An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.
Bringing order through CHAOS: a framework for understanding Russian cyber operations and disinformation during the 2020 U.S. elections and beyond.
With a few days left before the U.S. presidential election, U.S. government agencies and social media companies are taking steps to enhance U.S. resilience and defend democracy against another episode of Russian interference. These efforts address only some aspects of Russia’s playbook, which is multidimensional and continuously applied. To visualize the main elements of Russia’s playbook and enable the discovery of patterns in Russia’s behavior across cases, this article offers a framework that can bring order to the chaos of Russia’s activities, through CHAOS (Cyber, Hype, and Associated OperationS). This framework may serve to draw predictions about what to expect during and after the 2020 U.S. elections and in future Russian interference. CHAOS can also facilitate improvements in policy to address each activity.
Russia’s election interference playbook.
There is no doubt that Russia launched a coordinated campaign against the 2016 U.S. elections. Russia’s interference was unprecedented in its magnitude, but it was not unique in terms of the tools, tactics and objectives that the Russian government and affiliated groups used. Russia has employed similar maneuvers across the Western world. Figure 1 shows some elections with known Russian interference.
Figure 1. Cases of Recent Russian Election Interference
The key components of the Russian interference toolbox are cyber operations against election infrastructure and related targets (primarily phishing attacks, website defacements and DDoS attacks), and disinformation campaigns (defined as the deliberate creation and proliferation of content that includes fabricated information). Disinformation and propaganda (biased information that does not need to contain fake news) are parts of Russian psychological operations – which aim to influence the minds of an adversary’s military, civilian population, and decision-makers. This includes you, dear reader, unless of course, you are a comrade reading this from 22 Kirova Street in Moscow or one of its affiliates. In this context, both cyber intrusions resulting in the leaking of exfiltrated data, known as hack and leak operations, and disinformation may be parts of psychological operations and tools of warfare.
The Russian government facilitates the spread of disinformation or controversial content among the population of a state it targets through Russian-sponsored media such as RT and Sputnik which, together with the Russian government, form the overt arms of Russia’s propaganda. The Russian government also uses covert methods to spread messages on social media through proxy and unattributed channels and by using trolls (paid bloggers who tend to conceal their links with the Russian government), bots (automated accounts) or other witting and unwitting proliferators. The propaganda content and its volume may change – a large quantity of messages, not only quality of content, is a part of Russia’s “firehose of falsehood.”
Hacks and disinformation are only parts of Russia’s playbook, which Russian doctrine calls information warfare, and includes a range of other activities. These can be political, economic, social and military operations such as the imposition of sanctions as in the case of Russia’s information warfare operation against Estonia in 2007 or the political support for a disinformation campaign as in the “Lisa case” in Germany in 2016. Information warfare can also be conducted alongside military activities as during the Russo-Georgian war in 2008.
Russia uses information warfare to achieve various foreign policy objectives, such as to destabilize, coerce or attain information superiority over a potential adversary. In this context, elections in western states provide ample opportunities for Russian actors to deepen existing divisions within the population by generating content in support of and in opposition to controversial issues. When Russia conducts information warfare during elections, Moscow does not necessarily aim to swing the election in favor of one candidate over another. This might be one of Russia’s objectives – and Russia is known to have supported extremist political parties and candidates – but it is not the only one. Russian strategic doctrine dictates that Moscow’s long-term objective is to sow confusion and erode public trust in democratic governance and institutions. Therefore, Russia’s information warfare likely continues after elections.
Visualizing Russia’s information warfare playbook against elections, and beyond: introducing CHAOS.
To make sense of the range of Russia’s information warfare activities and discern relations and patterns between them, it may be useful to apply a framework that visualizes them in one simple figure. Here comes CHAOS. The framework synthesizes Russia’s doctrine and identifies:
- Cyber - a chronological list of the main known stages of the most effective cyber operation(s) during Russia’s information warfare
- Hype (in media) - a day-by-day count of media articles about the main political candidates or parties running for elections published in Russian state-sponsored media available to the population of the targeted state. This coverage exemplifies Russia’s overt propaganda campaign.
- Associated OperationS supported by the Russian government during the period of the information operation:
- Political - activities by Russian government representatives, for example, visits of Russian official delegations and diplomats, speeches of Russian senior leaders related to the particular case
- Economic - activities conducted by commercial entities or government-owned entities involved in commerce and focused on distributing, consuming or producing services or resources, for example, Russian-initiated cancellation of goods and services toward the targeted country
- Social - activities probably supported by a government but conducted by non-government employees, such as protests. This category includes leaks of accurate or fake information without proven support from the Russian state, but clearly supporting its objectives
- Military – activities conducted by the Russian military, such as deployment of forces
- Mitigation policies – policies to mitigate or counter Russia’s interference introduced by the targeted state
- Relevant events – events that the Russian government did not organize but which could affect Russia's decision-making regarding the particular information warfare campaign. For example, summits, elections and similar events relevant to the case
As Russia’s operations aim to sow distrust and influence decision-making in a targeted state by disruptive activities and narratives, or in a way to cause chaos, the acronym CHAOS seems an appropriate simplification of Russia’s complex operations.
