Cyclones in Cyberspace? How Crowdsourced Cyber Warfare Shaped the Russian-Georgia War

“Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia-Georgia War” was just published in Security Dialogue, a respected peer-reviewed journal. The article analyzes “the impact of cyberspace on the conflict between Russia and Georgia over the disputed territory of South Ossetia in August 2008.” The authors Ron Diebert, Rafal Rohozinski and Masashi Crete-Nishihata argue that “cyberspace played a significant, if not decisive, role in the conflict–as an object of contestation and as a vector for generating strategic effects and outcomes.”

The purpose of this blog post is to briefly highlight some important insights from the study by sharing a few key excerpts from the study.

Introduction

“Cyberspace is now explicitly recognized in United States strategic doc-trine as being equally as important as land, air, sea, and space […]. Dozens of states are actively developing military doctrines for cyberspace operations (Hughes, 2010), while others may be employing unconventional cyberspace strategies. An arms race in cyberspace looms on the horizon (Deibert and Rohozinski, 2011).”

“The US Department of Defense (2010: 86) presently defines cyber- space as ‘a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications net- works, computer systems, and embedded processors and controllers’. This definition acknowledges the interdependence between the physical and informational realm. It also defines cyberspace as the totality of information infrastructures, which includes but is not limited to the Internet. The constitutive elements of cyberspace can be broken down into four levels: physical infrastructure, the code level, the regulatory level, and the level of ideas. These constitutive elements of cyberspace were all present and leveraged during the 2008 conflict between Russia and Georgia.”

“Operations in and through cyber- space were present throughout the conflict and were leveraged by civilian and military actors on both sides. Russian and Georgian forces made use of information operations alongside their con-ventional military capabilities. Civilian leadership on both sides clearly appreciated the importance of strategic communication, and targeted domestic and international media in order to narrate the intent and desired outcome of the conflict.”

“The Internet played an important role as a redistribution channel for media and communications, including news, influential blogs, and rumors. The impact of this media was so effective in the eyes of the Georgian authorities that they decided to censor Russian television broadcasts in major Georgian cities, and to filter access to Russian Internet sites.”

Information Denial

“Both sides (or their sympathizers) employed computer network operations, consisting of attacks designed to disable or degrade key infrastructure, and exploitation or hijacking of government computer systems. In particular, numerous Georgian websites and a few Russian media sites were subject to large-scale distributed-denial-of-service (DDoS) events. The command-and-control (C&C) servers responsible for the DDoS against Georgian systems and websites, as well as other forms of malicious hacking, originated from networks located within the Russian Federation.”

“The Russian government has never claimed responsibility for these activities, and it remains unclear whether these operations were coordina-ted, encouraged, or officially tolerated by Russian authorities. This ambiguity is itself an important emergent property of war fighting in the cyber domain.”

“The DDoS surge and SQL injection-based intrusions against Georgian systems beginning on 8 August were later followed by a series of crowd-sourced DDoS activities targeting Georgian government websites and resources, coordinated on Russian hacker forums. It is unclear whether these activities were sanctioned and organized as a component of a broader political strategy, whether they occurred as a result of informal coordination by the Kremlin’s communications staff and its networks of contacts with the Russian IT community (which includes quasi-criminal groups), or whether they occurred as a result of autonomous third-party actions.”

“In an attempt to mitigate the effects of the DDoS events, Georgian authorities sought assistance from the governments of Estonia, Lithuania, and Poland. Reportedly, Estonian officials put Georgia in contact with a community of cyber-security professionals who provided consultations (Stiennon, 2008). Georgia attempted to counter the effectiveness of the DDoS surge by implementing filters to block the Russian IP addresses and protocols used by the attackers. This effort was successfully countered, and the DDoS surge shifted to foreign servers and software to mask the IP addresses (Bumgarner and Borg, 2009). Georgia’s next step was to mirror several government websites, including that of Georgia’s president, on servers located in the countries that came to its assistance, which conse-quently also became the target of Russian DDoS events.”

