The Subversive Trilemma
The Subversive
Trilemma
Why Cyber Operations Fall
Short of Expectations
Lennart Maschmeyer
为了
三
几十年,
states have engaged in cyber conºict, yet the strategic utility of cyber opera-
tions remains unclear. Strategic utility refers to measurable contributions to-
ward a state’s political goals or shifts in the balance of power.1 Similar to the
1920s–1940s air power debates, scholars have expected new technology to rev-
olutionize conºict and provide independent utility.2 When warplanes ªrst
出现了, some experts predicted the end of conventional warfare because air-
planes were able “to strike mortal blows to the heart of the enemy at lightning
speed.”3 Similarly, when the World Wide Web gained popularity in the 1990s,
some analysts predicted a future of cyberwar in which “neither mass nor mo-
bility but information” would become decisive.4 Subsequent theorizing envi-
sioned strategic cyber strikes similar to strategic aerial attacks, shaping fears of
a “cyber Pearl Harbor.”5 There is, 然而, a key difference between the two.
Lennart Maschmeyer is a senior researcher at the Center for Security Studies at ETH Zürich.
The author thanks Ronald Deibert, Jesse Driscoll, Nadiya Kostyuk, Gabrielle Lim, Jon Lindsay,
Louis Pauly, Irene Poetranto, Max Smeets, Lucan Way, the team at the Citizen Lab at the Univer-
sity of Toronto, the team at the Center for Security Studies at ETH Zürich (especially Alexander
Bollfrass, Myriam Dunn Cavelty, 毛罗·吉利, Enzo Nussio, 和安德烈亚斯·温格), as well as the
anonymous reviewers for their helpful comments on earlier drafts of this article. He is also grate-
ful to Lesia Bidochko, Daria Goriacheva, Oksana Grechko, and Mariya Green for research assis-
坦斯. The author is also indebted to Olga Paschuk for her interpretation services in Ukraine.
最后, the author thanks Lisa Maschmeyer for designing ªgure 1. The online appendix for this ar-
ticle is available at doi.org/10.7910/DVN/IZ65MC.
1. Robert A. Pape, Bombing to Win: Air Power and Coercion in War (纽约: 康奈尔大学
按, 1996), p. 57.
2. 看, 例如, Winn Schwartau, Information Warfare: Cyberterrorism: Protecting Your Personal
Security in the Electronic Age, 2ND版. (纽约: Thunder’s Mouth, 1996); Dima Adamsky and
Kjell Inge Bjerga, “Introduction to the Information-Technology Revolution in Military Affairs,”
Journal of Strategic Studies, 卷. 33, 不. 4 (2010), PP. 463–468, doi.org/10.1080/01402390.2010
.489700; Lucas Kello, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,” In-
ternational Security, 卷. 38, 不. 2 (落下 2013), PP. 7–40, doi.org/10.1162/ISEC_a_00138; 和
Jacquelyn Schneider, “The Capability/Vulnerability Paradox and Military Revolutions: Implica-
tions for Computing, Cyber, and the Onset of War,》 战略研究杂志, 卷. 42, 不. 6 (2019),
PP. 841–863, doi.org/10.1080/01402390.2019.1627209.
3. Giulio Douhet, The Command of the Air, 反式. Dino Ferrari (华盛顿, 华盛顿特区: Ofªce of Air
Force History, 1983), p. 15.
4. John Arquilla and David Ronfeldt, “Cyberwar Is Coming!” 比较策略, 卷. 12, 不. 2
(1993), PP. 141–165, doi.org/10.1080/01495939308402915.
5. James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” 生存, 卷. 53,
不. 1 (2011), PP. 23–40, doi.org/10.1080/00396338.2011.555586; 理查德·A. Clarke and Robert K.
Knake, Cyber War: The Next Threat to National Security and What to Do about It (纽约:
HarperCollins, 2010); and James J. Wirtz, “The Cyber Pearl Harbor,” in Emily O. Goldman and
John Arquilla, 编辑。, Cyber Analogies (Monterey, 加利福尼亚州。: Naval Postgraduate School, 2014).
国际安全, 卷. 46, 不. 2 (落下 2021), PP. 51–90, https://doi.org/10.1162/isec_a_00418
© 2021 由哈佛大学和麻省理工学院的校长和研究员撰写.
51
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 52
World War II demonstrated the terribly destructive capacity of aerial bombing,
conªrming its combat effectiveness (or the capacity to destroy target sets).6
最后, scholarly debate has primarily examined “whether the destruc-
tion of target sets attains political goals.”7 In contrast, “cyber wars” remain hy-
pothetical, the combat effectiveness of cyber operations remains unproven,
and scholars increasingly question their utility in warfare.8
反而, a new “cyber revolutionary” school of thought asserts that informa-
tion technology revolutionizes conºict short of war by increasing the effective-
ness of nonmilitary instruments. Lucas Kello argues that “the virtual weapon
is expanding the range of possible harm and outcomes between the concepts
of war and peace,” creating a novel strategic state of “unpeace.”9 Despite its
different focus, this new revolutionary thesis rests on remarkably similar as-
sumptions about the operational effectiveness of cyber operations as the cyber-
war theories that preceded it. Operational effectiveness concerns the capacity
to produce desired effects against a target set. As I will show, cyberwar and
cyber revolution scholars expect three key properties of information technolo-
gies to provide superior operational effectiveness: the speed of communica-
的, the global scope and scale of computer networks, and the ease of online
anonymity.10
Information technology has produced signiªcant economic
efªciencies, and revolutionary scholars expect comparable gains in effective-
ness by employing the technology in conºict. A key instrument of utilizing in-
formation technology in security competition is cyber operations, which I
deªne as the exploitation of vulnerabilities in information and communica-
tions technologies (ICTs) to produce desired outcomes against adversaries.11
Because the revolutionary thesis posits that information technology increases
效力, its adherents expect cyber operations to expand the independent
strategic utility of instruments short of war. As Richard Harknett and Max
6. Pape, Bombing to Win, p. 56.
7. 同上。, p. 57. See also Phil Haun, “Foundation Bias: The Impact of the Air Corps Tactical School
on United States Air Force Doctrine,” Journal of Military History, 卷. 85, 不. 2 (四月 2021),
PP. 453–474.
8. Erik Gartzke, “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth,” 国际米兰-
national Security, 卷. 38, 不. 2 (落下 2013), PP. 41–73, doi.org/10.1162/ISEC_a_00136; Thomas Rid,
Cyber War Will Not Take Place (纽约: 牛津大学出版社, 2013); Brandon Valeriano and
Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conºict in the International System (新的
约克: 牛津大学出版社, 2015); Jon R. Lindsay, “Restrained by Design: The Political Econ-
omy of Cybersecurity,” Digital Policy, Regulation, and Governance, 卷. 19, 不. 6 (2017), PP. 493–514,
doi.org/10.1108/DPRG-05-2017-0023; and Erica D. Borghard and Shawn W. Lonergan, “Cyber Op-
erations as Imperfect Tools of Escalation,” Strategic Studies Quarterly, 卷. 13, 不. 3 (落下 2019),
PP. 122–145, https://www.jstor.org/stable/26760131.
9. Lucas Kello, The Virtual Weapon and International Order (新天堂, 康涅狄格州: Yale University
按, 2017), PP. 75–78.
10. I discuss these assumptions and their origins in detail in this article.
11. Exploitation enables both passive information collection and active effects. This study focuses
on active effects (IE。, manipulation, disruption, or damage of targeted computer systems).
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 53
Smeets conclude, “cyber operations and campaigns can be pivotal in world af-
fairs by independently . . . supporting the maintenance or alteration of the bal-
. without having to resort to military violence.”12 Just
权力的力量 .
as cyberwars failed to manifest in practice, 然而, empirical evidence for
this cyber revolution remains scarce. 相反, a growing body of re-
search shows how cyber operations seem to fall short of their promise, both in
warfare and conºict short of war.13
.
I argue that the reason for this shortfall lies at the operational level of
conºict, whereby actors deploy combinations of tactics to attain strategic
goals.14 Stephen Biddle has shown how operational mechanisms are crucial for
determining the strategic utility of new technologies in conventional war, 和
I contend the same applies to cyber conºict.15 Prevailing expectations tend to
focus on the strategic promise of new technology, but they overlook the op-
erational mechanisms required to fulªl it. 在本文中, I show that the mis-
match between promise and practice is the consequence of the subversive
nature of cyber operations, whose operational trilemma limits strategic utility.
Cyber operations produce outcomes by exploiting vulnerabilities in com-
puter systems and the way they are embedded in modern societies.16 This
mechanism is commonly known as hacking.17 Hacking may appear to be a
novel instrument, yet its primary reliance on exploitation reveals its parallels
to subversion.18
Subversion is an understudied instrument of power used in nonmilitary co-
vert operations. 最后, the ªeld of international relations lacks a theory
12. 理查德·J. Harknett and Max Smeets, “Cyber Campaigns and Strategic Outcomes,》杂志
Strategic Studies (2020), p. 24, doi.org/10.1080/01402390.2020.1732354.
13. Erica D. Borghard and Shawn W. Lonergan, “Cyber Operations as Imperfect Tools of Escala-
的,” Strategic Studies Quarterly, 卷. 13, 不. 3, (落下 2019), PP. 122–145, https://www.airuniversity
.af.edu/Portals/10/SSQ/documents/Volume-13_Issue-3/Borghard.pdf; Jon R. Lindsay, “Stuxnet
and the Limits of Cyber Warfare,” 安全研究, 卷. 22, 不. 3 (2013), PP. 365–404, doi.org/
10.1080/09636412.2013.816122; Jason Healey, 编辑。, A Fierce Domain: Conºict in Cyberspace, 1986 到
2012 (维也纳, Va.: Cyber Conºict Studies Association, 2013); and Rebecca Slayton, “What Is the
Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment,” 国际安全,
卷. 41, 不. 3 (冬天 2016/17), PP. 72–109, doi.org/10.1162/ISEC_a_00267.
14. Edward N. Luttwak, “The Operational Level of War,” 国际安全, 卷. 5, 不. 3 (Win-
特尔 1980/81), p. 61, doi.org/10.2307/2538420.
15. Stephen Biddle, Military Power: Explaining Victory and Defeat in Modern Battle (普林斯顿大学, 新泽西州:
普林斯顿大学出版社, 2010).
16. Jon Erickson, Hacking: The Art of Exploitation (旧金山, 加利福尼亚州。: No Starch, 2003), PP. 115–
116.
17. Franklin Kramer notes that “cyber attacks—hacking of various kinds—are a fact of modern
life.” Kramer, “Cyberpower and National Security: Policy Recommendations for a Strategic
Framework,” in Franklin D. 克莱默, Stuart H. Starr, and Larry K. Wentz, 编辑。, Cyberpower and Na-
国家安全 (华盛顿, 华盛顿特区: Potomac, 2009), p. 15. See also Ben Buchanan, The Hacker and the
状态: Cyber Attacks and the New Normal of Geopolitics (剑桥, 大量的。: 哈佛大学出版社,
2020), p. 3; and David J. Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for Cyber-
力量 (阿宾登, 英国: 劳特利奇, 2011), PP. 26–31.
18. 布坎南, The Hacker and the State.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 54
of subversion. Building on existing work in intelligence studies, this article de-
velops such a theory and shows why cyber operations rely on subversion. 它
demonstrates that the deªning characteristic of subversion is its reliance on the
secret exploitation of vulnerabilities in a system of rules. 因此, I deªne
subversion as exploiting vulnerabilities to secretly inªltrate a system of rules
and practices in order to control, 操纵, and use the system to produce
detrimental effects against an adversary. In traditional subversion, states target
social systems. 通常, states have used undercover spies to inªltrate groups
and institutions, establish inºuence within the latter, and then use this inºu-
ence to produce desired outcomes against an adversary.19 Although cyber
operations target a different kind of system, I show that the mechanism of ex-
ploitation has the same subversive characteristics.
Subversion’s reliance on exploitation distinguishes it from warfare and
diplomacy, the two classic instruments of power in security competition. Sub-
version holds great strategic promise because of two key properties of exploi-
站: its secrecy and indirect reliance on adversary systems. Secrecy can be
either covert (the identity of the actor is obscured) or clandestine (the activity
itself is obscured).20 Existing research identiªes two strategic beneªts of se-
crecy: it lowers states’ escalation risks and reputation costs for intervening in
the affairs of their adversaries.21 The indirect nature of exploitation also lowers
resource costs compared to the use of force. It is indirect because subversive
actors produce effects through exploited systems. Subversion leverages an ad-
versary’s own capabilities against its own systems to produce effects. 这些
effects range from inºuencing government policies and public opinion to de-
grading material capabilities through sabotage to undermining institutional
efªciency and effectiveness.22 In short, subversion promises a less expensive
and less risky alternative to warfare that states can use to actively interfere in
19. Paul W. Blackstock, The Strategy of Subversion: Manipulating the Politics of Other Nations (志-
卡戈: Quadrangle, 1964); and Lawrence W. Beilenson, Power through Subversion (华盛顿, 华盛顿特区:
Public Affairs, 1972).
20. 迈克尔·E. DeVine, Covert Action and Clandestine Activities of the Intelligence Community: Selected
Deªnitions in Brief (华盛顿, 华盛顿特区: Congressional Research Service, 六月 14, 2019).