CHAOS allows for the visualization of the main elements of Russia’s information warfare playbook and shows how they interact. For comprehensiveness, CHAOS bases the analysis of Russia’s propaganda and disinformation efforts only on overt sources such as Russia’s state-sponsored media. These sources may be more reliable indicators of trends in Russian state-sponsored rhetoric than analyses of Russia’s troll and bot behavior on social media due to the incomplete data on the operations of the latter. In the case of the 2016 U.S. elections, social media platforms released detailed databases of Russian activity that enabled researchers to analyze Russia’s campaigns. In other cases of Russian interference, however, such as during the Bulgarian elections in 2016 or Montenegro’s elections in 2016, such databases are difficult to compile.
CHAOS and the 2016 U.S. elections.
Figure 2 applies CHAOS to the 2016 U.S. elections and describes the activities related to Moscow’s information warfare operation in that period, which was personally ordered by Russian President Putin. The Russian government used its state-sponsored media channels and Western social media platforms to deliberately plant and disseminate disinformation among U.S. audiences, designed to increase tensions on divisive issues, erode the social cohesion of the American public, and harm the electability of various candidates, most notably Hillary Clinton. Figure 2 depicts chronologically the main political, social activities and cyber operations – the intrusion into the Democratic National Committee (DNC) as the main successful cyber operation. The figure also indicates some of the major mitigation policies by the U.S. To analyze the overt arm of Russia’s propaganda and assess potential patterns of the volume of Russian media coverage during this campaign, the figure illustrates the number of articles about the two main political candidates – Hillary Clinton and Donald Trump – in Russian state-sponsored media Sputnik News, available in the United States during the examined period. The figure also shows the portion of this media coverage that included information leaked as a result of the DNC hack.
Figure 2. Russia’s CHAOS during the 2016 U.S. Elections
The analysis shows that there was a marked increase in media coverage – which was critical of candidate Clinton and favorable to candidate Trump – in the month prior to the elections. A large portion of these articles in October and early November included a reference to the documents released as a result of the DNC hack, which shows that they played a role in Russia’s media coverage before election day.
Notably, Russia’s media coverage about the political candidates did not stop after the election. It actually increased in comparison to the media coverage before the elections. The coverage included articles portraying Hillary Clinton as a weak presidential candidate who lacked the support of members of the Democratic party.
CHAOS and the 2017 French elections.
In the period before the 2017 French presidential elections, actors associated with the Russian government launched a propaganda campaign and likely initiated a series of cyber operations against the presidential campaign of Emmanuel Macron and in favor of presidential candidate Marine Le Pen. Figure 3 applies CHAOS to this case and juxtaposes the analysis of pro-Kremlin Sputnik News France coverage during the election campaign and the main events against the Macron campaign. A notable tactic was the release of fake documents two hours before the final televised Macron-Le Pen debate, claiming Macron had an offshore bank account – news that spread on social media but was quickly debunked. Figure 3 also illustrates some of the policies by French government agencies and the Macron campaign that may have facilitated the relative minimal spread of the leaked data on social media and its minimal coverage on Kremlin-sponsored media in comparison to the spread of the leaked information from the DNC hack.
Figure 3. Russia’s CHAOS during the 2017 French Elections
CHAOS shows that the amount of coverage about the two main candidates increased in the period preceding the elections and significantly spiked on the days of each election round and the two days immediately following election day. The coverage was markedly negative towards Macron and positive towards Le Pen. In addition, the coverage about the Macron leaks did not constitute a major part of the coverage about the two candidates in that period – partially attributed to strong media ethics and government policies against such reporting in France.
Regarding leaked information, Russia’s involvement was less clear than in the U.S. case. In France, it was U.S. white supremacist and similar groups, whose agendas were in line with Russia’s objectives, that amplified the leaks.
Furthermore, consistent with the analytical conclusions in the case of Russia’s interference in the 2016 U.S. elections, the volume of coverage about President Macron and Le Pen after the elections increased in comparison to the period before the elections. Such strategy is in accordance with the aims of Russia’s information warfare doctrine, which dictates that such operations be continuous. The post-election coverage features articles about potential election fraud, such as information about low voter turnout, damaged and stolen ballots, as well as protests against Macron’s victory, likely aimed to instill distrust in the French election outcome and democratic institutions in general.
CHAOS and the 2020 U.S. elections.
What can the two cases tell us about what we could expect during the 2020 U.S. elections? From the preliminary analysis, we could draw some tentative conclusions:
- In neither case did Russian cyber threat actors compromise critical election infrastructure and the general aim was not to exert technical but psychological effects. The main cyber operations in each case targeted campaigns of political candidates and were of the hack and leak type. So far in the 2020 U.S. elections there is no confirmed Russian involvement of a hack-and-leak operation (although there are promising vectors) but as the French elections showed, fake leaks can be a part of information warfare and leaks do not have to constitute a main part of Russia’s overt propaganda campaign.
- Even without proven Russian involvement, actors such as U.S. white supremacist groups, can amplify disinformation and propaganda, consistent with Russian interests.
- The U.S. population is likely to be subjected to an increased volume of negative media coverage from Russian media related to the candidates and especially coverage on divisive topics after the election. Considering that disputing the legitimacy of the election outcome that a prominent theme in the case of France where the winner was not a pro-Russian candidate, if Joe Biden, who advocates a strong stance against Russia, wins the 2020 elections, it is likely that Russian sponsored media coverage will emphasize this issue (we are already seeing such narratives in Russian media).
These two cases tell us more than I have outlined here. Additional cases also reveal other patterns of Russian activities and effective mitigation policies. The next stage of this research will elaborate on these two cases and will apply CHAOS to a dozen more, including the cases listed in Figure 1 above. The research will be released in the form of a PhD dissertation and a book in the next few months. Stay tuned!