“US cyberspace was also affected, as components of the Georgian government such as the Ministry of Foreign Affairs were shifted to Blogspot and the websites of the president and the Ministry of Defense were moved to servers operated by operated by Tulip Systems (TSHost), a private web- hosting company based in Atlanta, Georgia (Swabey, 2008; Svensson, 2008a). The Georgian expatriate CEO of TSHost contacted Georgian officials and offered the company’s services without notifying US authori-ties. Soon after the Georgian websites were transferred to TSHost, the US-based servers were subject to DDoS. The CEO of TSHost reported these attacks to the FBI, but the company never received US government sanction for migrating the websites (Svensson, 2008b). Moving hosting to US-based TSHost raised the issue of whether the USA had violated its cyber neutrality by permitting Georgia to use its information services during the conflict.”

Deliberate or Emergent?

One of the study’s principle research questions is whether the Russian campaign in cyberspace was deliberate and planned. The authors consider there possible scenarios: (1) the actions were deliberate and planned; (2) the actions were ‘encouraged’ or ‘passively encouraged’ by state agents; or (3) the actions were an unpredictable result and dynamic emergent property of cyberspace itself.  The resulting evaluation of each scenario’s probability suggests that “Russian citizens, criminal groups, and hackers independently organized and/or participated in a self-directed cyber riot against Georgia out of patriotic sentiments.”

“Civilians have voluntarily engaged in warfare activities without the approval or direction of states throughout the history of armed conflict. What makes the actions of civilians in cyberspace different are the characteristics of the domain, where effects can be generated with ease and at rapid speed. Quite simply, collective action is easier and faster in cyberspace than it is in any other physical domain. If this scenario was the case during the Russia–Georgia war, it would signal the emergence of a new factor in cyberspace operations – the capacity for a group other than the belligerents to generate significant effects in and through cyberspace. The unpredictable nature of such outside participation–global in scope, random in distribution–can lead to chaotic outcomes, much like the trajectory and phase of a cyclone.”

Conclusion

“There was leverage gained in the conflict by the pursuit of information denial. Even in environments where the communication environment is constrained, societies are heavily dependent on cyberspace and feel its strategic importance most acutely by its absence. Information-denial strategies are more closely associated with countries of Asia, the Middle East, North Africa, and the CIS–as opposed to the West, which is more comfortable with information projection. Information denial also tends to fit more comfortably within semi-authoritarian or competitive authoritarian countries than democratic ones.”

“The tendencies toward information denial also challenge some of the widespread assumptions about the relationships between new information and communication technologies and conflict. In recent years, a conven-tional wisdom has emerged that links cyber- space with a high degree of transparency around modern wars. Our research suggests that the opposite is more likely to be the case as states and non-state actors aggressively pursue military objectives to shape, control, and suppress the realm of ideas.”

“The tendency toward privateering is very strong in cyber conflict. There is already a large and growing illicit global computer-crime market. This market is attractive to some states because it allows them to execute their missions once removed and clandestinely, thus offering plausible deniability and avoiding responsibilities under international law or the laws of armed conflict. Outsourcing to private actors in cyberspace is an example of what we have elsewhere called ‘next- generation cyberspace controls’ (Deibert and Rohozinski, 2010c). Although we found no direct evidence of cyber-privateering in open sources in this case, it is certainly a possibility. Indeed, some countries may actively cultivate cyber-privateering as a strategy precisely to confuse the battle space and muddy attribution.”

“[…] the scope and scale of contingent effects related to the character of the cyberspace domain present a qualitative difference for international con-flicts. An emergent property related to today’s global information and communications environment, inherent in its complexity, dynamism, and dispersed character, is for acts of cyber warfare to be highly unpredictable and volatile.”

“Although states may plan or ‘seed’ campaigns in cyberspace, such campaigns have a tendency to take on lives of their own because of the unavoidable participation of actors swarming from edge locations (see Der Derian, 1996). We refer to this dynamic as ‘cyclones in cyberspace’ – a phenomenon clearly evident in the August 2008 conflict both in terms of the piling-on of outside participants and the confusion and panic sown in Georgia by its own filtering choices.”

“Cyclones in cyberspace invariably internationalize any cyber conflict. […] As cyberspace penetrates those regions of the world where conflict and instability are ripe and authoritarian regimes prevail, the propensity for more cyclones in cyberspace is high and should concern international security researchers and policymakers.”

For more on cyber war, please see my earlier bog post on “Cyberconflict and Global Politics: New Media, War, Digital Activism.”