21. Austin Carson, Secret Wars: Covert Conºict in International Politics (普林斯顿大学, 新泽西州: 普林斯顿大学
大学出版社, 2018); and Michael Poznansky, “Feigning Compliance: Covert Action and Inter-
national Law,” International Studies Quarterly, 卷. 63, 不. 1 (行进 2019), PP. 72–84, doi.org/
10.1093/isq/sqy054.
22. Howard L. Douthit III, “The Use and Effectiveness of Sabotage as a Means of Unconventional
Warfare: An Historical Perspective from World War I through Vietnam,” 硕士论文, Air
Force Institute of Technology, 一月 21, 1988, https://apps.dtic.mil/sti/pdfs/ADA188034.pdf;
Beilenson, Power through Subversion, p. 80; Eckard Michels, Guillaume, der spion: Eine deutsch-
deutsche karriere [Giullaume, the spy: A German career] (柏林: Links Christoph Verlag, 2013); 和
Christopher Andrew and Vasili Mitrokhin, The Sword and the Shield: The Mitrokhin Archive and the
Secret History of the KGB (纽约: 基础书籍, 1999), PP. 364, 473.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 55
their adversaries’ affairs and attempt to shift the balance of power when diplo-
macy falls short. Cyber operations share this promise. Because various social,
政治的, and physical processes are increasingly computerized, subverting
these computer systems can produce a range of physical, 政治的, and eco-
nomic effects. Cyber revolutionary theory accordingly expects cyber opera-
tions to offer a low-risk and low-cost, yet highly effective, instrument for
conducting sabotage, 政治干预, and economic disruption.
然而, I identify an operational trilemma that tends to prevent subversion from
fulªlling this promise, and this article shows why cyber operations also face
this trilemma. The same characteristics that enable the promise of subversion
(IE。, its secret and indirect nature) require signiªcant efforts to establish and
维持. These efforts constrain operational effectiveness across three key
变量. 第一的, they slow operational speed, deªned as the time required from
starting an operation until it produces effects. 第二, they constrain the inten-
sity of effects, determined by both scope and scale. Scope concerns the severity
of effects against individual targets, and scale comprises the number of targets
affected and thus the scale of societal impact.23 Third, efforts to maintain se-
crecy and exploit systems limit control, deªned as the extent of control over a
targeted system, and over the effects produced through this system.
These constraints pose a trilemma for actors because the three variables (IE。,
速度, intensity of effects, and control) are negatively correlated—a gain in one
variable tends to produce losses across the other two variables. 例如,
the higher the operational speed, the less intensity and control actors tend to
达到. As mentioned, the revolutionary thesis expects information technol-
ogy to enable high-speed cyber operations with large-scale effects under a
mantle of secrecy. 在实践中, 然而, the trilemma prevents actors from
achieving these properties all at once. 最后, in most circumstances
cyber operations fall short of their strategic promise and provide, 最好, lim-
ited strategic utility.
I test this theory through an in-depth case study of the ongoing Russo-
Ukrainian conºict. This protracted conºict started in 2013, and it includes ªve
major disruptive cyber operations that attempted election interference, sabo-
tage, and economic dislocation. As a paradigmatic example of cyber-enabled
low-intensity conºict involving one of the world’s leading cyber powers,
俄罗斯, against a much weaker adversary, one would most expect to observe
the utility of cyber operations. With its long duration and multiple cyber oper-
ations in a real-world “test lab” of cyber conºict, the constraints of the
23. This deªnition builds on Herman Kahn’s deªnition of conºict intensity. Kahn, On Escalation:
Metaphors and Scenarios (韦斯特波特, 康涅狄格州: Greenwood, 1986 [1965]).
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 56
trilemma are least likely to apply.24 Consequently, the Russo-Ukrainian conºict
is a crucial case.25 I introduce and use a systematic framework to measure op-
erational effectiveness across the variables of speed, intensity, and control, 和
I triangulate strategic utility. The case study leverages rich original data from
ªeld interviews with experts in Ukraine, leaked Russian documents and
emails, and forensic reports. Evidence from these sources supports my theory
that the subversive trilemma constrains operational effectiveness and limits
strategic utility.
This article makes three main contributions. 第一的, it furthers the current de-
bate in cybersecurity between cyber revolutionaries and an emerging rival the-
sis of “cyber evolution,” whose proponents point out the general strategic
continuity between cyber conºict and intelligence contests.26 The theory of the
subversive trilemma clariªes what types of intelligence operations cyber oper-
ations reproduce, and how operational constraints limit their strategic utility.
第二, the theory contributes to security studies by clarifying the strategic
role of cyber operations as instruments of subversion that promise an effective
alternative to force yet offer limited utility in practice. The theory of subver-
sion also contributes to international relations, which has neglected the topic.
第三, the article adds rich empirical evidence on the mechanisms, constraints,
and utility of cyber operations that will be useful for both cybersecurity and
international security scholars.
The argument proceeds as follows. 第一的,
I outline how expectations
about the strategic utility of cyber operations have evolved. 第二, I develop
the theory of subversion from which I derive a set of expectations and hypoth-
eses. This section also speciªes the research design and empirical strategy.
第三, I present the case study, which examines the operational effectiveness
and strategic utility of cyber operations in the Russo-Ukrainian conºict. I con-
clude with a discussion of alternate explanations and potential limitations of
the study before laying out the implications for international security.
24. Andy Greenberg, “How an Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired,
六月 20, 2017, https://www.wired.com/story/russian-hackers-attack-ukraine/.
25. A “crucial case” is one “in which a theory that passes empirical testing is strongly supported
and one that fails is strongly impugned.” Alexander L. George and Andrew Bennett, Case Studies
and Theory Development in the Social Sciences (剑桥: 麻省理工学院
按, 2005), p. 9.
26. Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense, and Deception in
Cyberspace,” 安全研究, 卷. 24, 不. 2 (2015), PP. 316–348, doi.org/10.1080/09636412.2015
.1038188; Aaron Franklin Brantly, The Decision to Attack: Military and Intelligence Cyber Decision-
制作 (雅典: University of Georgia Press, 2016), PP. 43–62, http://muse.jhu.edu/book/45365;
and Joshua Rovner, “Cyber War as an Intelligence Contest,” 岩石战争博客, 九月 16,
2019, https://warontherocks.com/2019/09/cyber-war-as-an-intelligence-contest/.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 57
Existing Literature on the Strategic Utility of Cyber Operations
Cybersecurity scholars’ expectations concerning the strategic utility of cyber
operations have shifted from warfare to conºict short of war. Initial research
expected cyber operations to provide independent utility in warfare, 使能
strategic cyber strikes and offering an offensive advantage.27 Such cyberwar
theorizing rested on three assumptions about the effectiveness of cyber oper-
ations: information technology enabled unrivaled operational speed compared
to conventional warfare,28 while the Internet’s design facilitates anonymity29
and its global scale allows actors to disrupt or damage targets at massive
scale.30 Accordingly, other scholars assumed that the same three properties
also offered strategic utility as complements to the use of force.31 But scenarios
of cyberwar and escalation did not manifest in practice. 反而, the inten-
sity of cyber conºict has remained below the threshold of war.32
Cyber revolution theory proposes, 因此, that cyber operations offer
27. Arquilla and Ronfeldt, “Cyberwar Is Coming!”; 克莱默, “Cyberpower and National Secu-
rity”; Clarke and Knake, Cyber War; 威廉·J. Lynn III, “Defending a New Domain,” Foreign Af-
博览会, September/October 2010, https://www.foreignaffairs.com/articles/united-states/2010-09-
01/defending-new-domain; Joseph S. Nye Jr., “Nuclear Lessons for Cyber Security?” Strategic
Studies Quarterly, 卷. 5, 不. 4 (冬天 2011), PP. 18–38, https://www.jstor.org/stable/26270536;
and Wirtz, “The Cyber Pearl Harbor.”
28. Daniel T. Kuehl, “From Cyberspace to Cyberpower: Deªning the Problem,” in Kramer, Starr,
and Wentz, 编辑。, Cyberpower and National Security, p. 28; Nye, “Nuclear Lessons for Cyber Secu-
理性?” p. 18; 林恩, “Defending a New Domain”; James C. Mulvenon and Gregory J. Rattray, 编辑。,
Addressing Cyber Instability (维也纳, Va.: Cyber Conºict Studies Association, 八月 2012), p. 23;
Jacquelyn Schneider, “Cyber and Crisis Escalation: Insights from Wargaming,” United States Na-
val War College, 2017, p. 1, https://paxsims.ªles.wordpress.com/2017/01/paper-cyber-and-crisis-
escalation-insights-from-wargaming-schneider.pdf; and Clarke and Knake, Cyber War, p. 34.
29. Martin C. Libicki, Cyberdeterrence and Cyberwar (圣莫妮卡, 加利福尼亚州。: RAND, 2009), p. 43;
Gregory J. Rattray, “An Environmental Approach to Understanding Cyberpower,” in Kramer,
Starr, and Wentz, 编辑。, Cyberpower and National Security, p. 272; 林恩, “Defending a New Domain”;
Joseph S. Nye Jr., Cyber Power (剑桥, 大量的。: Belfer Center for Science and International
事务, Harvard Kennedy School, 可能 2010), p. 6, https://www.belfercenter.org/sites/default/
ªles/legacy/ªles/cyber-power.pdf; Chris C. Demchak and Peter Dombrowski, “Rise of a Cybered
Westphalian Age,” Strategic Studies Quarterly, 卷. 5, 不. 1 (春天 2011), PP. 32–61, https://万维网
.jstor.org/stable/26270509; and Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,”
p. 35.
30. Rattray, “An Environmental Approach to Understanding Cyberpower,” PP. 266–268; 林恩,
“Defending a New Domain,” p. 1; Nye, “Nuclear Lessons for Cyber Security?” p. 21; and Peter
Dombrowski and Chris C. Demchak, “Cyber War, Cybered Conºict, and the Maritime Domain,”
Naval War College Review, 卷. 67, 不. 2 (春天 2014), p. 73, https://www.jstor.org/stable/
26397758.
31. Libicki, Cyberdeterrence and Cyberwar, p. 139; Max Smeets, “The Strategic Promise of Offensive
Cyber Operations,” Strategic Studies Quarterly, 卷. 12, 不. 3 (落下 2018), PP. 90–113, https://万维网
.jstor.org/stable/26481911; and Jon R. Lindsay and Erik Gartzke, “Coercion through Cyberspace:
The Stability-Instability Paradox Revisited,” in Kelly M. Greenhill and Peter Krause, 编辑。, Coercion:
The Power to Hurt in International Politics (纽约: 牛津大学出版社, 2018).
32. Valeriano and Maness, Cyber War versus Cyber Realities.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 58
states a newly effective instrument in competition short of war, revolutioniz-
ing the way states compete.33 Although they consider different types of con-
ºict, revolutionary scholars and cyberwar theorists base their arguments on
remarkably similar assumptions. Cyber revolution scholars emphasize how
information technologies increase the speed,34 规模,35 and relative ease of
anonymity36 of instruments short of war, enhancing their effectiveness and ele-
vating their strategic utility. 尤其, Michael Fischerkeller and Richard
Harknett suggest that technological change has expanded the scope and scale
of intelligence operations to such an extent that it constitutes a “difference in
kind” in strategic utility,37 while Michael Warner suggests that information
technology may have “ªxed covert action’s problem of scale.”38 Ben Buchanan
goes as far as proclaiming the advent of a “new form of statecraft,” whereby
“one of the primary ways governments shape geopolitics is by hacking other
countries.”39 The underlying assumptions about the strategic promise of infor-
mation technology continue to be widely shared yet rarely tested empirically.
而且, the scarce empirical work on key cases indicates the limited effec-
tiveness and utility of cyber operations.40
A rival set of scholars argues that cyber operations are merely an evolution
of covert operations.41 While this perspective speciªes the larger strategic
空间 (IE。, intelligence contests), it still lacks a theory about the operational
mechanisms and strategic utility of cyber operations. Intelligence operations
encompass a broad range of activities, from passive information collection to
active interference,42 and cyber operations cannot likely reproduce all of them
equally well. As Loch Johnson has shown, covert operations have been de-
33. Kello, The Virtual Weapon and International Order; 迈克尔·沃纳, “A Matter of Trust: 钴-
vert Action Reconsidered,” Studies in Intelligence, 卷. 63, 不. 4 (十二月 2019), PP. 33–41,
https://www.cia.gov/static/d61827122b5a1b8023e0f11678c2edce/Covert-Action-Reconsidered
.pdf; 布坎南, The Hacker and the State; Harknett and Smeets, “Cyber Campaigns and Strategic
Outcomes”; and Michael P. Fischerkeller and Richard J. Harknett, Cyber Persistence Theory, Intelli-
gence Contests, and Strategic Competition (Alexandria, Va.: Institute for Defense Analyses, 六月
2020), https://apps.dtic.mil/sti/pdfs/AD1118679.pdf.
34. Kello, The Virtual Weapon and International Order, p. 2; and Harknett and Smeets, “Cyber Cam-
paigns and Strategic Outcomes,” p. 9.
35. 华纳, “A Matter of Trust,” p. 38; and Buchanan, The Hacker and the State, p. 290.
