Cyber spillover

Summary

In this post I argue that geopolitical events involving Russia and Norway will result in an increase of cyber operations by the former against the latter. I expect three types of operations to increase: 1) Intelligence collection. 2) Signaling. 3) Preparation for future operations. Norway should respond on several levels: internationally, bilaterally, and within its own borders. I conclude that there is no silver bullet, but rather a lengthy effort is required.

Background

In this post I use Norway as a case study. The scenarios described should be applicable to the rest of the Nordic and the Baltic countries as well.

In a recent exam one question was whether Norway was sliding from a buffer between the US and Russia to a springboard for US troops. This is the position of Tormod Heier in his paper “Avoiding War: How Should Northern Europe Respond to the US-Russian Rivalry?” [1]. I reasoned that while previous self-imposed restrictions put in place by Norway have been eased or lifted during the last couple of years, there is little evidence that Norway will act as a springboard. Rather, I posit that Norway and the rest of the Nordic countries are moving into a position as strongholds. How this is perceived by Russia is entirely another question.

Regardless of whether you follow Heier’s analysis or mine, there is an increase in military activity and capability building in Norway.

What does this have to do with cyber? States now use the digital domain to reach their goals. For instance, espionage used to be conducted by spies. As new technologies came about (e.g. radio and cable) new avenues for states to spy on each other opened up. The same holds for the cyber domain: it is merely another scene where states exercise their craft. Thus, it’s my opinion that events in international relations cause ripples in the cyber domain.

Based on this I submit three possible outcomes affecting Norway:

  1. Increased intelligence collection
  2. Increased signaling
  3. Preparation for future operations

This list is of course not complete in terms of possible courses of action Russia might take. Rather, these outcomes are what I judge to be most likely in the near future. These outcomes are aggressive. However, judging by former Russian activity in cyberspace [2, 3] and their base view of being in constant conflict with the West [4] the items I list are well within what can be expected.

1. Increased intelligence collection

Russia will want to keep closer tabs on the ongoing transition in Norway. As the Norwegian Intelligence Service report for 2020 stated [5, 6], Russian intelligence is monitoring, amongst other things, Norwegian and allied military activity, new military infrastructure, and political decision making. One of the means of gathering intelligence is through cyber operations. An example would be for Russian intelligence to compromise a government institution, move through the network to find whatever they are looking for, and exfiltrate that information. With more allied activity on Norwegian soil the number of such intelligence operations is likely to increase.

2. Increased signaling

What does signaling entail? First, a definition is in order. “Signaling is the purposive and strategic revealing of information about intent, resolve, and/or capabilities by an actor A to alter the decision of another actor B to improve the chances that an outcome desired by A is reached when the outcomes of A and B are dissimilar” (emphasis added) [7]. The recipient must interpret a message from the signal, else no signaling occurred. As you can imagine, recipients don’t necessarily interpret the message the sender intended to convey. 

Overall, it’s a tool for a state to communicate with other states in order to attempt change in their behavior.

At first glance you might think that signaling only concerns written or spoken messages. It can be, but it can also be so much more. Firstly, signaling can be either public or private. If private, only the actors involved are aware of the signal (e.g. a secret message passed between two states). In public signaling, no attempt is made to keep it hidden. Here are two examples:

  • State A can signal towards state B their intent, resolve, and capability to defend their ally state C by stationing troops in their territory. This is a quite clear signal for state B, and they should be able to interpret it as state A intended. Clearly, Europe/US – Russia is what I had in mind in this example.
  • State A uses a new type of weapon to take out an enemy bunker signaling to other states their capability of doing so. Arguably, this is what the US did when using the MOAB in Afghanistan [8]. As the saying goes, the proof of the pudding is in the eating.

Can states signal using the cyber domain? Yes, but there are questions about how effective it is as raised by Ben Buchanan in his book The hacker and the state [9]. Nonetheless, it is my belief that Russia will want to use cyber as one facet of their signaling efforts.

It is my opinion that Russia will use signaling as part of a strategy of deterrence. Seeing that Norway is moving away from being a buffer between NATO and Russia to something else, it would be in Russia’s interest to at least slow down this transition. This follows the logic laid out in structural realism, where Russia doesn’t want the balance of power in the north to shift to their disadvantage.

As shown in previous operations it’s clear that Russia has offensive and destructive cyber capabilities. As far as I know from open reporting, none of these have targeted Norway directly (though it got hit by NotPetya like everyone else). Norway will feel the hammer coming down soon enough, and some analysis points in the direction that this is already happening.

Dragos, a US based cyber security company focusing on industrial infrastructure, released a whitepaper in March 2020 [10] looking at the Norsk Hydro ransomware incident [11, 12] and what makes it stand out as perhaps-something-else-than-a-criminal-undertaking.

Further, the whitepaper addresses the potential for threat actors to use ransomware not as a way of creating revenue but as a means of delivering a destructive capability that is effective, cheap, and carries plausible deniability. In a virtual conference Dragos presented on the topic of ransomware in industrial environments [13] in which the Norsk Hydro incident is used as a case. 

