Let us review, if only in brief, some of the facts as they are presently understood. Two years ago, a shadowy company based in Russia called the Internet Research Agency began buying Facebook ads in bulk. An estimated 11.4 million people across the United States saw these ads, both before and after the U.S. presidential election. Many millions more read the messages and conspiracy theories circulated by hordes of angry bots, hecklers, and trolls on social media, obscure blogs, and web sites. These messages were largely in the service of advancing the political aims of Donald Trump. We do not—cannot—know precisely how much they affected the choices of voters, but we can state that these exertions were deliberate and systematized, part of a sprawling effort that many now believe could only have been orchestrated by one country: Russia.
Since November, when Donald Trump shocked the world—and likely even the Kremlin—by winning the presidency, Twitter, Facebook, Google, the FBI, the CIA, and three separate congressional committees have launched investigations to piece together a narrative of Russia’s meddling. And yet obscured by the flurry of recriminations, resignations, calls to impeach, to protest and counterprotest—all the blithering turmoil that signifies American political life in 2017—are the deeper ramifications of what Russia has done.
We know about hot wars, when states fight one another. We know about cold wars, when states menace without striking, or by using client states in the developing world as fodder in bloody proxy wars. The response to Russia’s interference in our election evokes such episodes in American history. In December, when President Obama expelled 35 diplomats from the Russian Embassy’s compound in northwest Washington, the conventional wisdom held that it was a “proportional” response designed to deter Russian aggression in the future. It adhered to Cold War notions about containment, deterrence, and balances of power. But it was also political theater. High-level “signaling” will do little to deter cyberattacks in the future.
“The United States needs a new paradigm that goes beyond old models of containment—models of warfare based on the assumptions of conventional or nuclear conflict,” says Joshua Kertzer, an international security analyst at Harvard. Today, wars are no longer simply hot or cold. Some modern conflicts are not primarily about territory or resources but about digital infrastructure and control of information. Ours is a world in which Russian belligerents can attack the smartphones carted abroad by U.S. soldiers, and in which “threat researchers” believe hostile hacker networks are sharing malicious code, bringing economies of scale and corporate efficiencies to global conflict. Adversaries do not seek to attack their opponents physically but merely to destabilize them. They favor assaults on the beliefs a population holds about its own government—what makes a country a country—and on a population’s ability to distinguish fact from fiction. Although these conflicts can, in some cases, be as destructive as a hot war, they do not conform to the international codes that governed how those clashes were fought and won in the twentieth century, making them hard to define and even harder to prevent.
There are still many unanswered questions about what constitutes cyberwarfare. “Rarely has something been so important and talked about with less clarity and less apparent understanding,” said Michael Hayden, the former director of the NSA, in 2011. As the United States scrambles to investigate how and why Russia was able to influence the election with such apparent ease, we will first have to understand the broader strategy, their rules of war—a set of military tactics tested in 2007 in the small, Eastern European nation of Estonia. Russia prevailed in this, its first major act of cyber-enabled information warfare against a rival state. And with its weapons and strategies now battle-tested, it turned elsewhere for conquest.
It began at exactly 10 p.m. on April 26, 2007, when a Russian-speaking mob began rioting in the streets of Tallinn, the capital city of Estonia, killing one person and wounding dozens of others. The incident had powerful echoes for today’s conflicts in the United States. The Estonian government had announced that a bronze statue of a heroic World War II Soviet soldier was to be removed from a central city square. For Estonians, the statue had less to do with the war than with the Soviet occupation that followed it, lasting until independence in 1991. For the country’s Russian-speaking minority—25 percent of Estonia’s 1.3 million people—the removal of the memorial was one more sign of ethnic discrimination. Russia’s government warned that the statue’s removal would be “disastrous” for Estonia.
That evening, Jaan Priisalu—a former risk manager for large Estonian banks who was working closely with the government on its cybersecurity infrastructure—was at home in Tallinn with his girlfriend when his phone rang. On the line was Hillar Aareleid, the chief of Estonia’s cybercrime police.
“It’s going down,” Aareleid said curtly. Along with the street fighting, reports of digital attacks were beginning to filter in. The web sites of the parliament, major universities, and national newspapers were crashing. Priisalu and Aareleid had suspected something like this could happen one day. A digital attack on Estonia had begun.
