Ukraine at D+181: Independence Day and six months of war.
Aug 24, 2022

Ukraine braces for Russian attacks to mark Ukraine's Independence Day, and in retaliation for the assassination of Daria Dugina. Russia attributes that killing to Ukraine and its British and Baltic allies, but the circumstances of the car-bombing remain murky. An assessment of overt and covert influence operations suggests the advantage lies with the overt.

Ukraine at D+181: Independence Day and six months of war.

Today is Ukraine's Independence Day, and the country continues to expect Russian strikes against its towns and cities, the New York Times reports.

"Today marks the 31st anniversary of Ukraine’s independence. Since 2014 President Putin has sought to use a mix of force and coercive diplomacy to increase and solidify Russia’s influence in Ukraine and interfere in its sovereign affairs," the UK's Ministry of Defence wrote in its morning situation report, offering a picture of Russian strategic, operational, and tactical failure. "Russia launched a full invasion of Ukraine six months ago, with the aim of toppling the government and occupying most of the country. By April, Russia’s leaders realised this had failed, and reverted to more modest objectives in eastern and southern Ukraine. The Donbas offensive is making minimal progress and Russia anticipates a major Ukrainian counterattack. Operationally, Russia is suffering from shortages of munitions, vehicles and personnel. Morale is poor in many parts of its military and its army is significantly degraded. Its diplomatic power has been diminished and its long-term economic outlook is bleak. Six months in and Russia’s war has proven both costly and strategically harmful."

Daria Dugina hailed as a martyr at her funeral.

“I consider it a barbarous crime for which there can be no forgiveness,” Russian Foreign Minister Lavrov said of Daria Dugina's assassination. “I hope the investigation will be quickly completed and according to the results of this investigation, of course, there can be no mercy for the organisers, those who commissioned this, and the perpetrators.” Neither Mr. Lavrov nor any other currently sitting members of the government attended the funeral itself, although Sergei Prigozhin, the oligarch who runs the Wagner Group and the Internet Research Association, was among the mourners.

Estonia dismisses Russian accusations of involvement in Dugina assassination.

Estonia's Foreign Minister Urmas Reinsalu on Saturday dismissed as a "provocation" FSB allegations that the Baltic country was harboring the assassin of ultranationalist media personality Daria Dugina. Other Estonian sources thought it likely that the car bombing was carried out by the FSB itself. The head of the International Center for Defense and Security (ICDS) Indrek Kannik said, "It is possible that this was the FSB's own operation, since these people had become a threat. At the same time, it is convenient to blame it on the Ukrainians. Now we are seeing that Estonia can also be dragged into this."

Since Russia's FSB has identified Estonia as complicit in the assassination (a contention Estonia rejects, and that few observers find credible), further Russian cyber actions against Estonia are likely. Galina Antova, Co-Founder of Claroty, commented on last week's attempted distributed denial-of-service attacks against Estonian sites. "This attempted attack on Estonia is disappointing, but expected, the fact that the attack targeted both public and private organizations shows that the red line is disappearing. We’ve known for years that Russian nation-state cyberattackers have been lurking in behind the scenes, and it’s easy to envision how whole sectors of the economy could be affected. In the U.S., where much of our critical infrastructure is privately owned, business leaders have a crucial role to play in protecting national security. Washington is very aware of the shifting strategies, tactics, and implications of escalating cyber warfare—but the onus is on private owners to protect the private critical infrastructure here in the U.S." 

Lessons for the fifth domain from six months of hybrid war.

The Atlantic Council has published a set of twenty-three lessons to be learned from half a year of Russia's war against Ukraine. Six of them have particular relevance to cybersecurity:

  • "Lesson for wartime strategic communications: Influence operations are a day-in, day-out job." (Offered by Jennifer Counter, nonresident senior fellow at the Scowcroft Center’s Forward Defense practice.) Russia has not succeeded in influence operations, but Ukraine has. "The beauty of what the Ukrainians have accomplished is that a vast network of people who follow the government’s messaging lead and further spread the campaign in ways that their individual networks can understand—thus building new advocates and reinforcing Ukraine’s base of support." The Russian influence campaign has relied upon large-scale disinformation, and it hasn't worked. The Ukrainian approach offers a clear contrast. "In large part, the Ukrainian government uses firsthand accounts and video clips as evidence, which further reinforces its message; and crucially, it has not resorted to large-scale mis- and disinformation as Russia has. Overall, the cohesion and duration of the Ukrainians’ campaign can, and should, be used as a template for what the United States and its allies can accomplish with an influence strategy, communications discipline, and a willingness to grind day-in, day-out to meet the end goal."
  • "Lesson for hybrid warfare: Don’t ignore the fundamentals." (From Arun Iyer, a nonresident senior fellow at the Scowcroft Center for Strategy and Security’s Forward Defense practice who served in a variety of operational and operational leadership assignments in the US Department of Defense from 2005-2020.) Conventional military failures, particularly in tactics and logistics, have marked the Russian invasion. It's also been marked by intelligence failures. "Russia’s intelligence apparatus miscalculated both the resolve and capability of Ukraine, as well as the level of support for Ukraine from the international community. This has contributed to staggering Russian losses on the battlefield and horrors against the Ukrainian people perpetrated by an unprofessional Russian military. There have also been similarly poor results in the function of sustainment (the military term for keeping operations going until objectives are achieved).... Similar shortcomings have resulted in poor control of the information domain: Russia’s “Z” and “anti-Nazi” campaigns have been easily countered by a competent Ukraine that clearly knows its adversary and is able to effectively respond to its messaging through social-media campaigns coupled with broader outreach to the global community. In looking at Russia’s experience, the United States and its allies should ensure that the fundamentals of waging (hybrid) warfare are not ignored."
  • "Lesson for global intelligence: Russia is not ten feet tall." (From Marc Polymeropoulos, a nonresident senior fellow in the Forward Defense practice of the Atlantic Council’s Scowcroft Center for Strategy and Security who worked for twenty-six years at the Central Intelligence Agency.) "Six months ago, there was a plethora of doom-and-gloom analysis: The notion that the Russian military believed it could take Kyiv in thirty-six hours was reportedly shared not only by Putin but also by Western academic and intelligence-community analysts. Almost everyone got this fantastically wrong. Except, of course, the one entity that mattered most: the Ukrainians, who fought bravely and nearly unanimously believe they’ll win. A quick Russian blitzkrieg turned into a morass that will go down in military history, with 80,000 Russian casualties and no end in sight to Putin’s “special operation.” Now we see that the Russian military is a Potemkin village—corrupt, unfit, and fundamentally lacking in basic principles of logistics."
  • "Lesson for would-be invaders: You can’t hide preparations for a full-scale invasion." (Offered by Eto Buziashvili, a Georgia-based research associate for the Caucasus at the Atlantic Council’s Digital Forensic Research Lab.) Intelligence is now a commodity. Open sources now show collection and analytic capabilities that formerly would have been possessed only by advanced nation-states. Russian official media themselves pretty clearly telegraphed Moscow's intentions, as did social media posts. "In the four months leading up to the invasion, Kremlin-owned online outlets increasingly reported that Ukraine was preparing to attack the eastern Donbas region—or even Russia itself. The DFRLab monitored these open sources on a daily basis to measure the frequency of this messaging; in the pre-invasion period, Russian online coverage of the narrative about an impending Ukrainian attack rose dramatically, with a nearly 50 percent increase in January 2022 over the previous month. The narrative also became increasingly hostile—accusing Ukraine of planning a chemical attack in the Donbas, for example. Meanwhile, footage from social media, particularly Telegram and TikTok, documented ongoing Russian troop movements and deployment along Ukraine’s border. The spread of hostile Kremlin narratives in those final months before the invasion were in sync with the spread of Russian troops on the ground, with Russia essentially preparing domestic and international audiences for the invasion alongside actual military preparations. Through the combined open-source intelligence analysis of Russia’s behavior both online and offline, it became clear that Putin’s intentions were hiding in plain sight." 
  • "Lesson for cybersecurity: The private sector should play a critical military-operational role in cyberspace." (By Franklin D. Kramer, a distinguished fellow and board director of the Atlantic Council who has served as a senior political appointee in two administrations, including as assistant secretary of defense for international security affairs.) Ukraine has proved surprisingly resilient in the face of hostile Russian cyber operations, and this has been due in large part to its own preparations, shaped by lessons learned from more than a decade of hostile Russian gray zone operations. "But Russia’s invasion of Ukraine has generated a new role for the private sector, which is engaging in direct cyber combat against Russian cyber attacks and in support of Ukraine’s military and governmental functions. While Ukraine has its own capable cyber defenders—who, for example, stopped an attack against the Ukrainian electric grid—those efforts have been complemented by private-sector firms that have worked with Kyiv both by helping to identify and disable malware and by taking additional actions to create a much more defensible Ukrainian cyberspace. Both Microsoft and Cisco have published reports detailing defensive cyber efforts and European cybersecurity firms such as the Slovakian firm ESET have also been engaged. Ukraine’s cybersecurity defense has additionally been enhanced through the use of Starlink terminals and the transfer of Ukrainian governmental functions to cyber clouds outside Ukraine. The actions that these private companies have undertaken foreshadow the critical role such firms will play in future twenty-first-century conflicts."
  • "Lesson for US homeland security: Ignoring the home front is a serious mistake." (From Thomas S. Warrick, nonresident senior fellow at the Scowcroft Center for Strategy and Security’s Forward Defense practice.) The inherently deniable and ambiguous character of cyber conflict tends to spread its effects beyond the immediate theater of operations. The US got off to a good start, but emphasis may have faded in recent months. "After an initial burst of activity culminating in late April and early May, efforts by the US Department of Homeland Security (DHS) to counter Russia’s hybrid war in the United States appear to have faded—even amid a Russian “avalanche of disinformation,” as the Atlantic Council’s Digital Forensic Research Lab has documented. The last update to the Cybersecurity and Infrastructure Security Agency’s “Shields Up” webpage was dated May 11, and the most recent entry in CISA’s “Russia Cyber Threat Overview” was dated April 20. The last Russia-specific public alert, “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,” was revised May 9. While DHS and the FBI are in frequent communications with agencies, companies, and individuals targeted by Russian cyberattacks, the public is often unaware of this quiet but vital activity. So more needs to be done by DHS and others to get the American people to understand and better resist the Russian hybrid-warfare campaigns that promote divisive propaganda and social-media manipulation. Russia’s hybrid-warfare strategy, which uses disinformation even more than cyberattacks, seems designed to wear down Western democracies’ opposition to Russia’s aggression. Senior DHS and administration officials should speak out more publicly on what Americans can do to counter Russian disinformation, cyber threats, and other Russian hybrid-warfare targeting of the civilian population. 
The home front—specifically, unity in the United States and NATO in opposing Russian aggression against Ukraine—is a vital source of national power. Ignoring it, or treating Ukraine as almost entirely a military and diplomatic crisis, could be a perilous mistake."