There are two items I would like to highlight from the whitepaper and the presentation:

  1. The ransomware itself makes it very hard to figure out how to pay the ransom. If you were able to pay it, it would be difficult to apply the key to unlock the affected systems. In all, the ransomware bears the marking of a malware that is intended to make all compromised systems unusable.
  2. Other companies in Norway were targeted with similar ransomware (and thus the same resulting impact) in the same time period as when the Norsk Hydro incident occurred. These attacks were thwarted when Norsk Hydro shared indicators of compromise with the Norwegian government who in turn shared the information with the community. 

No firm attribution exists for this incident. That doesn’t matter for this analysis. It serves as a perfect case in point for the type of attacks that Norwegian organizations should expect to see more of. So, for the sake of argument I’m going to use this incident as if it was conducted by Russian operators. 

If viewed through the lens of signaling, how should we understand the Norsk Hydro incident? For me it seems clear that the perpetrator is showing their intent and capability to introduce substantial costs to the Norwegian society by targeting several organizations through destructive cyber operations. Luckily, only one organization was affected.

What message is Norway to receive? In this case, I would submit that the attacker is telling Norway to remember who has the biggest stick in the neighborhood, and that they are able and willing to use it, so think carefully about your next moves.

3. Preparation for future operations

This outcome stands on the following premise: Cyber operations have end goals, such as exfiltration of information or financial gain. Before the end goal is reached there is a range of steps the attacker must successfully undertake. These steps are described in models such as the Cyber kill chain [14] and the ATT&CK framework [15]. Which one you subscribe to doesn’t matter for the sake of this analysis. What’s important is to understand that at each step the attacker takes there is an opportunity for the defender to detect and stop the intrusion. Yes, offense has initiative, but defense has the home field advantage. Completing each step undetected and establishing lasting persistence is likely to take time, especially if targeting an organization with a mature cyber security function.

Logic suggests that Russia will want to keep the time from goal identification (e.g. intelligence collection or signaling) to mission completion as short as possible. Nothing cuts this time span like already having access established. A natural consequence of this reasoning is that Russia will attempt to compromise and establish persistent access to Norwegian assets they deem of likely interest in the future. Examples of such assets are government institutions (civilian and military), political organizations, critical infrastructure, financial institutions, and corporations.

Now what?

What actions should Norway take knowing what’s coming? Is there really anything meaningful to do? I use the four images of analysis as the point of departure in this section. I keep the proposals at the strategic level as operational and tactical courses of action are out of scope of this analysis. There’s a liberal theme to these propositions, with a sprinkle of realism to bring it back.

System level

Norway considers the UN as its first line of defense. As a small state dependent on a stable and functioning international system it’s in Norway’s interest that state obligations and interactions are governed by norms, rules, and institutions, such as the United Nations Convention on the Law of the Sea (UNCLOS). UNCLOS serves as a good example as the “sea domain” is mature and states more or less agree on how to act, how to solve conflict, etc. 

The “cyber domain” on the other hand is immature, and little agreement exists on how states can and should behave. There are initiatives by the UN to mature this domain, such as the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) [16]. The former has a set number of participants while the latter is open for all.

Some progress was made by the GGE when it was able to reach consensus on the principle that international law applies to the cyber domain. However, it has not been able to get states to agree on exactly how it applies.

Norway is a member of the GGE for the 2019-2021 period. It has also participated in the OEWG. In addition, Norway was selected as a temporary member of the UN Security Council for 2021-2022.

Norway is in a good position to use all of these avenues to continue maturing the development of norms and understanding of international law in the cyber domain. It is my opinion that in this context Norway can afford to be even more forward-leaning than what it usually is. It has built a lot of political capital from previous engagements that it should try to tap into.

Though important, none of these arenas will solve anything in the short to mid-term. Even if the UN is somehow able to get all states to agree upon a solid framework for state behavior in the cyber domain, each and every state can choose to ignore the rules and norms as there is no “higher power” to enforce them (though they may face repercussions by other states). Such is the reality of the anarchic international system.

Bilateral

While Norway sits firmly in “team West” and supports the sanctions against Russia, there is quite a bit of collaboration between these two states, especially in topics concerning the Arctic (e.g. the Arctic Council, the Barents Euro-Arctic Council, and the Barents Regional Council). Consequently, there is a lot of contact between politicians on both sides. This bilateral activity should not be reduced. Rather, I submit that it should increase. Engaging Russia on one topic opens the door to engage on other topics. This should be seen in the context of the effort put in at the UN as an attempt to further the development of rules and norms in the cyber domain.

Norway should not fall into the trap of thinking that it can “reset” the relationship with the Kremlin, as e.g. France seems to be a proponent of. Russia must be treated as it is, not as we wish it to be. Norway must strike the balance of cooperation with allies (e.g. participating in sanction regimes) whilst not poking the bear (e.g. going solo on attribution).

State

Two domestic laws are key for the Norwegian state in this context:

  1. The national security act. A refurbished version entered into force the first of January 2019.
  2. The intelligence service act. A brushed up version has been highly debated due to its inherent conflict with the protection of personal information. It has been approved but is yet to be implemented.

