Delude and conquer: inside the Russian messaging strategy

Cyberattacks, leaks and fake news have changed the electoral landscape. Dr Lucas Kello and Philipp von Saldern wonder if, this year, Russia will win every election in Europe.


The French television network TV5 Monde is the Francophone equivalent of CNN or BBC World News – a global, 24-hour current affairs network. It claims to be one of the three most widely available TV networks in the world. On 8 April 2015, without warning, all of TV5’s international channels went off-air.

It quickly became clear that the outage was the result of a cyberattack. Responsibility for the hack was claimed almost immediately by a group called the ‘Cyber Caliphate’, ostensibly from the Islamic State; the group also hacked TV5’s website and Facebook page, where it posted jihadist propaganda. However, the sophisticated methods used – systems were compromised weeks in advance using espionage techniques, custom software was written to target the encoders used by the TV station – pointed elsewhere. French and US security services found that the most likely perpetrator was a group that had previously launched cyberattacks on the White House and other NATO governments. The hackers collectively referred to themselves at the time as “Pawn Storm” or “APT28”. More recently, the group has identified itself by another name: Fancy Bear.

Following its actions against the World Anti-Doping Agency, the Democratic National Congress, and the governments of the Netherlands, Germany and the Ukraine, Fancy Bear has been linked by security researchers to Russian foreign intelligence, with a number of security firms stating publicly that it is likely to be sponsored by the Russian government.

At the time, the motive for the TV5 hack was unclear. It was suggested that Russia – if it was Russia – may have been testing its capabilities. In the light of other attacks, however, it could be viewed as having been a test not only of Fancy Bear’s ability to disable a major TV network, but also of its ability to push a message – about immigration and French military involvement in Syria – into other media and social networks.

Since TV5, other major cyberattacks have displayed this two-pronged form. The theft of data from the servers of the Democratic National Congress prior to the US presidential election was not just a theft; the stolen emails and documents were not exploited privately but released publicly, in a manner and to a schedule that benefited Russia’s preferred candidate in the US presidential election. A declassified version of the findings of the CIA, FBI and NSA recognised the two-pronged approach, stating that it “blends covert intelligence operations—such as cyber activity—with overt efforts by Russian government agencies, state-funded media, third-party intermediaries, and paid social media users”.

It is impossible to say exactly how many votes were decided by the “Russian messaging strategy” described in the US intelligence community’s report. But it is certainly true that Moscow’s preferred candidate won.

Towards the end of the intelligence report, the Russian messaging strategy is described as “the new normal”. Following its (real or perceived) success in the US, “Moscow will apply lessons learned from its campaign aimed at the US presidential election to future influence efforts in the United States and worldwide.” This year, the Russian messaging strategy could bring down a target more valuable to Putin than even the US presidency: the EU.

In March and April, the Dutch and French elections offer the chance for Russia to “boost”, in the language of social media marketing, candidates that would call referendums on their EU membership.

“There are at least four ways in which a foreign adversary can subvert the democratic elective process”, says Dr Lucas Kello, senior lecturer in international relations and director of the Cyber Studies programme at Oxford University. An adversary can manipulate voters using an overt public message – “disseminating unfavourable news, real or fake, about the target candidate to diminish his or her popular support,” or “by unobstructively but demonstrably penetrating voting or registration machines with malware in order to erode public confidence in the voting outcome.” They can affect how many people vote, “by attacking voter registration systems to diminish turnout among sectors of the electorate that tend to favour the target candidate,” and, finally, they can directly compromise the result by “attacking voting or vote counting machines with malware to alter the voting results.”

In Holland, voter confidence may already have been eroded. Earlier this month, the interior minister Ronald Plasterk announced that all votes in the March election will be counted by hand. Elections become more complicated under the Russian messaging strategy; a government that protects itself against one of the attacks Kello describes automatically calls into question the integrity of its own electoral process.