Estonia boasts the most technologically advanced system of government in the world. Every citizen possesses a digital identity—an identification number and login code for access to completely digitized interactions with the state. Estonians can vote online, file taxes, check medical records, access the national health care system, and receive notifications of most government attempts to access their personal records. The Estonian national ethic is built on the idea that every citizen is transparent, and the state is, too. This makes Estonia extremely efficient—and extremely vulnerable. “We live in the future. Online banking, online news, text messages, online shopping—total digitization has made everything quicker and easier,” Priisalu said. “But it also creates the possibility that we can be thrown back centuries in a couple of seconds.”
Over the next two nights, as the street battles began to ebb, the attacks on Estonia’s technological infrastructure picked up. Estonian authorities didn’t recognize the effects right away. It wasn’t until the national defense minister realized he was unable to log on to his political party’s web site that they knew they had a major problem on their hands. Then the mail server for the parliament crashed. News sites began to falter. Some of the country’s most widely read publications disappeared altogether.
Priisalu began to analyze the streams of data besieging the country’s institutions. Vast “botnets,” agglomerations of linked and captured computers running bots, were attempting to bring down computer systems with automated queries, as part of a large distributed denial-of-service (DDoS) attack. “Mail-bombing” email barrages and volleys of status and location queries overloaded servers around the country, bringing crucial parts of the Estonian internet to a halt. Some web sites, according to the BBC, were “defaced,” redirecting users “to images of Soviet soldiers and quotations from Martin Luther King Jr. about resisting ‘evil.’” “War dialing,” in which automated phone calls target a company or institution, placed a virtual blockade on phone numbers for government offices and the parliament. On May 10, Hansabank, the largest bank in Estonia, a country where 97 percent of the population used digital banking, had to temporarily cease online services and international card transactions.
The intensity of the digital firepower arrayed against Estonia was massive. One thousand data packets per hour were traveling through the country’s networks on the first day. On the second day, it was two thousand per hour. At its highest point, it was four million—per second. Ordinary computer users, many of them with no prior hacking experience, volunteered to become “script kiddies,” wielding premade freeware code scripts to contribute to the attack. Botnets cost money; to fund them, there were online accounts that anyone could pay into. The attacks seemed somehow to have been outsourced, the costs of the aggression crowdfunded.
The government was baffled. Were the attacks the opening moves of a military invasion? Estonia had recently joined NATO, over the vocal protests of its Russian neighbor. Should it activate Article 5, the mutual defense clause of the security group’s charter?
Finally, on May 19, 2007, the attacks came to a sudden stop. The Estonians had implemented a simple, almost absurdly sad solution: They pulled the plug. The most wired country in the world severed its international electronic connections and largely disappeared from the internet, bringing what military historians now call the First Internet War, or “Web War I,” to an abrupt end. It was a decisive victory for whoever had perpetrated the attacks.
No one has ever claimed responsibility for what happened in Estonia, but it soon became apparent to Priisalu and many others that Russia was to blame. Russia had an obvious, and publicly stated, political motive: its opposition to the removal of the statue. More important, the events in Estonia helped crystallize an emerging consensus that cyberattacks could constitute warfare. The attacks on its digital infrastructure had paralyzed the parliament, shut down banks, and fueled violence in the streets. It was, Priisalu concluded, undoubtedly an act of war.
Perhaps more telling was that the strategies used in Estonia had already been included in a Russian manual of war. In 1998, Sergei P. Rastorguev, a Russian military analyst, published Philosophy of Information Warfare, which included a lengthy version of this telling anecdote:
Once there was a fox that wanted to eat a turtle, but whenever he tried to, it withdrew into its shell. He bit it and he shook it, but he wasn’t getting anywhere. One day he had an idea: He made the turtle an offer to buy its shell. But the turtle was clever and knew it would be eaten without this protection, so it refused. Time passed, until one day there appeared a television hanging in a tree, displaying images of flocks of happy, naked turtles—flying! The turtle was amazed. Oh! They can fly! But wouldn’t it be dangerous to give up your shell? Hark, the voice on television was announcing that the fox had become a vegetarian. “If I could only take off my shell, my life would be so much easier,” thought the turtle. “If the turtle would only give up its shell, it would be so much easier to eat,” thought the fox—and paid for more broadcasts advertising flying turtles. One morning, when the sky seemed bigger and brighter than usual, the turtle removed its shell. What the turtle did not understand: The aim of information warfare is to induce an adversary to let down its guard.