36. 布坎南, The Hacker and the State, p. 1; Kello, The Virtual Weapon and International Order,
p. 154; and Harknett and Smeets, “Cyber Campaigns and Strategic Outcomes,” p. 24.
37. Fischerkeller and Harknett, Cyber Persistence Theory, Intelligence Contests, and Strategic Competi-
的, p. 10.
38. 华纳, “A Matter of Trust,” p. 38.
39. 布坎南, The Hacker and the State, p. 7.
40. Lindsay, “Stuxnet and the Limits of Cyber Warfare”; and Slayton, “What Is the Cyber Offense-
Defense Balance?”
41. Gartzke and Lindsay, “Weaving Tangled Webs”; Rovner, “Cyber War as an Intelligence Con-
test”; and Brantly, The Decision to Attack.
42. 迈克尔·沃纳, “Wanted: A Deªnition of ‘Intelligence’,” Studies in Intelligence, 卷. 46,
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 59
ployed to produce a wide range of effects, from inºuencing public opinion to
sabotage to full-blown secret wars.43 Importantly, evolution theory does not
clarify which of these effects cyber operations can and cannot produce, 和
thus their strategic utility remains unclear. Current scholarship on covert oper-
ations focuses primarily on military operations.44 Yet, the premise of the cur-
rent shift in scholarly attention toward conºict short of war is the emerging
consensus that cyber operations are relatively ineffective and irrelevant in war-
fare.45 Hence, cyber operations are not likely to be useful substitutes for mili-
tary covert operations. 相当, as the next section shows, cyber operations are
nonmilitary instruments of subversion.
Why Cyber Operations are Subversive
在这个部分, I develop the theory of subversion. I show how both subversion
and cyber operations rely on secret exploitation and face an operational
trilemma that limits their strategic promise. There is no general theory about
subversion, and the scholarly work on the topic is scarce. Existing studies ei-
ther tie their deªnition of subversion to a speciªc goal, the overthrow of gov-
ernments from within,46 or they examine its use in speciªc contexts, 例如
using nonstate proxies to undermine state authority47 or great power competi-
tion.48 But Cold War scholar Paul Blackstock identiªed a common operational
mechanism used in subversive operations regardless of speciªc goals or con-
text that offers a foundation for a general theory: the secret exploitation of po-
litical or social vulnerabilities.49 While Cold War subversion primarily targeted
entire political systems, any system of rules and practices is potentially vulner-
不. 3 (2002), https://www.cia.gov/resources/csi/studies-in-intelligence/volume-46-no-3/wanted-
a-deªnition-of-intelligence/.
43. Loch K. 约翰逊, “On Drawing a Bright Line for Covert Operations,” American Journal of Inter-
national Law, 卷. 86, 不. 2 (四月 1992), PP. 284–309, doi.org/10.2307/2203235.
44. Austin Carson, “Facing Off and Saving Face: Covert Intervention and Escalation Management
in the Korean War,” 国际组织, 卷. 70, 不. 1 (冬天 2016), PP. 103–131, doi.org/
10.1017/S0020818315000284; Poznansky, “Feigning Compliance”; and Rory Cormac and Richard J.
奥尔德里奇, “Grey Is the New Black: Covert Action and Implausible Deniability,” International Affairs,
卷. 94, 不. 3 (可能 2018), PP. 477–494, doi.org/10.1093/ia/iiy067.
45. Thomas Rid, “Cyber War Will Not Take Place,》 战略研究杂志, 卷. 35, 不. 1 (2012),
PP. 5–32, doi.org/10.1080/01402390.2011.608939; Gartzke, “The Myth of Cyberwar”; 和
Borghard and Lonergan, “Cyber Operations as Imperfect Tools of Escalation.”
46. Beilenson, Power through Subversion, p. v; and Frank Kitson, Low Intensity Operations: Subver-
锡安, Insurgency, and Peacekeeping (伦敦: Faber and Faber, 1971), p. 3.
47. Melissa M. 李, Crippling Leviathan: How Foreign Subversion Weakens the State (伊萨卡岛, 纽约:
康奈尔大学出版社, 2020).
48. William C. 沃尔福斯, “Realism and Great Power Subversion,” International Relations, 卷. 34,
不. 4 (十二月 2020), PP. 459–481, doi.org/10.1177/0047117820968858.
49. Blackstock, The Strategy of Subversion, p. 50.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 60
able to subversion because it contains ºaws that allow subversive actors to
inªltrate and manipulate the system in unexpected ways. The main system of
rules targeted by traditional subversion are institutions, and recent research
has examined the use of subversion against institutions of all kinds.50 If exploi-
tation is successful, subversive actors can use the targeted systems to produce
detrimental effects against an adversary, without revealing either their identity
or the subversive activity itself.51 Subversion is thus covert and clandestine.
例如, a spy might become an employee at an industrial facility and
gain access to machinery that they manipulate to damage the facility and pos-
sibly surrounding areas, but they hide the subversion by making it look like
an accident.
Cyber operations rely on the same mechanism of secret exploitation, 但
they target computer systems rather than political systems. Exploitation is pos-
sible because the behavior of computer systems is determined by different lay-
ers of code, consisting of logical rules and instructions.52 Hacking, 中央
instrument used in cyber operations as commonly deªned, involves secretly
exploiting ºaws in these rules to make computer systems behave in unin-
tended ways.53 In practice, hackers establish undetected and unauthorized
access and control over an adversary’s computer systems, which they manipu-
late to produce detrimental effects against the adversary. 例如, hackers
might target computer systems that control physical machinery and manipu-
late their operation in a way that damages or destroys the machinery. 这 2010
Stuxnet operation that sabotaged Iranian nuclear enrichment centrifuges with
a computer virus offers a key example.54 In addition to targeting technical vul-
nerabilities in computer systems, hackers also use “social engineering” to ex-
ploit pathologies in human behavior to get people to unwittingly provide
access to systems.55 Phishing emails are a classic example.56 Cyber operations
50. Jan Olsson, “Subversive Action,” in Subversion in Institutional Change and Stability: A Neglected
Mechanism (伦敦: 帕尔格雷夫·麦克米伦, 2016), PP. 39–61, doi.org/10.1057/978-1-349-94922-9_3;
and James Mahoney and Kathleen Thelen, 编辑。, Explaining Institutional Change: Ambiguity, 机构,
and Power (剑桥: 剑桥大学出版社, 2010).
51. Blackstock, The Strategy of Subversion, p. 68.
52. Thomas Dullien, “Weird Machines, Exploitability, and Provable Unexploitability,” IEEE Trans-
actions on Emerging Topics in Computing, 卷. 8, 不. 2 (April–June 2020), PP. 391–403, doi.org/
10.1109/TETC.2017.2785299.
53. 埃里克森, Hacking, p. 115.
54. Ralph Langner, To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to
Achieve (Arlington, Va.: Langner Group, 十一月 2013), http://www.langner.com/en/wp-
content/uploads/2013/11/To-kill-a-centrifuge.pdf.
55. Pekka Tetri and Jukka Vuorinen, “Dissecting Social Engineering,” Behaviour & Information Tech-
科学, 卷. 32, 不. 10 (2013), PP. 1014–1023, doi.org/10.1080/0144929X.2013.763860.
56. Prashanth Rajivan and Cleotilde Gonzalez, “Creative Persuasion: A Study on Adversarial Be-
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 61
桌子 1. Key Instruments of Power in International Relations
Warfare
Diplomacy
颠覆
Relation
Interaction Mode
Mechanism
direct
overt/covert
力量
direct
overt
persuasion/bargaining
间接
covert/clandestine
开发
thus share the core characteristics of subversion, namely the reliance on secret
exploitation and the indirect use of adversary systems to produce effects.
因此, cyber operations are an instrument of subversion—and technical
experts routinely refer to hacking as subversion.57
The secret and indirect nature of exploitation distinguishes subversion from
the two classic instruments of power in world politics: warfare and diplomacy
(见表 1). In the words of Carl von Clausewitz, war is “the use of physical
force to compel an enemy to one’s will.”58 It shifts the balance of power by de-
stroying adversaries’ material capabilities. Warfare typically involves direct
相互作用, but states can also covertly pursue “secret wars.”59 In contrast, 的-
plomacy relies on direct and overt forms of communication to exert inºuence
through reasoned discourse, bargaining, or signaling.60 Diplomacy shifts the
balance of power through alliances and international law.61
Strategically, subversion promises a way for states to intervene in adversary
affairs when diplomacy falls short to produce results, and yet at lower risks
and costs than going to war. The secret and indirect nature of exploitation
enables this promise. As discussed, secrecy reduces escalation risks and lowers
reputational costs. The indirect nature of exploitation adds a third beneªt:
haviors and Strategies in Phishing Attacks,” Frontiers in Psychology, 二月 21, 2018, doi.org/
10.3389/fpsyg.2018.00135.
57. 看, 例如, Philip A. 迈尔斯, “Subversion: The Neglected Aspect of Computer Security,”
master’s thesis, Naval Postgraduate School, 1980, https://csrc.nist.gov/csrc/media/publications/
conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/
myer80.pdf; and Susan Young and Dave Aitel, The Hacker’s Handbook: The Strategy behind Breaking
into and Defending Networks (Boca Raton, 佛罗里达州。: CRC, 2004), PP. 15–29.
58. Carl von Clausewitz, On War, abr., 编辑. 比阿特丽斯·豪瑟, 反式. Michael Howard and Peter Paret
(牛津: 牛津大学出版社, 2006), p. 13.
59. Carson, Secret Wars.
60. Hedley Bull, The Anarchical Society: A Study of Order in World Politics (纽约: Columbia
大学出版社, 1977), p. 163; 托马斯·里斯, “‘Let’s Argue!’: Communicative Action in World
政治,” 国际组织, 卷. 54, 不. 1 (冬天 2000), PP. 1–39, https://www.jstor.org/
stable/2601316; Thomas C. Schelling, Arms and Inºuence (新天堂, 康涅狄格州: Yale University
按, 2008); and Barbara Koremenos, Charles Lipson, and Duncan Snidal, “The Rational Design
of International Institutions,” 国际组织, 卷. 55, 不. 4 (秋天 2001), PP. 761–799,
https://www.jstor.org/stable/3078615.
61. 亨利·基辛格, Diplomacy (纽约: 西蒙和舒斯特, 1995), PP. 17–29.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 62
lower resource costs, since effects are produced through adversary systems,
rather than one’s own material capabilities. Subversion can provide independ-
ent strategic utility by undermining, manipulating, or disrupting the institu-
tions that modern societies depend on, weakening adversaries or inºuencing
their foreign policy. Cyber subversion holds the same promise, as revolution-
ary scholars emphasize.
the subversive trilemma
在实践中, subversion tends to fall short of its promise. Blackstock noted in
1964 that scholars and policymakers have “greatly overestimated” the effec-
tiveness and utility of subversion,62 and more recent quantitative studies
document the high failure rate of subversive operations.63 The reason for
this failure, 我认为, is a subversive trilemma that constrains effectiveness and
limits strategic utility. As this section shows, cyber subversion faces the
same trilemma.
The indirect and secret nature of exploitation that enable the strategic
promise of subversion require signiªcant efforts to establish and maintain.
一般来说, secrecy in covert operations requires extra “time, 技能, 一个
money.”64 Subversion requires further efforts because it depends on secrecy
成功. Whereas secret warfare operates on a spectrum of secrecy and
can continue even when the cover has been blown,65 discovery of a subver-
sive operation typically means failure. I argue that this constraint applies to
cyber subversion as well. In traditional subversion, the victim can arrest the spy
涉及;66 in cyber subversion, victims can delete computer viruses and
“patch” vulnerabilities.67
To fulªl the promise of secret exploitation, I ªnd that actors must meet four
distinct challenges that constrain operational effectiveness. They must identify
suitable vulnerabilities in a system designed by others, exploit them without
being detected, establish access and control over the system without detection,
and maintain control to produce effects through this system that achieve their
desired outcomes. As detailed below, these four challenges constrain opera-
62. Blackstock, The Strategy of Subversion, p. 304.
63. Lindsey A. O’Rourke, Covert Regime Change: America’s Secret Cold War (伊萨卡岛, 纽约: Cornell
大学出版社, 2018); and Sarah-Jane Corke, US Covert Operations and Cold War Strategy: Truman,
Secret Warfare, and the CIA, 1945–53 (纽约: 劳特利奇, 2008).
64. Mark M. Lowenthal, 智力: From Secrets to Policy, 4特德. (华盛顿, 华盛顿特区: CQ, 2009),
p. 177.
65. Cormac and Aldrich, “Grey Is the New Black.”
66. Beilenson, Power through Subversion, p. 63.
67. 埃里克森, Hacking, p. 320.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 63
tional effectiveness across three variables: operational speed, intensity of ef-
fects, and control.
第一的, speed is limited because identifying vulnerabilities and developing
means of exploitation requires reconnaissance and learning how target systems
function. Both processes take time. Spies have had to learn new languages or
skills to inªltrate institutions.68 Hackers similarly study how complex computer
systems function and write code to exploit them, which can take months.69
而且, cyber subversion may require more time than traditional subversion
because hackers cannot use force to override logic in programming code if their
means of exploitation fails.70 In contrast, spies can use limited force to gain ac-
过程, such as by blackmailing individuals or forcing open a door.