In France, ANSSI director Guillaume Poupard described last month “a real strategy that includes cyberattacks, interference and leaked information.” The current favourite – strongly pro-European candidate Emmanuel Macron – has become the main target. Macron’s campaign manager, Richard Ferrand, said this month that “hundreds and even thousands” of direct hacking attempts had been made from within Russia. At the same time, Macron has been subject to a deluge of unsubstantiated coverage, including reports that he is an “agent of the American banking system”, and that he is backed by a “very rich, gay lobby”. Wikileaks – the website that released the hacked emails of the DNC – claims to have thousands of hacked documents on Macron. If this is true, it is likely that they will be released at a time designed to cause maximum damage to his campaign. Votes that do not go to Macron may then head further right, to the vociferously anti-EU Marine Le Pen.

One of the things that makes the Russian messaging strategy so effective is that it is at least partly legal. As Dr Lucas Kello points out, “International law does not prohibit interstate espionage. Although almost all domestic penal codes criminalise the unauthorised access to a computer system to seize its data, no international treaty forbids this activity. Disruptive or destructive cyberattacks may breach treaty obligations, but only if they produce consequences that are similar to an act of war or a use of force.” This, says Kello, is new territory for diplomacy. For the first time, one nation can replace another’s government without invading. “One of the distinguishing features of virtual weapons is that they can significantly affect national security – for example, if they alter electoral outcomes – without satisfying those rigid legal criteria.”

Following the Dutch and French elections, the grand prize for the Russian messaging strategy will become available in September, when Germany elects its next Chancellor. The relationship between Angela Merkel and Vladimir Putin has never warmed beyond a frosty mutual tolerance. Merkel grew up behind the Iron Curtain in East Germany. In a Stasi document from 1984, an informant described the young Merkel as “very critical” of the Soviet Union, which she saw as “a dictatorship”. Putin was an agent of that dictatorship, as a KGB agent in Dresden. As heads of state, the tone for their meetings was set in 2007, when Putin had his large black labrador brought into a meeting with Merkel – who is known to have a profound phobia of dogs. The German Chancellor’s response was withering. “He’s afraid of his own weakness,” she explained of the incident, reflecting that “Russia has nothing, no successful politics or economy. All they have is this.” As the most powerful woman in the EU, Merkel presided over an economy 13 times the size of Russia and enjoyed a strong relationship with the US. A decade later, with a pro-Putin president installed in the White House and the EU’s second-largest economy preparing to leave, Merkel does not hold so many aces.

“There is a serious threat of interference in our upcoming federal elections,” agrees Philipp von Saldern, President of the Cyber Security Council of Germany. “But, and this is very important, such attempts can come from everywhere. Different parties could be interested in attacking our elections. These could be private actors - script-kiddies, hacker-syndicates, criminal organisations or even companies. On the other hand we have other states or organisations with strong ties to a state.”

The first step in protecting elections against attacks, says von Saldern, is to consider “every attacker, no matter what background he has. To avoid direct attacks as the one on our Bundestag, we have to keep our security-measures as up-to-date as possible. This requires constant knowledge transfer between different authorities on a federal level, as well as with our ‘Länder’ [local government] authorities, but also with our economy and with international partners.”

“Protection against fake news,” he adds, “is just possible, if we cooperate with the platforms where they are posted, such as Twitter or Facebook, and if we find clear regulations about their responsibilities. We also need to sensitise our society to the subject of fake news, so that our citizens proof properly what they read and are willing to report suspicious information.”

Facebook and Twitter, he says, have “a responsibility to prevent [fake news]. Major platforms, such as Facebook currently have already announced, that they will do more to prevent fake news on their pages, but it is still unclear how this should work. To my opinion the only way to hold such online-platforms to their responsibility are clear regulations from our state.”

“Time is running out,” he concludes. “It is very urgent that our government acts here as soon as possible.”

Will Dunn is the New Statesman's Special Projects Editor. 

Inside the National Cyber Security Centre

The new chief executive of the National Cyber Security Centre, Ciaran Martin, and other senior members of NCSC staff give their take on a more open, more outgoing arm of GCHQ.

The GCHQ base in Cheltenham is a building the size of Wembley stadium, bristling with security cameras, patrolled by armed guards and surrounded by tall fences that are topped with razor wire. The organisation’s new London headquarters, however – the National Cyber Security Centre – occupies two floors of a glass-walled office building in Victoria. It’s a very smart, new office building, but there is a distinct lack of razor wire, and none of the receptionists appear to be carrying automatic weapons.