I won’t spend time describing these regulations. What’s important to note is that Norway has taken steps to modernize regulations so that they better fit reality, both in terms of technological advancements made in the last decades and the current threat landscape. The theoretical outcome is that the security services will be better positioned to face off with Russian cyber operations.

This is a positive development, and there are likely other laws that are ripe for review as well.

Individual

The person that can bring most to the table in this setting is Ine Marie Eriksen Søreide [17]. A career politician, she has extensive experience working in the foreign affairs committee in the parliament, as minister of defense, and currently as the minister of foreign affairs. She is considered a highly competent and effective politician and enjoys a solid reputation internationally.

Should Norway prioritize cyber issues (as I hope it will), Eriksen Søreide as a diplomatic asset should be put front and center of the effort.

Conclusion

In sum, Norway should expect to see an increase in cyber operations conducted by Russia. Some of these will be what you might call business as usual (intelligence collection is considered accepted behavior amongst states). Others are likely to cause an outcry due to their destructive nature. Most organizations will avoid the worst impact, and some will get Hydro’ed.

No short or mid-term fixes are readily available. It is my opinion that states, and especially the more powerful ones, do not want to reach a consensus on state behavior in the cyber domain as it will limit their room for maneuver. However, apathy will not bring change. Norway should play the long game and continue working internationally and bilaterally on cyber issues. Estonia is a prime example of how a small state can bring positive contributions into the discussion.

I don’t foresee Russia causing physical destructive effects, e.g. turning off parts of the power grid. Yes, evidence points to Russia doing so in Ukraine. Norway and Ukraine are not comparable; the former is part of NATO and enjoys the accompanying deterring effect, while the latter is not, and is bogged down in a conflict with Russia.

Endnotes

As I’m wrapping up this post the US Marines threw a wrench into the equation; they just went from having up to 700 marines stationed and thinking of establishing their main base for Europe in Norway to moving all but 20 logistical personnel out of the country [18, 19, both in Norwegian]. US presence is being drastically reduced in Norway, though they will return for joint exercises. Politicians are downplaying the move, but it should be clear for everyone that a gap in Norwegian deterrence opened up wide.

At the same time B-52s trained alongside Norwegian aircraft [20], a US submarine (USS Seawolf) [21] paid a visit to the northern town of Tromsø, and a US spy plane flew close to the Russian border in the Barents Sea [22]. The cherry on the top is an ongoing espionage-turned-diplomatic spat between Oslo and the Kremlin [23].

How this affects the tension between Norway and Russia and the outcomes as described in this post remains to be seen. Indeed, it’s a volatile situation to keep track of.

References

[1] https://arcticreview.no/index.php/arctic/article/view/1218/2863

[2] https://www.wired.com/story/russian-hackers-attack-ukraine/?_ga=2.238801152.1479880037.1597914875-352378535.1597914871

[3] https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack

[4] https://www.researchgate.net/publication/313423985_Handbook_of_Russian_Information_Warfare

[5] https://forsvaret.no/fokus

[6] https://cyberinthemiddle.com/2020/05/30/norwegian-threat-report-for-2020/

[7] Gartzke, E., Carcelli, S., Gannon, J., & Zhang, J.  (2017, August 22). Signaling in Foreign Policy. Oxford Research Encyclopedia of Politics. Retrieved 12 Aug. 2020, from https://oxfordre.com/politics/view/10.1093/acrefore/9780190228637.001.0001/acrefore-9780190228637-e-481

[8] https://www.bbc.com/news/world-asia-39598046

[9] Buchanan, B., 2020. The Hacker And The State. 1st ed. Harvard University Press.

[10] https://www.dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf

[11] https://www.hydro.com/en-NO/media/on-the-agenda/cyber-attack/

[12] https://news.microsoft.com/transform/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/

[13] https://youtu.be/3PNZu9J1oqc

[14] https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

[15] https://attack.mitre.org

[16] https://dig.watch/processes/un-gge#view-7541-3

[17] https://www.politico.eu/list/politico-28-class-of-2019-the-ranking/ine-marie-eriksen-soreide/

[18] https://vg.no/nyheter/innenriks/i/1nmgwG/forsvarsministeren-varslet-faerre-amerikanske-soldater-i-norge 

[19] https://www.vg.no/nyheter/innenriks/i/pLJpVX/sjefsskifte-i-forsvaret-usa-flytter-ut-idet-ny-forsvarssjef-flytter-inn

[20] https://www.airforcemag.com/b-52s-deploy-to-europe-train-in-norway/

[21] https://www.c6f.navy.mil/Press-Room/News/Article/2320730/uss-seawolf-operates-in-6th-fleet/fbclid/IwAR2q__cRzeBxgPjVSfLT0tkWEwSLRGCiXRBV0GD2hrETn7NH7Zeoss_-pKM/

[22] https://theaviationist.com/2020/08/27/u-s-rc-135u-combat-sent-flies-11-hour-mission-quite-close-to-the-russian-airspace-over-the-barents-sea/

[23] https://www.reuters.com/article/us-russia-norway-expulsion/russia-expels-norwegian-diplomat-over-spy-case-idUSKBN25O154