第二, the need to establish access to target systems without detection lim-
its the intensity of effects. 一般来说, only effect types for which suitable target
systems exist are possible. If there are no vulnerable institutions that control
physical machinery within a targeted state, traditional subversion cannot pro-
duce physical effects. This constraint applies to cyber subversion as well,
whereby only those social and physical processes controlled by computers are
within reach. Even for vulnerable targets, the scope and scale of effects that ac-
tors can produce through a target system depend on the scope and scale of
their access to the system. Expanding the scope and scale of access increases
discovery risks, 然而, thus limiting the maximum intensity that can be
achieved without discovery. In traditional subversion, 例如, Lindsey
O’Rourke identiªes a resulting dilemma between the scale of an operation and
the need for secrecy.71 I expect the same to apply to cyber subversion. 和-
doubtedly, cyber operations facilitate a greater scale of effects compared to
traditional subversion because computer viruses can multiply and spread au-
tomatically.72 This capacity does not negate the dilemma between secrecy and
规模, 然而; the more systems that are affected, the more likely one of the
affected victims will discover the compromise. 而且, automated prolifera-
tion may spread beyond its intended targets. 因此, the infamous
Stuxnet malware was discovered by a Belarusian antivirus ªrm because it
68. Christopher Andrew and Vasili Mitrokhin, The Mitrokhin Archive: The KGB in Europe and the
西方 (伦敦: 艾伦·莱恩, 1999), PP. 192–193, 220.
69. Lillian Ablon and Andy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day
Vulnerabilities and Their Exploits (圣莫妮卡, 加利福尼亚州。: RAND, 2017), https://www.rand.org/pubs/
research_reports/RR1751.html.
70. Libicki, Cyberdeterrence and Cyberwar, p. 16.
71. O’Rourke, Covert Regime Change, p. 8.
72. Jürgen Kraus, “On Self-Reproducing Computer Programs,” trans. and ed. Daniel Bilar and
Eric Filiol, Journal in Computer Virology, 卷. 5 (二月 2009), PP. 9–87, doi.org/10.1007/s11416-
008-0115-z.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 64
传播, apparently accidentally, far beyond the targeted nuclear enrichment
plant in Natanz.73
第三, the need to avoid discovery and the indirect production of effects via
manipulation of a target system limit control, both over the system itself and
the effects produced through it. A subversive actor’s control over a target sys-
tem is never absolute because, 正如所讨论的, upon discovery the victim can
neutralize it. Even if it remains undiscovered, 然而, subversive actors
can only establish control over those parts of the system with which they have
become familiar. A spy may be unable to gain access to a targeted organization
or may lack the language skills required for inªltration.74 Likewise, hackers
may be unfamiliar with certain computer systems and ªnd no way to access
他们. Most importantly, subversive actors do not have full control over ef-
fects for two reasons. 第一的, they may lose control over the subversive agent.
Pressure from undercover work may prompt spies to behave erratically or de-
fect.75 Although they don’t have feelings, computer viruses used in cyber sub-
version may similarly go rogue. The Morris Worm of 1988, 例如, 曾是
designed as a harmless network mapping tool, but its automated spread com-
bined with bandwidth-consuming activity caused massive unintended disrup-
tions across the early Internet.76 Finally, because actors have limited control
over target systems, these systems may respond unexpectedly to manipula-
的, which risks causing the subversion to either fail to produce the desired ef-
fect or create negative and unintended consequences.
至关重要的是, these constraining variables of speed, intensity, and control are
negatively correlated, producing a subversive trilemma. As illustrated in ªg-
乌尔 1, holding all else equal, improving one variable tends to produce corre-
sponding losses across the remaining variables. Increasing operational speed
means less time for reconnaissance and development, which increases the risk
of making mistakes and that targets will discover the subversion, 两者
which decrease control. Increasing intensity requires actors to expand the
scope or scale of access to systems, which increases discovery risks. Lowering
discovery risks for a given effects intensity tends to increase development time
要求, which reduces speed. 而且, increasing control usually re-
duces speed because hackers need more time for reconnaissance and develop-
73. The anti-virus software vendor VirusBlokAda in Belarus detected the malware used in the
Stuxnet operation on computers in Belarus on June 17, 2010, and initially named it “Rootkit
.TmpHider.” “Rootkit.TmpHider,” VirusBlokAda, http://www.anti-virus.by/en/tempo.shtml.
74. Andrew and Mitrokhin, The Mitrokhin Archive, PP. 200–201.
75. Michael Herman, Intelligence Power in Peace and War (剑桥: 剑桥大学出版社,
1996), p. 65.
76. Charles Schmidt and Tom Darby, “The What, 为什么, and How of the 1988 Internet Worm,”
Snowplow, revised July 2001, https://web.archive.org/web/20051020030056/http://snowplow
.org/tom/worm/worm.html.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 65
数字 1. The Subversive Trilemma
Speed
Speed
Speed
Intensity
控制
Intensity
控制
Intensity
控制
笔记: In each diagram, the dotted triangle shows how increasing one of these three vari-
ables tends to decrease the others compared with a given state in which all are balanced,
which is represented by the solid triangle.
ment plus extra efforts to avoid collateral damage by limiting the scale of
effects and, 因此, intensity.
This subversive trilemma constrains operational effectiveness and thus se-
verely limits the strategic utility that subversion can achieve in practice. Speed,
intensity, and control are essential components of operational effectiveness, 然而
each of these variables can lead to mission failure and no more than two can be
maximized at once. Increasing both speed and intensity proportionally “dou-
bly” decreases control, 例如, because the more intense the possible
effects are, the more sensitive the target and the more challenging the unde-
tected exploitation is likely to be. 因此, pursuing both maximum intensity
and speed makes it highly likely that an operation either fails to produce a
strategically signiªcant outcome or produces unintended consequences that
impose further costs. 反过来, maximizing both control and speed is likely
to constrain intensity to such a degree that it is extremely unlikely to produce
a strategically signiªcant outcome. Maximizing both intensity and control in
turn tends to reduce speed to a glacial pace. 因此, forensic evidence
indicates that the carefully calibrated Stuxnet operation took ªve years to de-
velop.77 In theory, operations that maximize intensity and control are most
likely to produce signiªcant strategic gains, but in practice, their glacial pace
renders them mostly useless in urgent crises and makes premature discovery
probable. If high speed is necessary, such operations are likely unable to go af-
ter the most sensitive targets because they require signiªcant reconnaissance
and development time, and the scope of control that they have over a given
target system is also limited. 同时, more intense effect types, 例如
damage or disruption, involve greater risk of collateral damage or unintended
77. Geoff McDonald et al., “Stuxnet 0.5: The Missing Link,” Symantec Security Response (Mountain
看法, 加利福尼亚州。: Symantec Corporation, 2013), https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/
docs/Cyber-088.pdf.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 66
结果. Maximizing control requires either avoiding such effect types
or restricting use to fewer and less sensitive targets—both of which reduce ef-
fect intensity.
Because of this trilemma, like traditional subversion, cyber subversion is un-
likely to deliver on its strategic promise except in “unicorn” scenarios in which
hackers are both exceptionally skilled and exceptionally lucky. 否则, 在
line with the different conªgurations of the trilemma outlined above, 网络
operations will tend to be too slow, too low in intensity, or too unreliable to
provide signiªcant utility.
hypotheses and research design
My theory reªnes cyber evolution theory by specifying a distinct set of opera-
tional characteristics that shape strategic utility. It produces three expectations
and three corresponding hypotheses for the case analysis. 第一的, like cyber rev-
olution theory, I expect states to primarily deploy cyber operations independ-
ently from diplomacy and warfare. Unlike cyberwar theories, I expect states
to primarily use cyber operations as part of subversive campaigns against
nonmilitary targets. 第二, I expect the operational variables of speed, inten-
城市, and control to be negatively correlated. 特别是, the different permuta-
tions of this trilemma produce the following hypotheses: increasing speed
tends to decrease intensity and control (H1); increasing intensity tends to de-
crease speed and control (H2); increasing control tends to decrease intensity
and speed (H3); and increasing two variables tends to doubly decrease the
remaining variable (H4). Evidence supporting these hypotheses across differ-
ent cyber operations would support my theory, whereas evidence of opera-
tions scoring high across all three variables, or actors achieving simultaneous
increases across all three variables would support cyber revolution theory
or cyberwar theory (for operations deployed for warfare). 第三, I expect most
cyber operations to fall short of providing measurable strategic utility, 和我
expect the subversive trilemma to be a key limiting factor.
I test these expectations in a case study of the Russo-Ukrainian conºict,
which started in 2013. The ªve cyber operations within the case provide inter-
nal variation and allow within-case comparison. The Russo-Ukrainian conºict
is a paradigmatic case of cyber-enabled limited conºict that occupies the gray
zone between peace and conventional war, in which cyber revolution theorists
expect cyber operations to provide added utility.78 Four of the cyber operations
78. Oliver Fitton, “Cyber Operations and Gray Zones: Challenges for NATO,” Connections, 卷. 15,
不. 2 (春天 2016), p. 109, http://www.jstor.org/stable/26326443; and James J. Wirtz, “Life in the
‘Gray Zone’: Observations for Contemporary Strategists,” Defense & Security Analysis, 卷. 33,
不. 2 (2017), p. 108, doi.org/10.1080/14751798.2017.1310702.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 67
in this case are attributed to Sandworm, which is an advanced hacker group
that is in turn attributed to Russia’s Glavnoye Razvedyvatelnoye Upravlenie
(GRU) intelligence service.79 Russia is a leading cyber power that is known for
having a high tolerance for risk,80 and the Sandworm group is one of the
world’s most skilled and most dangerous hacking groups.81 I expect the con-
straints of the subversive trilemma to be less pronounced in this case for sev-
eral reasons. In addition to the linguistic and cultural similarities between the
two countries, Russian spies have penetrated Ukrainian institutions, 和
many Ukrainian industrial facilities rely on Russian technologies.82 Moreover,
Sandworm had seven years to adapt and improve its tradecraft. 因此, 这
conditions render cyber operations most likely to demonstrate their effective-
ness and utility, while the constraints of subversion I identify are least likely to
apply compared to conºicts with less favorable conditions.
I proceed in three steps. 第一的, I verify whether and how Russia deployed
cyber operations in coordination with its diplomatic and military efforts. 秒-
另一, I measure relative operational speed, intensity, and control to assess
whether and how the subversive trilemma constrained effectiveness. I base my
measurement for speed on how much time elapses between when the hackers
start to develop the cyber operation and when it concludes. To measure inten-
城市, I track both scope (IE。, degree of intrusiveness) and scale (IE。, number of
affected devices and individuals). I follow Loch Johnson’s escalation ladder
of covert operations, which ranks thirty-eight different types of operations ac-
cording to their intrusiveness (the lower the rank, the higher the intrusiveness)
and groups them according to risk.83 Finally, I use four key indicators to meas-
79. Sandworm is also known as “TeleBots,” “Electrum,” “Quedagh,”and “BlackEnergy.” See the
online resource “APT Groups and Operations,” established by Florian Roth and maintained by
several threat intelligence researchers for further background: https://docs.google.com/spread-
sheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid(西德:2)1636225066.
80. Mark Galeotti, Putin’s Hydra: Inside Russia’s Intelligence Services (伦敦: European Council on
Foreign Relations [ECFR], 可能 2016), http://www.ecfr.eu/page/-/ECFR_169_-_PUTINS_HY-
DRA_INSIDE_THE_RUSSIAN_INTELLIGENCE_SERVICES_1513.pdf; and “Reckless Campaign
of Cyber Attacks by Russian Military Intelligence Service Exposed,” National Cyber Security Cen-
tre, 十月 3, 2018, https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-
military-intelligence-service-exposed.
81. Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Danger-
ous Hackers (纽约: 双日, 2019); and Robert Lemos, “Suspected Russian ‘Sandworm’
Cyber Spies Targeted NATO, Ukraine,” Ars Technica, 十月 14, 2014, https://arstechnica.com/
security/2014/10/suspected-russian-sandworm-cyber-spies-targeted-nato-ukraine/.
82. Vitalii Usenko and Dmytro Usenko, “30% of Ukrainian SBU Ofªcers Were Russian FSB and
GRU Agents,” ed. Olena Wawryshyn, Euromaidan Press, 四月 24, 2014, http://euromaidanpress
and Tomila
.com/2014/04/24/30-of-ukrainian-sbu-ofªcers-were-russian-fsb-and-gru-agents/;
Lankina and Alexander Libman, “Soviet Legacies of Economic Development, Oligarchic Rule, 和
Electoral Quality in Eastern Europe’s Partial Democracies: The Case of Ukraine,” Comparative Poli-
抽动症, 卷. 52, 不. 1 (十月 2019), PP. 127–176, doi.org/10.5129/001041519X15624348215945.
83. 约翰逊, “On Drawing a Bright Line for Covert Operations.”
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 68
ure control: premature discovery, failure to produce effects, time to neutralize
effects, and collateral damage.