The NCSC’s open environment is illustrative of its approach, particularly where businesses are concerned. While much of its operational work will remain classified, the NCSC will invite people from the private sector to train within its walls. Following an official opening by the Queen, Philip Hammond delivers a speech in which the digital economy is mentioned before national security, and in more detail.

“The private sector is piling in extensively here today,” agrees Ciaran Martin, the NCSC’s chief executive. “We’re getting 100 private sector people in to work here,” he adds, referring to the Industry 100 initiative, which will “embed” 100 workers from across the private sector in the NCSC to share expertise. “It’s not one of those areas where the private sector is telling the government to back off – they’re asking to work with us, and we’ve got plenty to learn from them.”

The NCSC will also be heavily involved in securing the public sector, helping to co-ordinate cyber defences across bodies from the MoD to the smallest local council. “Local government is a major concern for the NCSC,” says Martin, “but let me be nice to local government. They are under significant financial pressure, they’ve got all sorts of obligations, and this can be quite complex stuff. There are 380-odd local authorities in Great Britain. Some of them, like Birmingham, are the size of decent-sized companies, and some of them are very small. If you’re a small local authority, I think that in the past, organisations like mine have been slightly too lecturing towards you about what you’re not doing right, and not sympathetic enough to the fact that if you’re trying to run, for example, a small rural local authority, you’ve got lots of citizen data but you’ve got lots of other responsibilities, and it’s quite hard to get the right people and the right tools in place. It’s quite hard to even know where you can look for help.”

Martin aims to change that by introducing simple, effective tools that will help public bodies of all sizes secure themselves. “One of the things that we’re proudest of, which we’ll be rolling out later this year – and which has been exhibited in front of the Queen today – is WebCHeck. What WebCHeck does is, it scans websites for vulnerabilities and it says “here’s where you’re good, here’s where you’re bad, here’s where your certificates are out of date.” It gives you a report that’s automatically generated, and it tells you how to fix it. We’re giving that to local government for free.”

These NCSC-developed tools will also become available to small businesses. The centre recently built a tool to eliminate spoof emails that appeared to be from HMRC: “The code that we used to stop HMRC spoofing, we’re making freely available today. That means that if you run a small business with an internet domain address, you can work out who, if anybody, is spoofing you and what you might be able to do to thwart them. We’re trying to do things that make it that little bit simpler for people who may not have the resources and time of a larger government or private sector organisation, just to make it a little bit easier to take sensible, risk-based decisions and make the improvements that will help. Because every little helps, in cyberspace – if you raise the bar a little bit, attackers can go elsewhere.”

The NCSC’s technical director, Dr Ian Levy, says blunt instruments are still too effective in cyberspace. “It’s important to differentiate the sophistication of the attack with the level of the impact. The two are not correlated; you can have a really, really simple attack that causes a lot of national impact. Take TalkTalk as an example – a very, very simple attack had a huge effect across a large number of people. Whether it should have done is another discussion, but it did. It changed the public consciousness; a lot of the very sophisticated attacks don’t have that same sort of impact on a large number of people. Some of them are not about disclosing large amounts of personal data, or stealing, or making money – they’re about traditional statecraft, and that has a much lower impact on your average population. It can have a national security impact, but one of the things we need to change the narrative of is the difference between the sophistication of an attack and the impact of that attack.”

State-level attacks

While much of the NCSC’s work will be in making the UK a “hard target”, as Martin describes it, for cybercriminals of all kinds, the centre remains a part of GCHQ. Its work will also encompass the new possibilities digital technology has opened up for espionage, diplomacy and war. At the centre of one of the exhibits shown to the Queen and other visitors on the opening day is a grey box, about the size of a biscuit tin, a few lights blinking on its front. Easily ignored by the passing dignitaries, this box is of particular significance in security circles. It is a programmable logic controller, or PLC. These controllers are found everywhere moving parts need to be automated and controlled – in factories, power stations, aeroplanes, trains, and automatic doors. In 2010, a mysterious and highly sophisticated piece of malware appeared that targeted one specific model of PLC, in a very specific configuration, and caused it to malfunction, causing serious damage to the equipment it controlled. The equipment it targeted was later identified as the enrichment technology used in the Iranian nuclear programme.

