cyberwarcrime and punishment
sci-fi and reality, war and peace, airborne leaflets and a new paradigm in hybrid warfare.
2049, 28 December. 19:42:34. The robot’s arm suddenly started behaving defiantly. It positioned itself at an unsafe angle and uncooperatively executed the needle pericardial insertion. You tried to insert a catheter to drain excess fluid, but it completely ignored your intentions. The surgery is performed remotely, so you have to mobilize another surgical system to replace the current one. But the hospital’s power network is experiencing excessive electrical harmonics, leading to an abrupt power loss. You feel a rapid increase of blood flow in your face, and your hands start shaking, something you have never experienced before. It is too late for you to do anything or call anyone for help. This is the first patient in your life to die in the operating cube. The patient was a Swedish investigative journalist who, 2 months ago, exposed a foreign government’s involvement in the recent assassination of a political figure. You start wondering if those two events are related...
2015, 23 December. 15:29:48. The charming city of Ivano-Frankivsk woke up to a sunny but very cold day. Built in the 17th century with close ties to Poland, the city is located at the foothills of the marvelous Carpathian Mountains, which everyone visits during Christmas. Today feels special: it is your last work day at PrykarpattyaOblenergo before the vacation. Working as an engineer at one of the major energy providers has allowed you to learn more about the flow of power at substations across the region, as well as the layers of defense systems for security and reliability. While trying to navigate the screen’s interface to log off, you see the mouse start glitching. Within a few seconds you are lost, staring at the phantom mouse as it clicks on the switch breaker. All attempts to address the issue fail; there is no playbook. It is surreal, and you are panicking. It is devastating to see someone manipulating the interface, disconnecting seven 110kV and twenty-three 35kV substations. You realize that just a second ago 3,000,000 people lost electricity. The only thought you have is, ‘what if someone just died because of me?’
While one is a fiction story and the other is a real-world example, what is the true difference between them?
For the past many months, I worked with a group of lawyers investigating Russia-sponsored cyberattacks on critical infrastructure. We brought the first legal case in history of cyberwar crimes to the International Criminal Court. The arguments went beyond the legal framework on how to prosecute cyberattacks as war crimes. They included a substantial amount of admissible evidence of Sandworm’s activities, as well as a consistent pattern in Russia’s military doctrine of targeted attacks in armed conflicts. Yet no accountability mechanism has been set up at the international level to deter harmful cyberattacks against civilians.
Our work was covered by Wired (“The Case for War Crimes Charges Against Russia’s Sandworm Hackers.”) and appeared on Wikipedia. Unfortunately, I can’t share any details related to novel legal issues of substantive law or any OSINT (open-source intelligence) process that was involved due to security reasons. However, the astounding amount of information made me ponder warfare at large, from the first conceptions of airborne leaflets to the major paradigm shifts of hybrid warfare.
“Information is power. Those who possess knowledge will rule the world,” said the head of my Ukrainian school during our history class trip to Munich. She said it in the context of encouraging us to pursue science. At that time I didn’t quite attend to those words, but the more I was exposed to open-source intelligence and related projects, the more I could truly appreciate what her words meant.
Indeed, every revolution in history has redefined our relationship to knowledge and warfare. The sustained process of wearing down an opponent to the point of continual losses of personnel and materiel required both armies and weapons en masse, something that industrialization and mechanization enabled. The information revolution gave rise to what we now know as hybrid warfare, including psychological terror and belligerent cyberattacks in armed conflicts.
But to understand the evolution of hybrid warfare we must go back to the first models of information warfare (IW), which were prevalent in the Soviet Union during the Cold War. The paper, “Information Matters: Informational Conflict and the New Materialism” from King’s College defines IW as “contingent upon information, rather than information technologies, as is sometimes supposed. Information warfare may certainly include information-technological practices like electronic warfare but also incorporates psychological warfare, economic information warfare, and propaganda.”
Certainly, the most popular method of IW was airborne propaganda leaflets. They were usually dropped by cluster bombs, scattering small announcements and messages all over cities. They were intended to psychologically affect civilians and alter human behavior. For instance, the US Army spread 40 million leaflets over Japan during WW2 and a billion during the Korean War. Russia used leaflet bombs during the First Chechen War in 1994 too, and for some reason pieces of those appeals to the public of Chechnya have landed in Ukraine in the last few months.
Scottish psychiatrist James Brown once tried to explain leaflets' ineffectiveness: “Propaganda is successful only when directed at those who are willing to listen, absorb the information, and if possible, act on it.” Though over time airborne leaflets lost their effectiveness due to radio and TV, the idea of intentionally misleading people and manipulating their thoughts has persevered. Today the traditional practice of leaflets has transformed into disinformation campaigns on social media and targeted cyberattacks. But there is a significant caveat.