第三, to evaluate strategic utility I analyze whether and how cyber opera-
tions contribute to Russia’s strategic goals and/or cause a shift in the balance
of power. It is challenging to determine strategic utility for conventional weap-
ons let alone for secret cyber operations.84 Indeed, for all ªve cyber operations
Russia has neither publicly acknowledged its involvement nor clearly stated
its goals. To determine the strategic utility of these cyber operations despite
these constraints, I follow established practice in intelligence studies to draw
inferences using triangulation among multiple sources of data.85
In this case study, I use process-tracing86 and leverage mostly original data
from four main primary sources: ªeld interviews with Ukrainian cybersecurity
experts and witnesses,87 leaked documents and emails,88 forensic reporting,
and social media posts and local media reporting.89 I primarily measure utility
through impacts on the balance of power deªned as the distribution of mate-
rial capabilities.90 I also examine whether and how the subversive trilemma
limits the strategic utility of each operation.
Case Study: The Russo-Ukrainian Conºict
The Russo-Ukrainian conºict has its origins in Ukraine’s pursuit of closer re-
lations with the European Union and the West. Despite President Viktor
the Ukrainian
Yanukovych’s close ties with Russia,
二月里 2013,
84. James G. Roche and Barry D. Watts, “Choosing Analytic Measures,》 战略研究杂志,
卷. 14, 不. 2 (1991), p. 172, doi.org/10.1080/01402399108437447.
85. Loch K. 约翰逊, 编辑。, Handbook of Intelligence Studies (纽约: 劳特利奇, 2007), p. 81.
86. Jeffrey T. Checkel, “Mechanisms, Process, and the Study of International Institutions,“ 在
Andrew Bennett and Jeffrey T. Checkel, 编辑。, Process Tracing: From Metaphor to Analytic Tool
(剑桥: 剑桥大学出版社, 2014), PP. 74–97, doi.org/10.1017/CBO978113985
8472.006.
87. The author traveled to Ukraine in 2018 to conduct interviews with twenty-three key individu-
作为, while adhering to a strict ethics protocol approved by the University of Toronto’s Research
Ethics Board (Protocol No.: 00034827).
88. Email inboxes of separatist leader Kirill Frolov and Russian advisor Vladimir Surkov provide
unique insights into Russian perceptions and coordination of separatist movements in Ukraine.
Daria Goriacheva, the author’s research assistant and a native Russian speaker, carefully analyzed
and translated these sources. The Ukrainian hacker collective Ukrainian Cyber Alliance obtained
these emails and has made them publicly available at the following links: https://ordilo.org/wp-
content/uploads/2016/12/frolov_moskva@mail.ru.rar (last accessed May 17, 2019) and https://
drive.google.com/drive/folders/0BxCzAWE6sxSfRXVjdm1pV2c3WXc (last accessed July 15,
2021). Henceforth, email citations from this source will include the sender and recipient names,
日期, and time.
89. Collected and translated by the author’s research assistant, Daria Goriacheva.
90. Kenneth N. 华尔兹, Theory of International Politics (Reading, 大量的: Addison-Wesley, 1979).
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 69
Parliament voted to commit to an EU-Ukraine Association Agreement.91 This
vote threatened Russian interests of maintaining Ukraine within its sphere of
inºuence. A key part of the Kremlin’s Ukraine strategy has been spreading
“rumour, speculation, half-truth, conspiracy, and outright lie, to obscure the re-
alities of Russian activities.”92 Consequently, the drivers of foreign policy con-
tinue to be hotly debated.93 Yet, even amidst these acrimonious debates, 那里
is broad consensus that Russia has pursued two complementary strategic
goals.94 It wants to prevent and reverse Ukraine’s realignment toward the
European Union and the West as well as maintain Ukraine within its sphere of
inºuence. 因此, Russian scholars highlight Russia’s priority to “stop
the pro-Western Kiev government”95 and explain that “Russia looks at the for-
mer USSR states as creating arcs of safety in Eastern Europe.”96 Public state-
ments by Russia’s leadership warn Ukraine against the “inevitable ªnancial
catastrophe”97 that would result from EU integration, and President Vladimir
Putin has repeatedly emphasized the shared history of Ukraine and Russia
and their “sameness”98 as “one people.”99
To achieve these goals, Russia leveraged diplomacy, (semi-covert) 战争-
fare, and subversion. 最初, Russia applied increasing diplomatic pressure
on the Yanukovych government while mobilizing a network of subversive
proxy actors, comprised of church organizations such as the “Union of
91. Interfax-Ukraine, “Parliament Passes Statement on Ukraine’s Aspirations for European Inte-
gration,” Kyiv Post, 二月 22, 2013, https://www.kyivpost.com/article/content/ukraine-
politics/parliament-passes-statement-on-ukraines-aspirations-for-european-integration-320792
.html.
92. Mark Galeotti, Controlling Chaos: How Russia Manages Its Political War in Europe (柏林:
ECFR, 九月 2017), p. 6, http://www.ecfr.eu/publications/summary/controlling_chaos_how
_russia_manages_its_political_war_in_europe.
93. Elias Götz, “俄罗斯, the West, and the Ukraine Crisis: Three Contending Perspectives,” Con-
temporary Politics, 卷. 22, 不. 3 (2016), PP. 249–266, doi.org/10.1080/13569775.2016.1201313.
94. See section 1 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
95. Vladimir V. Shtol, “Geopoliticheskiye zadachi Rossii na postsovetskom prostranstve”
tasks for Russia in post-Soviet space], Vestnik Moskovskogo Gosudarstvennogo
[Geopolitical
Oblastnogo Universiteta [Moscow National Regional University Press], 不. 3S (2014), p. 176.
96. 乙. Shturba and M. Makhalkina, “Territorial’nyye anklavy byvshego SSSR v kontekste
natsional’noy bezopasnosti sovremennoy Rossii” [Territorial enclaves of the former USSR in a con-
text of national safety of contemporary Russia], Istoricheskaya i sotsial’no-obrazovatel’naya mysl
[Historic and socially-educated thoughts],卷. 2, 不. 1C (2016), p. 26.
97. Shaun Walker, “Ukraine’s EU Trade Deal Will Be Catastrophic, Says Russia,“ 监护人, 九月-
木材 22, 2013, https://www.theguardian.com/world/2013/sep/22/ukraine-european-union-
trade-russia.
98. “Putin Says Russia, Ukraine Torn Apart to Prevent Major Rival from Emerging,” TASS, Febru-
和 21, 2020, https://tass.com/politics/1122727.
99. Vladimir Putin, “Address by President of the Russian Federation: Vladimir Putin Addressed
State Duma Deputies, Federation Council Members, Heads of Russian Regions, and Civil Society
Representatives in the Kremlin,” President of Russia, 行进 18, 2014, http://en.kremlin.ru/events/
president/news/20603.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 70
Orthodox Citizens” and other separatist groups, to stimulate pro-Russian sen-
timent. A leaked document in 2013 outlines Russia’s goals to “create a network
of Russian inºuence . . . [到] prevent the signing of association agreements be-
tween Ukraine and the EU . . . [和] neutralizethe political and media inºu-
ence of European integrators.”100 This campaign involved some curious
措施, such as a series of rock concerts,101 which unsurprisingly failed to
produce measurable results.102 Russia’s diplomatic efforts, 然而, were suc-
成功的. Following a secret meeting with Putin, Yanukovych unilaterally with-
drew from EU association negotiations in November 2013, prompting tens of
thousands of Ukrainians to gather at Maidan square to protest.103 In February
2014, Yanukovych’s government collapsed. 作为回应, Russia utilized its
subversive proxies to conduct a regime change operation in Crimea. 亚塞-
经常地, Russia’s proxies organized protests around government institutions in
the regional capital Sevastopol, which Russia supported with unmarked mili-
tary forces.104 These proxies then helped organize a referendum, coordinated
from Moscow, deciding secession before Ukraine could react and producing a
fait accompli.105 In the Donbass region, Russia deployed similar tactics, 但
pockets of local resistance allowed the Ukrainian government to launch a
countercampaign in May 2014.106 Russia and Ukraine remain in a protracted
stalemate with ongoing, signiªcant bloodshed.
Although Russia has (迄今) failed to achieve its two core strategic goals,
100. “O komplekse mer po vovlecheniyu Ukrainy v Yevraziyskiy integratsionnyy protsess”
[About the set of measures to involve Ukraine in the Eurasian integration process], ZN.Ua, Au-
gust 16, 2013, https://zn.ua/internal/o-komplekse-mer-po-vovlecheniyu-ukrainy-v-evraziyskiy-
integracionnyy-process-_.html.
101. Sergey Glazyev, email to Kiril Frolov, 九月 13, 2013, 9:45 a.m.
102. Sanshiro Hosaka, “The Kremlin’s Active Measures Failed in 2013: That’s When Russia Re-
membered Its Last Resort—Crimea,” Demokratizatsiya: The Journal of Post-Soviet Democratization,
卷. 26, 不. 3 (夏天 2018), PP. 321–364, muse.jhu.edu/article/699570.
103. Oksana Grytsenko and Ian Traynor, “Ukraine U-turn on Europe Pact Was Agreed with Vladi-
mir Putin,“ 监护人, 十一月 26, 2013, https://www.theguardian.com/world/2013/nov/26/
ukraine-u-turn-eu-pact-putin.
104. Michael Kofman et al., Lessons from Russia’s Operations in Crimea and Eastern Ukraine (Santa
莫妮卡, 加利福尼亚州。: RAND, 2017); Dmytro Lisunov, Oleh Baturin, and Serhiy Petrenko, “Why Surkov
Needs Private Army: Union of Donbas Volunteers (UDV) as Reserve of National Guard of Russia,”
InformNapalm English blog, 四月 30, 2017, https://informnapalm.org/en/surkov-needs-private-
army-union-donbas-volunteers-reserve-russian-guard/; and Alya Shandra, “Glazyev Tapes,
Continued: New Details of Russian Occupation of Crimea and Attempts to Dismember
Ukraine,” Euromaidan Press, 可能 16, 2019, http://euromaidanpress.com/2019/05/16/glazyev-
tapes-continued-ukraine-presents-new-details-of-russian-takeover-of-crimea-and-ªnancing-of-
separatism/.
105. Kremlin, “Podpisan ukaz o priznanii Respubliki Krym” [Decree on recognition of the Repub-
lic of Crimea was signed], Prezident Rossii [President Of Russia], 行进 17, 2014, http://
kremlin.ru/events/president/news/20596; 和大卫·M. Herszenhorn and Andrew E. 克莱默,
“Ukraine Plans to Withdraw Troops from Russia-Occupied Crimea,“ 纽约时报, 行进 19,
2014, https://www.nytimes.com/2014/03/20/world/europe/crimea.html.
106. Vladimir A. Kalamanov, “Ukraina v geopoliticheskom izmerenii sovremennoy mirovoy
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 71
these efforts have produced signiªcant strategic gains. 第一的, the balance of
power shifted in Russia’s favor as it expanded its territory into Crimea and
gained partial control over Donbass.107 Despite prevailing conceptualizations
of a cyber-enabled “hybrid war” in Ukraine, 然而, cyber operations played
no role in attaining these gains.108 Existing research shows cyber operations
were irrelevant to military action in the Donbass or Crimea, and there is also
no evidence that any cyber operations attributed to Russia contributed to
the regime change operation in Crimea.109 This absence is particularly surpris-
ing considering that Russian “information warfare” doctrine includes cyber
operations as being relevant to the objectives it pursued in Ukraine.110 Instead,
Russia deployed its cyber operations independently of the warfare effort
as part of a larger subversive campaign targeting the remaining territory
of Ukraine.
evaluating cyber operations in ukraine
The ªnal phase of the Russo-Ukrainian conºict is characterized by slow-paced
Russian efforts to weaken Ukraine. Although cyber operations have remained
irrelevant in the military clashes in Donbass, in Ukraine’s remaining territory,
Russia used election interference, sabotage, disinformation, 宣传, 和
sistemy i vozvrashcheniye Rossiyskogo liderstva” [Ukraine in the geopolitical dimension of the
modern world system and the return of Russian leadership], Vestnik Rossiyskogo Universiteta
Druzhby Narodov [Press of Peoples’ Friendship University of Russia], Politologiya [政治学],
不. 4 (日期不详。), p. 14; and Tom McCarthy and Alan Yuhas, “Ukraine Crisis: Kiev Launches ‘Anti-
terror Operation’ in East—Live Updates,“ 监护人, 四月 15, 2014, https://www.theguardian
.com/world/2014/apr/15/ukraine-military-forces-russia-live-blog.
107. Andrew S. Bowen, “Coercive Diplomacy and the Donbas: Explaining Russian Strategy in
Eastern Ukraine,》 战略研究杂志, 卷. 42, 不. 3–4 (2019), PP. 312–343, doi.org/10.1080/
01402390.2017.1413550.
108. András Rácz, Russia’s Hybrid War in Ukraine: Breaking the Enemy’s Ability to Resist, FIIA Report
不. 43 (Helsinki: Finnish Institute of International Affairs [FIIA], 六月 16, 2015), https://www.ªia
.ª/wp-content/uploads/2017/01/ªiareport43.pdf; and Fitton, “Cyber Operations and Gray
Zones.”
