studies, including the 2007 cyber assault by “patriotic hackers” on Estonia, Russia’s interference in the 2016 U.S. presidential election and continued attacks on Ukraine and the U.S. energy sector, Jasper examines how Russia persistently employs cyber operations as a means to pursue its strategic goals and objectives.
Russian cyber operations continue to the present day, either ones conducted through state actors or endorsed by criminal groups in the country.
In reply to their technical complexity and legal ambiguity, Jasper argues to leverage emerging solutions for resilience to withstand attacks and continue operations.
“I am a policy person,” Jasper said. “My goal is to understand the policy dimensions. You need to understand the technical and the legal to make the policy choices in responding.”
Such understanding may prove critical as the current Ukrainian crisis unfolds.