When in 2009 Russia invaded Georgia, thirty-eight major websites of the national bank, parliament, foreign affairs, supreme court, and the president’s site went down. At the same time, Russia bombed Georgia’s telecom infrastructure and cell towers. Khatuna Mshvidobadze, who at that time held the position of Deputy Director of the NATO Information Center under Georgia’s Ministry of Defense, described her experience of the day in Andy Greenberg’s book “Sandworm”:
Mshvidobadze walked a block to a busier street nearby and found a scene of utter societal breakdown. The power outage had left the streetlights dark so that only the headlights of cars illuminated sidewalks. Drivers were frantic, ignoring all traffic laws and plowing through intersections with dead traffic signals—preventing her from even crossing the street. As she tried in vain to flag a taxi, other desperate pedestrians ran past her, some screaming in fear or crying.
Four days later, the cyberattacks would stop, on the day when Russia agreed to a cease-fire. It is quite a dystopian image of a country that is simultaneously experiencing physical and cyber attacks. Just like that, Georgia became the first country to experience hybrid warfare.
The Russian military doctrine cracked the secret code. Instead of trying to change human behavior through ineffective methods like leaflets, the state would use cyberattacks as the means to change the conditions under which human behavior would inevitably be changed by force. Deliberately disabling the electricity and communication network of an entire country means no access to credible information, heat, transportation, food, and water. Cyber means enable the state to remotely disorient the entire population of another country. This causes asymmetry in warfare, and it is quite unsettling how attacks that deny basic needs, a new kind of psychological terror, are deployed at an unprecedented scale.
Cyberwar blurs the line between war and peace as much as it blurs the line between fiction and reality at the beginning of the post. In 2014 the media represented Ukraine’s war as an armed conflict in the east, but I would argue it was a full hybrid invasion: while the eastern part of the country faced physical armed conflict, the western part experienced a series of Russia-sponsored mass cyberattacks, turning off electricity and heat during winters for millions of civilians. Even President Zelensky, in one of his interviews (19:40-22:55), attributes the start of the 2022 war in Ukraine not to the 24th of February, but to October. The interview is all in Ukrainian and there are no English subtitles, so I translated the most relevant parts here:
“We lived in a constant war that was hybrid… The pressure from cyberattacks on national banks, the Ministry, our intelligence, and legal bodies was there way before the full invasion. We knew that there was a preparation, one way or another. But neither our partners’ intelligence nor we could have known completely the scope and the volume of what we see now. It is one thing to know that tanks would come from the Belarusian side, it is another if Russia would invade Belarus. But it is completely another matter if both countries would invade. The devil is in the details. So no one knew the details completely… To be honest, I think and would attribute the invasion to October. All the messages we got and the first steps we observed — financial, economic, cyber, blocking, the deficit of gas, the decreased volumes of energy supply, etc. Though in principle it would be fairer to say it all started in 2014, I think in this context the hybrid art of attacks started this war in October.”
The modern theory of Russian warfare finds its roots in the foundational 2013 essay written by Valery Gerasimov, the Chief of the General Staff of the Russian Armed Forces and First Deputy Defence Minister. It is also referred to as Gerasimov’s Doctrine or the chaos theory. He wrote, “The rules of war changed… Frontal clashes between large groupings of troops (forces) at the strategic and operational levels are gradually becoming obsolete. Remote non-contact impact on the enemy is becoming the main way to achieve the goals of the battle and operation.” The ultimate objective is to create constant confusion within the enemy’s state through invisible terror, unrest, and conflict in order to exert control. One way to do so is to form a strong “internal opposition” in your enemy’s state. A certain pool needs to be formed to create political tension and recruit supporters who would sincerely believe in the correctness of their actions. Such tension among supporters would need to approach some kind of critical mass sufficient to create controlled chaos within the country. This is the Gerasimov Doctrine by the playbook, but who would have known that corruption can sometimes cut both ways?
The major omission of the doctrine lies in the assumption that society is a static variable. It is not. There is no doubt Ukraine has become a platform for the full implementation of the doctrine. However, in 2022 all efforts that were supposed to go to the creation of “internal opposition” faded away soon after the Russian politicians stole that money for themselves. Moreover, a thorough analysis of cyberattacks on power grids not only exposed consistent patterns of targeted attacks but also brought larger investments in cybersecurity in the country over the years. People became less vulnerable to social engineering tactics and more educated about their cyber hygiene. This drove a major behavior shift on a societal level that resisted all the attempts to create chaos. McKew in Politico wrote, “the Gerasimov Doctrine also makes it inherently fragile. Its tactics begin to fail when light is thrown onto how they work and what they aim to achieve.”
Cyber warfare is oftentimes an invisible space: you never know until it does significant damage. It is also usually hidden in the context of physical armed conflict. But the good news is that humans are really good at learning from mistakes and putting much more resilient and robust systems in place so that it never happens again. Ukraine has learned lessons from 2014, and today, despite physical war and constant cyberattacks on the railway system, trains and power grids have become much more resistant and are still operating, evacuating millions and improving infrastructure every day. In fact, the same Sandworm group attempted a blackout in April 2022 in Ukraine. This culture strongly reminds me of the analogous history of safety development in the aviation and car industries. Car seatbelts, introduced by Volvo, were set as a gold standard only after the Swedes conducted a study on road fatalities. The redesign of the rudder control system in planes was driven by investigative findings from the crashes of USAir 427, United Airlines Flight 585, and Eastwind’s Flight 517.
This inevitably makes me think about lessons to be taken away for AI safety development, which I will talk about in the next post.