Rastorguev was saying that one of the most effective weapons in modern conflict was information—or more accurately, disinformation, like the fake news and social media posts that U.S. audiences have been reading about since the election last fall, or the stories that whipped Estonian protesters into a frenzy in 2007. The core concept of cyberwar, then, has to be understood as something broader than hacks or defacement of web sites. It is psychological manipulation, executed with targeted digital disinformation designed to weaken a country from within. “The Russian theory of war allows you to defeat the enemy without ever having to touch him,” says Peter Pomerantsev, author of Nothing is True and Everything is Possible: The Surreal Heart of the New Russia. “Estonia was an early experiment in that theory.”
Since then, Russia has only further developed, and codified, these strategies. The techniques pioneered in Estonia are known as the “Gerasimov doctrine,” named after Valery Gerasimov, the chief of the general staff of the Russian military. In 2013, Gerasimov published an article in the Russian journal Military-Industrial Kurier, articulating the strategy of what is now called “hybrid” or “nonlinear” warfare. “The lines between war and peace are blurred,” he wrote. New forms of antagonism, as seen in the Arab Spring and the earlier “Color Revolutions,” could transform a “perfectly thriving state, in a matter of months, and even days, into an arena of fierce armed conflict.”
Russia has deployed these strategies around the globe. Its 2008 war with Georgia, another former Soviet republic, relied on a mix of both conventional and cyberattacks, as did the 2014 invasion of Crimea. Both began with civil unrest sparked via social media—followed by tanks. Finland and Sweden have experienced near-constant Russian information operations. Russian hacks and social media operations have occurred during recent elections in Holland, Germany, and France. Most recently, Spain’s leading daily, El País, reported on Russian meddling in the Catalonian independence referendum. Russian-supported hackers had allegedly worked with separatist groups, presumably with a mind toward further undermining the EU in the wake of the Brexit vote.
Certain patterns have emerged from these conflicts, allowing experts to draft a rough model of the techniques Russia uses to destabilize its opponents. First, people’s trust in one another is broken down. Then comes fear, followed by hatred, and finally, at some point, shots are fired. The pattern was particularly striking in Crimea. People posted reports on Facebook about gross mistreatment by Ukrainians; dramatic messages circulated on Instagram about streams of refugees fleeing the country. Billboards suddenly appeared in Kiev bearing pro-Russian slogans; demonstrations followed. Rising suspicion and mutual mistrust split Ukrainian society. In a matter of months, fighting broke out. Russia used the conflict as a pretext to send in “aid convoys,” presenting itself as a benevolent responder in an emergency.
Russia has used the same strategies against its own people. Domestically, history books, school lessons, and media are manipulated, while laws are passed protecting the Russian population’s personal data from foreign companies—an essential resource in today’s global information-sharing culture. According to British military researcher Keir Giles, author of NATO’s Handbook of Russian Information Warfare, the Russian government, or actors that it supports, has even captured the social media accounts of celebrities in order to spread provocative messages under their names but without their knowledge. The goal, both at home and abroad, is to sever outside lines of communication, so that locals get their information only through controlled channels.
We spoke with Priisalu on a couple of occasions earlier this year, and he recounted the story of the Estonian attack. At the end of one meeting, he pressed to adjourn the conversation. There was time for one last question. What should we be most afraid of? Priisalu considered this for a moment. “Information warfare,” he said.
Since 2007, Estonia has established itself as a global hub for thinking about cyberattacks, and more broadly, about what constitutes an act of war in the internet age. Priisalu has been at the forefront. In 2008, he helped found the Cooperative Cyber Defense Center of Excellence, a NATO-funded international research center in Tallinn that brings together cybersecurity experts from around the world. Each year, the group hosts “Locked Shields,” the world’s largest global cyberwar exercise. In this year’s simulation, 25 member states enlisted representatives to fight off thousands of simultaneous attacks on a virtual country called “Crimsonia.” The progress of the battle was rendered visually and beamed onto giant screens. Some “soldiers” came in suits, others in sweatshirts—but most logged in from home.