The display also contains a laptop. Tap a button, execute a command through the malware on it, and a light on the PLC changes from green to amber. In December 2015, an unknown hacker tapped just such a button. Moments later, the lights in 230,000 Ukrainian homes went off.

A member of NCSC staff who declined to be named said that his greatest worry with regard to this type of attack was that it could be used on the gas grid. “If the gas network was depressurised,” he told me, “it could take up to a year to get it back.” These are the more worrying scenarios the NCSC must imagine and plan for; a winter without central heating would bring the NHS to its knees, at the very least.

Jacqui Chard, the NCSC’s Deputy Director for Defence and National Security, says that a national security level cyber incident could take many forms. “It’s about the impact across government or across citizens,” she explains, adding that at the most serious level, the NCSC helps to plan against and prevent attacks that would cause “serious damage, loss or disruption of critical services or systems for the nation – which could be critical national infrastructure, the parliamentary system, defence, our finance institutions, or our transport system.”

“From a defence point of view,” Chard says, the most serious type of cyberattack would be one that looks like an enemy preparing the battlefield, that “impacts on the strategic planning for our military forces. Or, if we were subject to attacks on our soil, how we’re going to co-ordinate – so, if communications between government at the highest level were affected. That’s where we’re focusing for the biggest risks for the country at the moment.”

While attacks of this type are fortunately still mostly theoretical, it does look increasingly as if cyberweapons are capable of causing loss of life on a similar scale to the kinds of weapons that are bound by international treaties. Steps in this direction were taken in 2015, when the Chinese government agreed with the US and UK “not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information” (in the words of the China-UK statement). Asked why she thinks this statement did not include a statement on national security, Chard replies that “The business agreements that we’ve made are a matter of national security. They’re for our prosperity as a country, so we absolutely see those as part of that.”

The new diplomacy

With the growing power of cyberattacks to cause devastating consequences across borders comes the thorny issue of determining where an attack has originated, who ordered it, and if a government was involved. It is likely that the difficulty of attribution will have profound effects on diplomacy in the future, and a key role for the NCSC will be to provide evidence of the involvement of other nation states.

Both Ciaran Martin and Michael Fallon have spoken publicly about a “step change” in Russian cyber aggression, but Martin says certainty is still hard to come by. “Attribution can be very difficult, and a lot of the detection work on state attacks is in the classified area of where we work, even though we work a lot in the open. But in general terms, in my three years of looking at these [incidents], sometimes you have direct evidence of named individuals with pictures, and sometimes you have very little clue as to even what country an attack might be coming from.” Furthermore, “attacks could be coming from within a particular country, but that’s not necessarily the same thing as being sponsored by that country, or even tolerated by the government of that country.”

What makes international relations even more complex is that increasingly, and especially with regard to Russia, technology allows other “actors” to expose secrets and disseminate lies at scale. This is particularly effective when it comes to elections. The extent to which Russia may have been able to influence the US presidential election is the subject of furious debate, but the UK’s political system is not immune to intervention either. Last year, GCHQ revealed that it had tracked and thwarted what Martin calls “activity” with regard to Whitehall servers. “There was activity we noticed,” he says, “because we notice activity all the time, that was in and around institutions that may or may not be related to the possibility of an attack on the election.”

Governments and political parties are going to have to recognise the threat this “activity” represents. Martin says no formal requests have been made by specific parties for help, but that he expects these requests to be made.

Ultimately, he advises that to safeguard British politics, “you need to look at the system as a whole, all the way through from government institutions to parliament, to institutions that are influential in political life, like the media, like think tanks – way beyond political parties, even to high-profile individuals whose views are of interest. It’s about the totality of that. So we’ll publish data and recommendations about how to mitigate these sorts of attacks, and we’ll look at the most aggressive actors and try to find out what they’re targeting. That’s probably better than trying to predict the precise route of attack on the British political system.”

Will Dunn is the New Statesman's Special Projects Editor.