109. Nadiya Kostyuk and Yuri M. Zhukov, “Invisible Digital Front: Can Cyber Attacks Shape Bat-
tleªeld Events?” 冲突解决杂志, 卷. 63, 不. 2 (二月 2019), PP. 317–347, doi.org/
10.1177/0022002717737138; and Aaron F. Brantly, Nerea M. 卡尔, and Delvin P. Winkelstein, 的-
fending the Borderland: Ukrainian Military Experiences with IO, Cyber, and EW (西点, 纽约: Army
Cyber Institute, 十二月 1, 2017), https://vtechworks.lib.vt.edu/handle/10919/81979. 也可以看看
部分 2 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
110. Keir Giles and William Hagestad II, “Divided by a Common Language: Cyber Deªnitions in
Chinese, 俄语, and English,” paper presented at the 5th International Conference on Cyber
Conºict, 塔林, 爱沙尼亚, June 4–7, 2013, https://ieeexplore.ieee.org/document/6568390; 和
Sergei Chekinov and Sergei Bogdanov, “Vliyanie nepriamykh deistvii na kharakter sovremennoi
voiny” [The inºuence of indirect actions on the nature of modern warfare], Voennaya Mysl [米利-
tary Thought], 不. 6 (2011), PP. 3–4, quoted and translated in Mark Galeotti, “Hybrid, Ambigu-
乌斯, and Non-linear? How New Is Russia’s ‘New Way of War’?” Small Wars & Insurgencies, 卷. 27,
不. 2 (行进 2016), p. 288, doi.org/10.1080/09592318.2015.1129170.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 72
桌子 2. A Comparison of Five Cyber Operations
Speed
Intensity Control
选举
干涉
(2014)
3 月
低的
规模,
高的
范围
power grid I
(2015)
力量
grid II
(2016)
19 months high
规模,
高的
范围
31 months high
“NotPetya”
(2017)
6 月
Strategic
Utility
negligible
negligible
• no premature discovery
• disruptive effect on target partially
produced
• disruptive effect neutralized within
20 小时, preventing impact
• premature discovery
• disruptive effect on target
produced
• disruptive effect neutralized within
6 小时
• premature discovery
• disruptive effect on target partially
negligible
规模,
highest
范围
highest
规模,
medium
范围
produced
• disruptive effect neutralized within
75 minutes
• premature discovery
• disruptive effect on targets
produced
• lasting effect (IE。, 数据
破坏)
• collateral damage and unintended
结果
measurable,
signiªcant
impact on
balance of
力量
negligible
“BadRabbit”
(2017)
12 月
低的
规模,
低的
范围
• no premature discovery
• disruptive effects on target
produced
• controlled proliferation
economic warfare to conduct a long-term, slow-burning subversive campaign
to weaken Ukraine and keep it within its sphere of inºuence.111 Five major
cyber operations attributed to Russian-sponsored actors contributed to this
campaign, and the analysis in this section examines their operational mecha-
nisms and strategic utility. 桌子 2 summarizes key ªndings.
election interference (2014). The ªrst cyber operation attempted to dis-
rupt Ukraine’s 2014 presidential elections by sabotaging the computer systems
of the Central Elections Commission (CEC). It moved fast and pursued intense
effects by disrupting a core political process in democracies, yet it failed to
inºuence the elections because the hackers missed a security measure that the
111. Alya Shandra and Robert Seely, “The Surkov Leaks: The Inner Workings of Russia’s Hybrid
War in Ukraine” (伦敦: Royal United Service Institute [RUSI], 七月 2019), https://static.rusi
.org/201907_op_surkov_leaks_web_ªnal.pdf.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 73
CEC used to neutralize the compromise. This outcome provides support
for the subversive trilemma and is congruent with H4. 最后, as I ex-
果皮特, the operation provided Russia—whose military intelligence agency GRU
most likely sponsored it—with little measurable strategic utility. 此外,
I ªnd circumstantial evidence that Russia deployed this cyber operation as
part of its larger subversive campaign rather than to support its diplomatic
and military initiatives.112 This ªnding conªrms the expected independent
strategic role of cyber operations.
The group behind this cyber operation to sabotage the CEC’s computers
developed it within only two months, which is very fast compared with the
ªve years it took to develop Stuxnet.113 The hackers had to work quickly
because Ukraine’s elections announcement in March 2014 was unexpected.
Forensic evidence indicates the initial compromise of Ukraine’s CEC occurred
shortly after.114 Although the vulnerability and means of exploitation remain
未知, on May 21 the hackers deployed malware (IE。, a computer virus)
that disrupted the CEC’s computer systems for at least several hours.115 The
CEC successfully restored service before election day on May 25.116
The hackers moved fast while pursuing intense effects that were low in scale
yet high in scope because they aimed to disrupt a core democratic process.117
然而, as predicted by the trilemma, they had insufªcient control over the CEC’s
computer system. The intended effect of the cyber operation became clear on
可能 23, when the hacker collective Cyber Berkut boasted to have “destroyed
PC and network infrastructure of the Ukrainian CEC,” and challenged the
elections’ legitimacy as being under “total U.S. control.”118 Cyber Berkut is a
front organization for GRU119 and is likely linked to high-proªle threat actor
112. See section 3 in the online appendix, doi.org/10.7910/DVN/IZ65MC.
113. McDonald et al., “Stuxnet 0.5.”
114. Author interview with Victor Zhora, Kyiv, 四月 7, 2018; and Nikolay Koval, “Revolution
Hacking,” in Kenneth Geers, 编辑。, Cyber War in Perspective: Russian Aggression against Ukraine
(塔林, 爱沙尼亚: NATO Cooperative Cyber Defence Centre of Excellence, 2015), p. 57, https://
ccdcoe.org/library/publications/cyber-war-in-perspective-russian-aggression-against-ukraine/.
115. Nikolay Koval, then head of Ukraine’s Computer Emergency Response Team (CERT), 印迪-
cates the outage lasted around twenty hours. Koval, “Revolution Hacking,” p. 57. Cybersecurity
expert Victor Zhora, who was personally involved in the mitigation efforts, noted that the outage
lasted only “a few” hours; personal correspondence with the author via online messaging service,
可能 19, 2019.
116. Author interview with Zhora, 2018.
117. According to Johnson’s escalation ladder, election interference is a “high risk option” (rung
18 的 38). 约翰逊, “On Drawing a Bright Line for Covert Operations,” PP. 286–288.
118. “The Ministry of Finance of Ukraine Is Cracked: In the Country There Were Only Debts,”
CyberBerkut, 可能 23, 2015, http://www.cyber-berkut.ru/en/index_02.php.
119. “Reckless Campaign of Cyber Attacks by Russian Military Intelligence Service Exposed,”
十月 3, 2018.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 74
APT 28.120 Contrary to its claims, 然而, the vote counting remained unaf-
fected because the hacker’s reconnaissance overlooked the fact that the CEC
could use its backups to restore service.121 This evidence supports H4. 康塞-
经常地, the cyber operation failed to help Russia disrupt Ukraine’s election or
to shift the balance of power. The elections proceeded unhindered, 和他们的
integrity was widely accepted.122
power grid i
(2015). The second Russian-sponsored cyber operation
sabotaged equipment by the energy providers Prykarpattyaoblenergo,
Chernovtsoblenergo, and Kievoblenergo, causing a power outage in Western
Ukraine on December 23, 2015, that affected 230,000 people and lasted six
小时. These highly intense effects featured both high scope and scale and re-
quired substantial time to develop, yet the hackers failed to produce strategi-
cally signiªcant lasting effects because they had insufªcient control over the
targeted systems. Although the hackers successfully exploited the power grid
基础设施, ultimately the companies used a simple switch to neutralize the
disruption. The outage affected less than 1 percent of Ukraine’s population
and comprised only about 0.015 percent of Ukraine’s daily energy consump-
tion.123 According to a senior advisor to the Ukrainian government, its short
duration and timing on the day before Christmas caused minimal economic
disruption.124 In contrast to sensationalist Western coverage naming this an
“act of cyberwar,”125 only a few local Ukrainian outlets covered it, and none on
the front page.126 This outcome supports the subversive trilemma (特别地
H2) and its constraining inºuence on strategic utility.
120. Koval, “Revolution Hacking,” p. 58.
121. Author interview with Zhora, 2018.
122. Organization for Security and Co-operation in Europe (OSCE) 等人。, International Election Ob-
servation Mission: Ukraine—Early Presidential Election, 25 可能 2014: Statement of Preliminary Findings
and Conclusions (Kyiv: OSCE, 可能 26, 2014), https://www.osce.org/odihr/elections/ukraine/
119078?download(西德:2)true.
123. Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy”
[Zillya! Antivirus has analyzed cyber attacks on infrastructure facilities in Ukraine], Zillya!
Antivirus, 二月 17, 2016, https://zillya.ua/ru/zillya-antivirus-provela-analiz-kiberatak-na-
infrastrukturnye-obekti-ukrainy.
124. Author interview with senior Ukrainian government advisor, Kyiv, 四月 5, 2018. The ofªcial
has asked to remain anonymous.
125. Jose Pagliery, “Scary Questions in Ukraine Energy Grid Hack,” 美国有线电视新闻网, 一月 18, 2016, https://
money.cnn.com/2016/01/18/technology/ukraine-hack-russia/index.html; Kim Zetter, “Inside
the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, 行进 3, 2016, https://
www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/; and Elias
Groll, “Did Russia Knock Out Ukraine’s Power Grid?“ 对外政策, 一月 8, 2016, https://
foreignpolicy.com/2016/01/08/did-russia-knock-out-ukraines-power-grid/.
126. “SBU predupredila khakerskuyu ataku Rossiyskikh Spetssluzhb na energoob’yekty
Ukrainy—112 Ukraina” [SBU prevented hacker attack of Russian Special Services on
power facilities of Ukraine—112 Ukraine], 112.Ua, https://112.ua/kriminal/sbu-predupredila-
hakerskuyu-ataku-rossiyskih-specsluzhb-na-energoobekty-ukrainy-281811.html; “Pislya kibera-
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 75
I also ªnd no evidence that this cyber operation was linked to Russia’s mili-
tary or diplomatic efforts at the time. Military clashes continued throughout
十二月 2015 despite a truce.127 There were no major diplomatic events. 这是
plausible, as some have argued, that this cyber operation was retaliation for
sabotage to Crimea’s power supply in November 2015 that destroyed the
power lines linking it to the mainland, but there is no conclusive evidence.128
This sabotage operation against the power grid was more intense than the ef-
fort to disrupt the CEC’s computer systems. A power blackout can cause both
physical damage and possibly death, particularly in winter.129 As the subver-
sive trilemma would predict, this relative increase in intensity correlated
with a signiªcant decrease in speed (见表 2). On May 12, 2014, one day af-
ter the Donbass referendum, Sandworm used a Portuguese university’s com-
promised server130 to send phishing emails to employees of the targeted
energy ªrms.131 Curiously, the sender address was a Portuguese univer-
城市, and these emails contained general information on Ukraine’s railway sys-
tem.132 This cyber operation therefore relied on the unlikely scenario of the
victims being sufªciently interested in Ukraine’s railway system to click on
the malicious attachment. Somebody did, 尽管, providing Sandworm access
to corporate systems.133
Forensic evidence indicates that hackers needed another ªve months to ac-
cess the physical control systems in order to exploit its technical vulnerabili-
taky na ‘Prykarpattyaoblenerho’ v SSHA perehlyanut’ zakhyst enerhomerezh” [After the cyber-
attack on Prykarpattyaoblenerho,
the protection of power grids will be reviewed in the
美国], Obozrevatel, https://www.obozrevatel.com/ukr/news/58420-pislya-kiberataki-na-
and Sergey Martynets,
prikarpattyaoblenergo-v-ssha-pereglyanut-zahist-energomerezh.htm;
“SSHA pidozryuyut? Rosiyu u prychetnosti do kiberatak na ukrayins’ki elektromerezhi” [这
United States suspects Russia of involvement in cyberattacks on Ukrainian power grids], Ukrai-
nian National News (UNN), 一月 7, 2016, https://www.unn.com.ua/uk/news/1536191-ssha-
pidozryuyut-rosiyu-u-prichetnosti-do-kiberatak-na-ukrayinski-elektromerezhi.
127. “Deadly Clashes in Ukraine despite Holiday Truce,” RadioFreeEurope/RadioLiberty, Decem-
误码率 27, 2015, https://www.rferl.org/a/deadly-clashes-in-ukraine-despite-holiday-truce/27452015
html.
128. Kim Zetter, “Everything We Know about Ukraine’s Power Plant Hack,” Wired, Janu-
和 20, 2016, https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-
hack/; Ivan Nechepurenko and Neil MacFarquhar, “As Sabotage Blacks Out Crimea, Tatars Pre-
vent Repairs,“ 纽约时报, 十一月 23, 2015, https://www.nytimes.com/2015/11/24/
world/europe/crimea-tatar-power-lines-ukraine.html.
129. Johnson’s ladder does not include critical infrastructure sabotage, but the scope of effects
places it within the riskiest, “extreme options.” Johnson, “On Drawing a Bright Line for Covert
运营,” PP. 286, 292.
130. “Kyberuhroza BlackEnergy2/3” [Cyber threat BlackEnergy2/3], CysCentrum, 一月 16,
2016, https://cys-centrum.com/ru/news/black_energy_2_3.
131. 同上.
132. Oleg Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti
Ukrainy.”