Priisalu has also helped build Europe’s first volunteer cyberarmy. In 2011, his network of freelance cyberfighters was consolidated into a new sub-unit of the Estonian military’s armed reserves, the paramilitary Estonian Defense League. The logo of the Estonian Cyber Defense Unit (CDU) depicts an eagle with a sword in its right claw and a shield in its left, and above it, an @ sign. The names of its members and the size of its ranks are secret. In an emergency, they will take up battle stations at their computers.
While Estonia’s CDU focuses on technical hacks, governments must also contend with their social media equivalents—disinformation, fake news, leaks, and hateful internet comments. These modern forms are just as much a part of cyberwar as hacking. And in Estonia, preventing attacks on social media is the job of Anton Asper, an advertising executive with a secret part-time career as a cyberwarrior. (Asper is not his real name.)
“Look around, do you see any machine guns here?” The conference room in Anton Asper’s ad agency is enormous; the ceilings are 15 feet high, and artworks hang on the cement walls. At the end of the room there are plate-glass windows, through which a handful of stylishly dressed people can be seen putting together presentations on Apple computers. Asper’s office is somewhere in Estonia—the location must remain secret, just like Asper’s real name. None of his employees suspect what he does alongside his career as an advertising executive: “It’s a battle, but I don’t use guns. I fight with this,” he says, tapping his MacBook.
Asper’s collaboration with the Estonian CDU is a loose one. He leads his own volunteer team called Propastop. Its two dozen members have a simple mission: to counter false information related to Estonia. Propastop operates a web site with several social media accounts devoted to investigating propaganda and viral fake news reports that cause social unrest.
Asper started Propastop in 2015, after the Crimea crisis, when well-equipped fighters wearing camouflage without insignia appeared in eastern Ukraine. During the invasion, Asper was sitting nervously in front of the television, aware that Estonia was, like Ukraine, a former Eastern Bloc country that had shifted its orientation westward, provoking Russia. During the attacks on Estonia in 2007, the Russian media had been decrying Estonians as fascists. Now the same thing was happening in Ukraine.
He started looking around. He found nothing similar on Estonian web sites. Then he opened Russian-language pages about Estonia and found a barrage of media reports, social media accounts, and blogs that depicted “eSStonia” as an aggressive puppet of the West, which abused minority populations and was secretly preparing to attack Russia with NATO troops. He found propaganda messages migrating out of forums and social media accounts onto Russian-language television, and vice versa. It shook him. With each step, the information grew more shrill, and the facts less verifiable. It was what we would now call “fake news.” Asper identified nine of the most prevalent story lines and arranged them like a bingo board, with phrases like “Estonia is a pointless pseudo-state,” “Russians are persecuted in Estonia,” and “Estonia is a foot soldier of the USA.” Asper has grown used to looking at these narratives every day. “You can only protect yourself from propaganda by training your eye. You can’t really fight its spread,” he said.
The United States has adopted some of Estonia’s programs in its own efforts to combat cyber incursions. In 2009, the U.S. government established its own Cyber Command Center, under the NSA, at Fort Meade in Maryland. In July, the Trump Administration split the command off as an independent agency with a proposed $647 million annual budget, 133 operational teams, and as many as 6,200 workers. Likewise, the Department of Defense has developed its own cybersecurity infrastructure, with dedicated digital “national mission teams” and “combat mission teams.” But the next step in the West’s collective defensive strategy is to develop a consensus about what, legally, constitutes an act of cyberwar.
In 2009, 20 academics, legal scholars, and security experts were convened to write the Tallinn Manual, a nonbinding document that examines how parties to a digital conflict are legally allowed to behave. What does sovereignty mean on the internet? What constitutes “territory” and what is considered an “incursion?” Ultimately, the definition of war appears to function online in much the same way it does offline. A conflict becomes a war when a state system is at risk and life is threatened. In 2011, the U.S. government implemented its own framework, declaring a cyberattack similar to an act of war, punishable by conventional military means. Three years later, NATO opened a second cyberwar research center specializing in strategic communication—StratCom for short—in Riga, Latvia. In September, NATO opened a third center, this one for “hybrid threats.” France, Sweden, Germany, and other countries have also set up similar offices. NATO has published several analyses of “information warfare” in the last year, addressing, in large part, what is now being called “social engineering,” or how state and nonstate actors can exploit available media channels, from Instagram to television talk shows. A recent study on “robotrolling,” for example, found that the majority of Russian-language tweets about the NATO presence in Eastern Europe are actually written by bots.