Advice to his fellow Russians from Vladimir Rudolfovich Solovyov.

Vladimir Rudolfovich Solovyov continues to advise his fellow Russian citizens through his chat show on Rossiya 1. Julia Davis captures some of Vladimir Rudolfovich's recent counsel as, "Do what you're told, and if you can't, kill yourself!" His strategic advice is, as he describes it, "terrorism." He would say, to the Ukrainian government, "You have 3 days for all civilians to leave Kharkiv, Mykolaiv, Odesa. 3 days. If it's not done, we tear it all down, block by block. 3 days." We note that Mr. Solovyov broadcasts from a secure neighborhood in Moscow.

The Telegraph reports polling that suggests such narratives may be losing some of their audience. The fraction of the population in Russia watching the news on state-run television has fallen from an invasion-week 86% to current levels of about 65%.

Not all coordinated inauthenticity is Russian.

Stanford's Internet Observatory this morning blogged about its investigation of the takedown, by Twitter and Facebook's parent Meta, of two coordinated networks of inauthentic accounts. "In July and August 2022," the Internet Observatory wrote, "Twitter and Meta removed two overlapping sets of accounts for violating their platforms’ terms of service. Twitter said the accounts fell foul of its policies on 'platform manipulation and spam,' while Meta said the assets on its platforms engaged in 'coordinated inauthentic behavior.' After taking down the assets, both platforms provided portions of the activity to Graphika and the Stanford Internet Observatory for further analysis."

The investigation found "an interconnected web of accounts on Twitter, Facebook, Instagram, and five other social media platforms that used deceptive tactics to promote pro-Western narratives in the Middle East and Central Asia." These efforts amounted to disparate campaigns conducted over approximately five years. "These campaigns consistently advanced narratives promoting the interests of the United States and its allies while opposing countries including Russia, China, and Iran. The accounts heavily criticized Russia in particular for the deaths of innocent civilians and other atrocities its soldiers committed in pursuit of the Kremlin’s 'imperial ambitions' following its invasion of Ukraine in February this year. A portion of the activity also promoted anti-extremism messaging."

The study draws two lessons in particular. First, the range of tactics available to, or at least used by, coordinated campaigns using inauthentic personae is limited; the tricks have been seen before. "The assets identified by Twitter and Meta created fake personas with GAN-generated faces, posed as independent media outlets, leveraged memes and short-form videos, attempted to start hashtag campaigns, and launched online petitions: all tactics observed in past operations by other actors." And, second, these campaigns seem not to have had much reach. "The vast majority of posts and tweets we reviewed received no more than a handful of likes or retweets, and only 19% of the covert assets we identified had more than 1,000 followers."

The generally successful Ukrainian operations provide an interesting contrast.