133. “Kyberuhroza BlackEnergy2/3,” CysCentrum.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 76
领带. 十月 2014, threat intelligence vendor iSight reported that Sandworm
was exploiting a “zero-day” vulnerability (a previously unknown vulner-
ability about which the software vendor is unaware) in Microsoft Windows
to target energy providers.134 Subsequent analysis showed that the hackers
had identiªed a vulnerability in an industrial control system that estab-
lishes an interface for human-machine interaction (HMI).135 HMI systems
他们自己, 然而, cannot cause physical effects (IE。, disrupting the power
supply).136 The hackers needed another fourteen months to learn how to oper-
ate a power plant.137 At 3:30 下午. on December 2015, Sandworm operatives
manually entered commands that caused the temporary blackout, using built-
in functionality to cause an unexpected outcome.138
The cyber operation disrupted power service by remotely disconnecting
approximately thirty power substations and delayed restoration by simulta-
neously inundating phone support centers with calls.139 Ninety minutes later,
the hackers attempted to prevent the power companies from restoring service
by deleting all data on the affected computers.140 Yet, employees at these
Soviet-era power plants neutralized the disruption and restored power within
six hours by switching to manual control.141 Although it later became clear
that all the affected utility providers discovered the compromise months be-
fore Sandworm attempted to disconnect the power substations, none of the
victims reported or acted upon the premature discovery.142 It was primarily
134. Stephen Ward, “iSIGHT Discovers Zero-Day Vulnerability CVE-2014-4114 Used in Russian
Cyber-Espionage Campaign,” iSight Partners blog, 十月 14, 2014, https://web.archive.org/
web/20141015001101/https://www.isightpartners.com/2014/10/cve-2014-4114/.
135. Kyle Wilhoit and Jim Gogolinski, “Sandworm to Blacken: The SCADA Connection,” Trend
Micro: Security Intelligence Blog, 十月 16, 2014, https://blog.trendmicro.com/trendlabs-security-
intelligence/sandworm-to-blacken-the-scada-connection/.
136. Dragos, Crashoverride: Analysis of the Threat to Electric Grid Operations (Hanover, 马里兰州。: Dragos,
2017), p. 10, https://dragos.com/blog/crashoverride/CrashOverride-01.pdf.
137. As Dragos explains, access to an HMI enabled the hackers to “learn the industrial process
and gain the graphical representation of that ICS [industrial control system] through the HMI.”
Dragos, Crashoverride, p. 10.
138. Robert M. 李, 迈克尔·J. Assante, and Tim Conway, Analysis of the Cyber Attack on the Ukrai-
nian Power Grid (华盛顿, 华盛顿特区: Electricity Information Sharing and Analysis Center, 行进 18,
2016), https://africautc.org/wp-content/uploads/2018/05/E-ISAC_SANS_Ukraine_DUC_5.pdf;
and Dragos, Crashoverride, p. 10.
139. Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy”; 和
Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
140. “Kiberugroza BlackEnergy2/3,” CysCentrum; Sych, “Zillya! Antivirus provela analiz
kiberatak na infrastrukturnyye obyekti Ukrainy”; and Zetter, “Inside the Cunning, Unprecedented
Hack of Ukraine’s Power Grid.”
141. Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy”; 和
Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
142. “Kiberugroza BlackEnergy2/3,” CysCentrum.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 77
luck rather than stealth that enabled the hackers to control the system long
enough to attempt to produce effects.
power grid ii (2016). One year after it disrupted power substations in
Western Ukraine, Sandworm targeted the power grid in Kyiv, Ukraine’s capi-
的. The hackers had developed an advanced technique capable of more
intense effects than its predecessor, which could, in theory, inºict lasting dam-
age to Ukrenergo’s power plant machinery.143 But this capability failed, 和
Ukrenergo was able to neutralize the outage even faster than before. Maxi-
mizing intensity correlates with reduced speed and control—conªrming H2.
Like its predecessor in 2015, there is no evidence linking this cyber operation
to Russia’s ongoing military and diplomatic efforts in Ukraine. The key mili-
tary events in October 2016 were inªghting among the pro-Russian rebels
in the Donbass region and the assassination of rebel leader Arsen “Motorola”
Sergeyevich Pavlov.144 Given the timing of this sabotage operation (days be-
fore Christmas), a Ukrainian government ofªcial speculated that its primary
purpose was to inºict psychological distress rather than to advance Russia’s
military or diplomatic agenda.145
Sandworm required an additional twelve months (thirty-one months total)
to develop this cyber operation compared with its 2015 predecessor. The hack-
ers used this time to deepen their knowledge about power substations and to
develop a more advanced and, theoretically, more effective malware. 乙酰胆碱-
cording to industrial cybersecurity experts Dragos, the hackers attempted
to trigger an automated protective system that would take targeted substa-
tions ofºine (IE。, “islanding”) by rapidly activating and deactivating power
circuits.146 This malware was theoretically capable of “coordinated targeting of
multiple electric sites and could result in a few days of outages.”147 Forensic
analysis revealed that the malware could cause lasting physical damage by
deactivating Siemens’s protective relays.148
The additional time that it took Sandworm to develop this sabotage opera-
tion against the power grid in Kyiv correlates with an increased potential in-
143. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
144. Jack Losh, “Ukrainian Rebel Leaders Divided by Bitter Purge,” Washington Post, 十月 3,
2016, https://www.washingtonpost.com/world/europe/ukrainian-rebel-leaders-divided-by-bitter-
purge/2016/10/03/2e0076ac-8429-11e6-b57d-dd49277af02f_story.html; and Andrew E. 克莱默,
“Bomb Kills Pro-Russian Rebel Commander in Eastern Ukraine,“ 纽约时报, 十月 17,
2016, https://www.nytimes.com/2016/10/18/world/europe/ukraine-rebel-arsen-pavlov-motorola-
killed.html.
145. Author interview with an anonymous government advisor, Kyiv, 四月 21, 2018.
146. Dragos, Crashoverride, p. 23.
147. 同上。, p. 23.
148. 同上。, p. 24.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 78
tensity of effects, conªrming expectations of the subversive trilemma. 这
cyber operation qualiªes as an “extreme option” in Johnson’s escalation
梯子, given its potential physical damage.149 At 11:53 下午. on December 17,
2016, Sandworm’s malware deenergized the Severyana power substation
near Kyiv, resulting in a loss of 202.9 megawatts—enough to power around
600,000 Ukrainian households according to average consumption statistics by
the International Energy Agency.150 Ukrenergo had learned from the 2015 sab-
otage, 然而, and swiftly switched to manual control, so that “within an
hour and ªfteen minutes, power was restored in full.”151 In practice, this oper-
ation thus achieved less intense effects than its predecessor.
Dragos’s analysis of this cyber operation underlined that deploying the ad-
vanced technique to damage targets “would be very difªcult to do at scale.”152
然而, the hackers never got that far. The networking protocol of the targeted in-
dustrial control systems reversed Internet protocol (知识产权) addresses when exe-
cuting commands, but Sandworm had missed this and entered the wrong
addresses, which resulted in “nonsensical communication.”153 When I inter-
viewed Volodymyr Styran, a cybersecurity expert at Berezha Security, he con-
cluded that Sandworm hackers are “just people” who “screwed it up at some
观点, as they did in previous incidents.”154 The triangulation of evidence indi-
cates that this cyber operation neither contributed to Russia’s strategic goals
nor achieved a shift in the balance of power, which conªrms my expectations.
The economic and psychological impacts of this second sabotage operation
149. 约翰逊, “On Drawing a Bright Line for Covert Operations,” p. 186.
150. “Prichinoy obestochivaniya chasti Kiyeva mozhet byt’ ataka khakerov” [The reason for the
blackout in part of Kiev may be an attack by hackers], Fakty.ua, 十二月 18, 2016, https://
fakty.ua/227538-prichinoj-obestochivaniya-chasti-kieva-mozhet-byt-ataka-hakerov. 在美国
状态, one megawatt typically provides enough power for about 750 households. California En-
ergy Commission, “California ISO Glossary,” https://www.energy.ca.gov/resources/energy-
glossary. 因此, an outage of 202.9 megawatts would equal power loss for 152,175 standard U.S.
households. 在 2016, IEA data shows average energy consumption per capita in Ukraine was only
approximately one quarter of that in the United States (3.2MWh vs 12.8MWh), and thus the num-
ber of households affected would be up to 608,700. For data on electricity consumption per capita
per country, see “Electricity,” IEA, accessed August 21, 2021, https://www.iea.org/fuels-and-
technologies/electricity.
151. Vsevolod Kovalchuk, “Tsiyeyi nochi na pidstantsiyi ‘pivnichna’ vidbuvsya zbiy—Vsevolod
Kovalchuk” [That night at the northern substation a failure has been—Vsevolod Kovalchuk],
Facebook, 十二月 18, 2016, https://www.facebook.com/permalink.php?story_fbid(西德:2)17980823
13797621&id(西德:2)100007876094707.
152. Dragos, Crashoverride, p. 25.
153. Joe Slowik, Crashoverride: Reassessing the 2016 Ukraine Electric Power Event as a Protection-
Focused Attack (Hanover, 马里兰州。: Dragos, 2019), p. 11, https://dragos.com/wp-content/uploads/
CRASHOVERRIDE.pdf.
154. Author interview with Volodymyr Styran, Kyiv, 四月 19, 2018. The incident that Styran re-
fers to is Sandworm’s 2015 attempt to compromise the media ªrm Starlight Entertainment, 期间
which it committed a similar basic error. See section 4 of the online appendix, doi.org/10.7910/
DVN/IZ65MC.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 79
against Ukraine’s power infrastructure were even less signiªcant than in 2015.
The outage occurred overnight when most businesses were closed and most
people were asleep. Although some U.S. media outlets covered the event, 这
incident barely registered in Ukrainian media.155 Accordingly, security re-
searcher Marina Kratoªl concluded that the operation “should not have long
and serious consequences.”156
notpetya (2017). Sandworm’s fourth operation, NotPetya, used data-
destroying self-proliferating malware to cause a massive disruption that mea-
surably affected Ukraine’s GDP. The hackers took much less time to prepare
this operation (见表 2), opting to reduce the scope of the effects in order to
maximize scale. Although at ªrst glance NotPetya appears to provide evidence
that supports cyber revolution theory about the scale advantage of cyber oper-
ations, I argue that NotPetya’s scale resulted from a loss of control. 的确,
NotPetya’s collateral damage and follow-on costs highlight the operational
perils of maximizing scale, providing further evidence of the subversive
trilemma and H4.
There is no evidence suggesting that Russia orchestrated the NotPetya cyber
operation in coordination with its military and diplomatic efforts. 上
diplomatic front, Ukrainian President Petro Poroshenko banned several high-
proªle Russian websites in May 2017,157 while military clashes continued
between Russia and Ukraine despite agreeing to another ceaseªre agree-
ment on June 24.158 There is no indication that NotPetya was linked to any of
these events.
Sandworm started to develop NotPetya in December 2016, when it released
155. “Prychynoy obestochyvanyya chasty Kyeva mozhet byt’ ataka khakerov” December 18, 2016;
“V ‘Ukrenerho’ ne vyklyuchayut’ kiberataku na pidstantsiyu ‘Pivnichna’, cherez yaku chastynu
Kyyevu bulo znestrumleno” [Ukrenergo does not rule out a cyberattack on the Pivnichna substa-
的, because of which part of Kyiv was de-energized], UNN, 十二月 18, 2016, https://
www.unn.com.ua/uk/news/1628435-v-ukrenergo-ne-viklyuchayut-kiberataku-na-pidstantsiyu-
pivnichna-cherez-yaku-chastinu-kiyevu-bulo-znestrumleno; and Informatsiyne ahentstvo
Ukrayins’ki Natsional’ni Novyny (UNN) [Ukrainian National News (UNN) news agency re-
移植的], Vsi onlayn novyny dnya v Ukrayini za s’ohodni—naysvizhishi, ostanni, holovni [All on-
line news of the day in Ukraine for today—the latest, latest, 主要的], https://www.unn.com.ua/uk/
news/1628435-v-ukrenergo-ne-viklyuchayut-kiberataku-na-pidstantsiyu-pivnichna-cherez-yaku-
chastinu-kiyevu-bulo-znestrumleno.
156. “Vidklyuchennya elektroenerhiyi v Ukrayini bulo khakers’koyu atakoyu—eksperty” [力量
outage in Ukraine was a hacker attack—experts], Hromadske, 一月 11, 2017, https://hromadske
.ua/posts/vidkliuchennia-elektroenerhii-v-ukraini-bulo-khakerskoiu-atakoiu.
157. Cassandra Allen, “Mapping Media Freedom: Ukrainian Journalists Subjected to Malicious
Cyber-Attacks,” Index on Censorship blog, 七月 11, 2017, https://www.indexoncensorship.org/
2017/07/journalists-ukraine-cyber-attacks/.