These measures are far from perfect. Again, the example of Estonia is instructive. In 2007, the Estonian government announced that it had tracked one source of the attacks to an IP address owned by the Russian government. But it could never definitively prove anything. Kremlin officials argued, with some validity, that the source could have been a zombie computer, controlled by another entity. (Many of the bots and computers pushing fake news during the presidential election were also located inside the United States.) This is one of the reasons information warfare can be so difficult to combat. Governments no longer need to launch or even orchestrate attacks. It is enough to enable the action. And it insulates the government from retaliation. That’s why, even with all the money and time that has been poured into studying Russia’s actions during the American election, it’s too soon to say if what happened qualifies as an act of war. “It would take five years and millions of dollars to answer that,” says Keir Giles, the British military researcher.
The lack of an easily verified culprit may help explain why such attacks persist in the United States. Many people are unaware that during the white supremacist protests in Charlottesville—another outpouring of ethno-nationalist rage spurred by the removal of statuary—pro-Russian Twitter accounts, many of them automated, retweeted thousands of posts with hashtags like #Charlottesville, #Antifa, and #Trump. These accounts pushed false reports about who drove the vehicle that plowed into a crowd of anti-racist counterprotesters and killed Heather Heyer. It wasn’t a white supremacist Trump supporter behind the wheel, according to these reports, but a left-wing critic of the president. More recently, an online analysis conducted by the Alliance for Securing Democracy, a research group established after the presidential election to track Russian influence-operations in social media, found that URLs promoted by 600 Kremlin-connected Twitter accounts were spreading conspiracy theories about the Las Vegas shooting in October or blaming left-wing actors for the killing.
That these attacks are still happening, without any reliable way of stopping them, simply underscores the fact that cyberwar is a new norm of hostile international relations. We live now in a world where any person, anywhere, has the potential to act as an aggressor, or become a target, in an action triggered by a foreign adversary. Giles believes the West should prepare itself for massive, determined, and personalized disinformation attacks, with messages targeted at individuals and made to look as if they are being sent by people they trust. The world may soon have to contend with individualized warfare.
Most worryingly, Western democracies are uniquely susceptible to this form of attack. The key insight of autocratic governments like Russia’s may be the recognition that democracies have a weakness: They are open societies committed to free speech and expression. That characteristic is and continues to be exploited. What’s more, other countries are already aping these techniques in their own struggles. Russia is the world’s most open cyberwarfare aggressor—but it’s far from the only one. Iran, Israel, North Korea, and the United States, and perhaps other countries, are all active. These conflicts often play out between familiar rivals: Russia and the United States, Iran and Israel, North and South Korea. It may be that information warfare simply reinforces old rivalries. But at the same time, it will likely have a deep and lasting impact on the fabric of the societies that come under attack. When social media and information itself are weaponized, the bonds of trust in society and within institutions are undermined, and the task of assuring information integrity becomes a matter of national security.
The question is how the West can maintain the core values of freedom of speech and the free flow of information while protecting itself from the constant presence of malevolent geopolitical actors. For centuries, Eastern European countries such as Estonia relied on walls, watchtowers, and fortresses to keep out invaders. The United States became the world’s most powerful country in part because it was insulated from foreign threats by vast oceans on two sides. In the internet age, those traditional borders are less effective. To survive in the era of information warfare, the West will have to create new, safer borders capable of withstanding cyberattacks. Blockchain technology, the underlying protocol of cryptocurrencies such as bitcoin, might, for example, function as a sort of digital fortress protecting the secure exchange of information online. Whatever form these defenses take, democratic countries will have to focus more resources on finding and spreading potent and reliable technologies, whether in partnership with private companies, or in government cyber labs in Estonia or the United States. But we will also have to accept the sobering reality that these attacks, like guerilla warfare and suicide bombings, aren’t going away. They are the new costs of living in a connected world.