Russia knows how to spread chaos and outrage in American politics, but Russia may pose a far greater threat to the U.S. economy and the infrastructure it depends on. The president’s Council of Economic Advisers estimates that hostile cyber actions against American private industry cost the U.S. economy as much as $100 billion per year. The U.S. Treasury Department recently sanctioned a range of Russian companies and individuals for “working at the behest of the Russian Federation and its military and intelligence units to increase Russia’s offensive cyber capabilities.” What the U.S. now faces is not just an economic threat or an information warfare threat, but a direct challenge to our national security from cyber-enabled economic warfare (CEEW), a concerted effort to target the pillars of the U.S. economy to undermine Washington’s ability to defend its citizens and project power abroad.
While the U.S. must work harder to protect its political system from Russian influence operations, an emphasis on the electoral impact of cyber attacks should not obscure their significance as a form of CEEW. Russia’s 2007 attacks on Estonia may be one of the earliest cases of cyber-enabled economic warfare. One of the most alarming components of the widespread DDoS and malware attacks was the sustained assault on Estonia’s largest bank, which temporarily had to cease operation and shut down ATM access. A decade later, when Russian hackers crippled the Ukrainian electric grid, too many experts focused on how the attacks made Kiev look, while overlooking adverse economic effects that undermined Ukraine’s national security.
Cyber-enabled economic warfare is hardwired into the Russian legal system. It’s no accident that Russian law establishes the Federal Security Service (FSB)—the successor to the KGB—as the licensing authority for encryption activities. By design, the laws and regulations governing information systems, telecommunications, and encryption give the Kremlin and its security services tools to consolidate power internally and engage in aggressive activities abroad. The FSB can even require private companies to provide direct assistance to its online endeavors at home and abroad. Perhaps with this in mind, the European Union recently called on its members to ban malicious technology and telecommunications equipment and software including products from Kaspersky Lab.
When Vladimir Putin was a KGB officer in East Germany, he ran “illegal intelligence” networks, training and controlling agents deep undercover in foreign countries. Today, Russia’s intelligence agencies follow that same model. Camouflaging Russian state-backed cyber operations within private sector firms would be an efficient strategy and one consistent with Russian intelligence operations.
Aggressive cyber operations are also consistent with Russia’s strategic doctrine. In 2013, General Valery Gerasimov laid out Russia’s view that to achieve political goals, a state must leverage all elements of its power including cyber and information operations. The purpose of these tools is not just to shape the information space in Russia’s favor, but to actively degrade the response capabilities of its adversaries. Since the American economy is the foundation of our national power, it has naturally become a premier target for the Kremlin.
To inform the U.S. approach to countering Russian CEEW, the intelligence community should evaluate Russian methods and intentions more closely: To what extent is the Kremlin supporting the establishment and expansion of Russian companies for the express purpose of gaining access to the IT networks of its adversaries? What do they intend to do with that access? Is Moscow forcibly grafting information and espionage operations onto otherwise private companies? Are Russian venture capital firms’ investment strategies in Silicon Valley leading to potential influence and access to sensitive information and technology?
There are practical steps the U.S. government should be implementing in the meantime. For instance, the U.S. Computer Emergency Readiness Team within the Department of Homeland Security (DHS) should create a watch list of software companies believed to be acting on behalf of, or being used by, adversarial states in ways that pose a security risk to U.S. entities. The team already provides timely information on key security vulnerabilities and as such could host a similar watch list. DHS should also extend its ban on Kaspersky Lab software to include Kaspersky code embedded in the products of other companies.
Additionally, the intelligence community and the private sector need to form secure and trusted partnerships so that the intelligence community can collect and disseminate (with proper source protection) information about Russian or other threats to private sector companies.
Our adversaries are today using what can generously be described as coercive mercantilism as an instrument of national power. For a nation that is the leading bastion of free market economics, this threat is particularly potent. Nations like Russia and China are using and augmenting their own technological sectors at the expense of U.S. national security and economic power. By identifying the threats and taking actions to mitigate their impact – largely by plugging the holes that exist in our own system – we can better ensure that our adversaries’ efforts to undermine the United States will fail.
Boris Zilberman is deputy director of congressional relations and a Russia analyst at the Foundation for Defense of Democracies and is the author of ‘Kaspersky and Beyond: Understanding Russia’s Approach to Cyber-Enabled Economic Warfare’.