Russian offensive cyber capabilities are as sophisticated as those of other major cyber powers, such as the United States and China, and they likely exceed Baltic states’ ability to defend critical infrastructures. A successful large-scale cyberattack during peace time, or prior to or in concert with a conventional attack – which could disrupt interdependent financial systems or communications or electricity networks, or affect fuel and water supplies – would likely trigger huge economic loss or even chaos. Among the most vulnerable cyber targets are internet-connected industrial control systems in critical infrastructure sectors, and the digitized health sector.
Executing such a high-end, low probability cyberattack requires substantial resources and long-term preparation – vulnerabilities must be identified with the help of cyber reconnaissance and espionage, industrial control systems must be studied, and malware must be developed or customized for specific high-end targets.
However, it is evident that cyber deterrence exists above the threshold of armed attack, but not in the gray zone between peace and war.
It might be easier in this gray zone to affect domestic politics or achieve military effects by physical rather than cyber means. When Russia annexed Crimea, its special forces took over media outlets, telecom infrastructure, TV stations and broadcasting towers. In the past, the FSB, Russia’s primary intelligence service, kidnapped an Estonian security service officer from Estonian territory with physical force. It is therefore plausible that rather than launching high-end cyberattacks against key energy plants, Russia could attempt to suspend distribution of cooling water to a Narva power plant, which provides over 90 percent of Estonia’s electricity. Some experts believe that Russia could cause power outages in this way; power outages coupled with a well-planned and timed disinformation campaign could spur social unrest in Russian-populated northeastern Estonia.
According to the 2015 Russian military doctrine, modern conflicts incorporate conventional force integrated with nonmilitary methods, and cyber offense is one of these nonmilitary tools. Russia therefore is likely to use cyberattacks and electronic warfare to weaken or destroy military targets and key critical infrastructure in the Baltic states before overt or covert military attacks. Key military targets will include NATO and Baltic command, control, communications, computer, intelligence, surveillance and reconnaissance systems, as well as support and logistic systems, and Baltic air defense radar systems. Among key civilian targets will be infrastructure and networks that the military depends on, as well as infrastructure the Baltic governments use for communication. Technical cyberattacks would be coordinated with, and supported by, a constant disinformation campaign, and targeted information and psychological operations.
However, such debilitating cyberattacks targeting military assets are much more demanding than the network-enabled cyber sabotage, espionage and subversion that are likely executed daily. Russia has used a wide range of nonmilitary tools against the Baltics for decades, such as economic pressure, military intimidation, disinformation campaigns, and financial measures.
Working with Russian-speaking criminal groups, Russian intelligence constantly probes Baltic states’ computer networks to identify potential vulnerabilities. It has recently tested technical capabilities to intrude and impair industrial control systems – such as the 2015 and 2015 attacks against Ukraine power grids – and it has allegedly planted malware within critical infrastructure belonging to the energy sector in the West – for example, the HAVEX and BlackEnergy malware discovered in the electric grid in the U.S., Europe, and Ukraine have been linked to the Russian government.
In line with its 2016 information security doctrine, Russia could implement its national interests and strategic priorities – including military and political objectives – in and through the information sphere, which Russians interpret more broadly than does the West. While the West understands cyberspace capabilities as mostly technical, the Russian understanding of the information domain also includes electronic warfare and intelligence capabilities, as well as measures such as disinformation, propaganda, psychological pressure, destabilization of society, and influence of foreign media. Russia has a well-established and generously funded Baltic information presence, including Russian government-funded TV stations, online news portals, and social media networks. The Kremlin uses both Russian and locally established NGOs, government-established NGOs, internet trolls, bloggers and other volunteers, as well as criminal groups that operate botnets to effectively spread disinformation in the region.
Russia is likely also involved in long-term cyber reconnaissance and cyber espionage in the Baltic and Nordic countries to support its influence operations. It may have gathered sensitive information against political and business leaders to compromise them and possibly leak stolen information – in some cases forged information – to the public. The aims of influence operations are to discredit Baltic governments, influence their decision-making, create tensions in the Baltic societies and cleavages between the Baltics and other EU and NATO countries, and ultimately to undermine EU and NATO enlargement.
In Germany and other European countries, Russian security services have successfully breached the parliaments’ systems and email accounts of political parties and politicians. Political leadership in the Baltic states are likely a target of Russian espionage as well, and political parties generally have less protection than government networks. In seeking to support pro-Russian candidates in national elections, Russia is likely to exploit potential issues that would cast doubt on the legitimacy of election results. For example, in Estonia it could organize a disinformation campaign to undermine trust in the internet voting system, known as e-elections.
Given the lessons of two wars in Chechnya, of cyberattacks against Estonia, Georgia, and Ukraine, and from its attempts to manipulate U.S. elections last year – as well as numerous efforts against other European countries – Russian influence operations have evolved into highly sophisticated maneuvers. In doing so, Russia engages people from top layers of society such as senior politicans and executives to the grassroots level such as internet trolls, petty cybercrime groups, marginal political activists and hacktivists, to exploit the potential for protest. For many years Russia has field-tested the close coordination between security services, criminal groups, government-funded media, and other paid and volunteer entities. Western countries, however, only possess rudimentary strategic communication capabilities in comparison.
The Baltic states have fostered their deterrence by denial against Russian government-supported groups through enhancing resilience against technical cyber operations and broader influence operations. Estonia and Latvia use civilian volunteers in cyber defense units of their national guards to help defend against cyberattacks. The volunteers aid the governments in training and finding vulnerabilities in government and critical infrastructure networks. They also serve as rapid-response teams to protect critical infrastructure.
Moreover, Estonia and Lithuania use volunteers to help assess Russian disinformation campaigns and offer advice in countering it. There are NATO Centres of Excellence in Vilnius, Riga, and Tallinn on energy, strategic communications, and cyber defense that conduct applied research and provide training in these fields. All Baltic countries have enhanced special operations and intelligence capabilities, and cooperate closely with strategic partners. They have also fostered regional cyber and energy security cooperation with the Nordic countries, the United Kingdom, Poland, and the United States.
Estonia is considered one of the most advanced countries in cybersecurity, and it plans to establish a cyber command to integrate its military cyber defense capabilities. On national cyber security, it will develop alternative solutions for key vital services and continuity of government functions, even if Estonian territory was lost, through innovative approaches. For example, the Data Embassy project, whereby crucial government data is backed up in servers located around the world to mitigate damage in the incident of a major cyberattack. It also established a Russian-language TV station to increase resistance to disinformation. It has also undertaken research into the sentiments of Russian-speakers and expanded a program to integrate them into Estonian society.
No country can prevent or defend against all sophisticated cyberattacks, even if Cyber Pearl Harbor-type of attacks remain unlikely. However, the, Baltic states have been able to harden resilience against cyber and influence operations in the grey zone between peace and war.