158. Patrice Hill, “Monitor Says Ukraine Cease-Fire, Weapons Withdrawal Not Being Hon-
ored,” RadioFreeEurope/RadioLiberty, 二月 22, 2017, https://www.rferl.org/a/monitor-osce-
says-ukraine-cease-ªre-heavy-weapons-withdrawal-not-honored/28324012.html.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 80
the “Moonraker worm,” which could self-proliferate across networks and dis-
rupt systems through data encryption.159 It took Sandworm only six months to
adapt the generic “Green Petya” malware upon which NotPetya was based.160
Between January and March 2017, Sandworm targeted two unnamed ªnancial
institutions to test a new supply-chain malware propagation mechanism with
a new malware called Python/TeleBot.A.161 NotPetya used a similar supply-
chain mechanism as the hackers compromised the software update server of a
popular accounting software provider and hid malware within automated up-
dates that would be sent to customers. This server update thus automatically
spread the malware to its entire user population. According to Styran,
NotPetya was “technically simple,” but the hackers showed a spark of “ge-
nius” by exploiting the victims’ trust in the automated server update.162
By May 2017, Sandworm had ªgured out how to compromise its key target,
the Ukrainian software ªrm Intellect Services, which produces the popular
M.E.Doc accounting software.163 Ukrainian hacker Sean Townsend noticed
that at least one of the ªrm’s servers had not been updated since 2012,164 和
Ukrainian authorities conªrmed that the last update occurred in February
2013.165 Before deploying NotPetya, Sandworm propagated another newly de-
veloped piece of malware called “Xdata” through this server. XData infected
134 victims and caused some minor disruptions, but it did not signiªcantly af-
fect Ukraine.166 Ukrainian cybersecurity expert Victor Zhora speculates that
XData was a “proof of concept” aimed to “map the network” of victimized
ªrms.167 Sandworm ªnally deployed NotPetya, propagated it to M.E.Doc cli-
ents via a compromised software update on June 22, and activated it across all
159. Anton Cherepanov, GreyEnergy: A Successor to BlackEngergy, GreyEnergy White Paper (Bratis-
lava, 斯洛伐克: ESET, 十月 2018), https://www.welivesecurity.com/wp-content/uploads/
2018/10/ESET_GreyEnergy.pdf.
160. 同上.
161. Anton Cherepanov, “TeleBots Are Back: Supply-Chain Attacks against Ukraine,”
WeLiveSecurity blog, ESET, 六月 30, 2017, https://www.welivesecurity.com/2017/06/30/telebots-
back-supply-chain-attacks-against-ukraine/.
162. Author correspondence with Volodymyr Styran via online messaging service, 可能 14, 2019.
163. Jack Stubbs and Pavel Polityuk, “Family Firm in Ukraine Says It Was Not Responsible for
Cyber Attack,” 路透社, 七月 3, 2017, https://www.reuters.com/article/us-cyber-attack-ukraine-
software-idUSKBN19O2DK.
164. Author interview with Sean Townsend, Kyiv, 四月 15, 2018.
165. Catalin Cimpanu, “M.E.Doc Software Was Backdoored 3 时代, Servers Left without Up-
dates since 2013,” BleepingComputer, 七月 6, 2017, https://www.bleepingcomputer.com/news/
security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/.
166. MalwareHunterTeam (@malwarehunterteam), “Here is an IDR based heatmap for past 24
hours of XData ransomware. 91% of victims from Ukraine, (西德:3)3% from RU. @BleepinComputer
@demonslay335,” Twitter, 可能 19, 2017, 1:56 p.m., https://twitter.com/malwrhunterteam/status/
865627306794008578.
167. Author interview with Zhora, 2018.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 81
infected machines on June 27. NotPetya self-proliferated across networks from
all affected machines before executing a disk encryption program that ir-
reversibly destroyed all data on targeted computers. The ransom demand
that NotPetya displayed on hacked computers turned out to be deception,
because neither the bitcoin address it listed for payments nor the decryption
key existed.168
NotPetya’s economic disruption ranks in the middle of Johnson’s escalation
梯子 (rung nineteen of thirty-eight).169 It achieved massive scale, 然而,
disabling an estimated 500,000 computers in Ukraine alone.170 Its automated
proliferation ultimately affected organizations across sixty-ªve countries,171 在-
cluding targets in Russia such as the state-owned oil company Rosneft.172
NotPetya’s speed and apparent success in producing intense effects sug-
gest that Sandworm successfully bypassed the subversive trilemma. But I
show that this cyber operation conªrms H4, because the increase in speed and
intensity of effects correlate with a decrease in control. The hackers could nei-
ther predict nor control NotPetya once they had set it in motion. Days before
NotPetya’s automated proliferation and encryption was activated on infected
电脑, M.E.Doc had sent another clean update to its customers, 哪个
Anton Cherepanov suggests was “an unexpected event for the attackers.”173 It
is exceedingly unlikely that Sandworm could map the near-instantaneous
spread of NotPetya across hundreds of thousands of systems just a few weeks
later.174 Forensic evidence indicates that Sandworm had “underestimated the
malware’s spreading capabilities,” which then “went out of control.”175 The re-
sult was signiªcant collateral damage.
NotPetya’s economic disruption decreased Ukraine’s gross domestic prod-
uct (GDP) by approximately 0.5 百分比在 2017, which shifted the balance of
168. David Maynor et al., “The MeDoc Connection,” Talos blog, Cisco, 七月 5, 2017, http://
blog.talosintelligence.com/2017/07/the-medoc-connection.html; and Anton Ivanov and Orkhan
Mamedov, “ExPetr/Petya/NotPetya Is a Wiper, Not Ransomware,” Securelist blog, AO Kaspersky
实验室,
六月 28, 2017, https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/
78902/.
169. 约翰逊, “On Drawing a Bright Line for Covert Operations,” p. 286.
170. This estimate by an anonymous expert at a leading cybersecurity vendor in Ukraine is based
on the number of compromises he observed personally while involved in mitigation efforts at
multiple large enterprises in Ukraine. Author interview with anonymous cybersecurity expert,
Kyiv, 四月 19, 2018.
171. Author interview with anonymous government advisor.
172. “Maersk, Rosneft Hit by Cyberattack,” Offshore Energy, 六月 28, 2017, https://www.offshore-
energy.biz/report-maersk-rosneft-hit-by-cyberattack/.
173. Anton Cherepanov, “Analysis of TeleBots’ Cunning Backdoor,” WeLiveSecurity blog,
ESET, 七月 4, 2017, https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-
backdoor/.
174. Greenberg, “How an Entire Nation Became Russia’s Test Lab for Cyberwar.”
175. Cherepanov, “TeleBots Are Back.”
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 82
power in Russia’s favor and provided it with independent strategic utility.176
Unlike Sandworm’s previous cyber operations, NotPetya was prominently re-
ported in Ukrainian media.177 Leaders from Ukraine, 美国, 这
英国, and Australia condemned Russia for the destructive cyber
手术, underlining its signiªcance.178 Yet, I argue that NotPetya’s loss of
control indicates the scale of its impact was accidental and produced unin-
tended consequences. The United States imposed sanctions against Russia,
particularly the GRU leadership. 美国. Department of Justice subsequently
indicted six GRU ofªcers for deploying destructive malware.179 These sig-
niªcant unforeseen costs reduce NotPetya’s overall strategic utility and
conªrm the expected constraining inºuence of the subversive trilemma. 更多的
重要的是, despite its scale, NotPetya did not measurably contribute to
Russia’s goals: Ukraine maintained its pro-EU course.
they added efforts to control
badrabbit (2017). When developing NotPetya’s successor, BadRabbit,
Sandworm used the same technique of disabling targets through encryption,
但
its spread and effects. 最后,
it achieved no measurable strategic utility. As predicted by H3, the increase
in control decreased intensity and speed. 而且, I argue that BadRabbit
offered little, 如果有的话, strategic utility to Russia because the cyber operation
only spread to a small number of targets. Its strategic irrelevance provides
further support for my hypothesis that the subversive trilemma is a limit-
ing factor.
176. Igor Burdiga, “‘Chornyy vivtorok’ ukrayins’koho IT: yakykh zbytkiv zavdala kiberataka, ta
khto yiyi vchynyv” [“Black Tuesday” of Ukrainian IT: What damage was caused by the
cyberattack, and who committed it], Hromadske, 七月 8, 2017, https://hromadske.ua/posts/
naslidki-kiberataki.
177. “SBU predupredyla khakerskuyu ataku Rossyyskykh Spetssluzhb na énerhoob’ekty
Ukrayny—112 Ukrayna” [SBU prevented hacker attack of Russian Special Services on power
facilities of Ukraine—112 Ukraine], 112.ua, 十二月 28, 2015, https://web.archive.org/web/
20160303172015/https://112.ua/kriminal/sbu-predupredila-hakerskuyu-ataku-rossiyskih-
specsluzhb-na-energoobekty-ukrainy-281811.html; “Ochil’nyk SBU rozpoviv pro motyv khakeriv,
yaki atakuvaly Ukrayinu virusom Petya” [The head of the SBU spoke about the motive of the
hackers who attacked Ukraine with the Petya virus], TSN, 七月 4, 2017, https://tsn.ua/ukrayina/
ochilnik-sbu-rozpoviv-pro-motiv-hakeriv-yaki-atakuvali-ukrayinu-virusom-petya-955817.html;
and “Pidsumky 2017 roku: Nayhuchnishi vbyvstva v Ukrayini” [Results of 2017: The loudest mur-
ders in Ukraine], 24tv.ua, 十二月 5, 2017, https://24tv.ua/news/showNews.do?pidsumki
_2017_roku_v_ukrayini_vbivstva_2017&objectId(西德:2)895499.
178. Mark Landler and Scott Shane, “我们. Condemns Russia for Cyberattack, Showing Split in
Stance on Putin,“ 纽约时报, 二月 15, 2018, https://www.nytimes.com/2018/02/15/us/
politics/russia-cyberattack.html; and “Treasury Sanctions Russian Cyber Actors for Interference
与 2016 我们. Elections and Malicious Cyber-Attacks,” U.S. Department of the Treasury,
行进 15, 2018, https://home.treasury.gov/news/press-releases/sm0312.
179. 我们. 司法部 (DOJ) Ofªce of Public Affairs, Six Russian GRU Ofªcers Charged in
Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in
Cyberspace (华盛顿, 华盛顿特区: DOJ, 十月 19, 2020), https://www.justice.gov/opa/pr/six-
russian-gru-ofªcers-charged-connection-worldwide-deployment-destructive-malware-and.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 83
BadRabbit does not appear to be linked to Russia’s diplomatic or military
倡议, providing further evidence of the expected independent strategic
role of cyber operations. Prior to BadRabbit, the EU-Ukraine Association
Agreement entered into full force on September 1, 2017, marking Russia’s fail-
ure to reverse Ukraine’s foreign policy course. Forensic evidence indicates that
Sandworm started to develop BadRabbit around September 2016.180 作为
subversive trilemma would predict, increasing control affected BadRabbit’s
operational speed. Hackers took twelve months to develop BadRabbit com-
pared with only six months for NotPetya. BadRabbit and NotPetya used
largely the same code and both cyber operations encrypted data on affected
systems before displaying a ransom demand.181 But Sandworm attempted to
“improve upon previous mistakes” by making encryption reversible on
BadRabbit and using a manually rather than automatically spreading mecha-
nism.182 Victims who visited compromised websites (so-called watering holes)
manually clicked on “OK/install” when the site offered users fake Adobe
Flash Player updates that contained malware.183
BadRabbit pursued the same effect type (IE。, economic disruption, or rung
nineteen on Johnson’s escalation ladder) as NotPetya, but at a fraction of the
scale and signiªcantly less intensity. Like NotPetya, it appears that BadRabbit
mostly targeted businesses’ computer systems, especially banks and media
ªrms but also transport providers. When BadRabbit encrypted compromised
systems on October 24, 2017, 然而, it only affected approximately 200 tar-
gets in Russia, Ukraine, Turkey, and Germany.184 Curiously, most victims
(65 百分) were in Russia,185 然而 75 percent of NotPetya’s targets were
in Ukraine.186 Yet, Sandworm only targeted Ukraine’s critical infrastructure.
180. Yonathan Klijnsma, “Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long
Ongoing Campaign of Target Selection,” RiskIQ, 十月 25, 2017, https://www.riskiq.com/blog/
labs/badrabbit/.
181. John Leyden, “Hop On, Average Rabbit: Latest Extortionware Menace Flopped,” Register,
十月 26, 2017, https://www.theregister.co.uk/2017/10/26/bad_rabbit_post_mortem/; 和
Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov, “Bad Rabbit Ransomware,” Securelist blog,
AO Kaspersky Lab, 十月 24, 2017 (updated October 27, 2017), https://securelist.com/bad-
rabbit-ransomware/82851/.
182. Hasherezade, “BadRabbit: A Closer Look at the New Version of Petya/NotPetya,” Malware-
bytes Labs, 十月 24, 2017 (updated July 16, 2021), https://blog.malwarebytes.com/threat-
analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/.
183. Maynor et al., “The MeDoc Connection”; and Eduard Kovacs, “Bad Rabbit Linked to
NotPetya, but Not as Widespread,” SecurityWeek, 十月 25, 2017, https://www.securityweek
.com/bad-rabbit-linked-notpetya-not-widespread.
184. Mamedov, Sinitsyn, and Ivanov, “Bad Rabbit Ransomware.”
185. Marc-Etienne M.Léveillé, “Bad Rabbit: Not-Petya Is Back with Improved Ransomware,”
WeLiveSecurity blog, ESET, 十月 24, 2017, https://www.welivesecurity.com/2017/10/24/bad-
rabbit-not-petya-back/.
186. Burdiga, “Chornyy vivtorok ukrayins’koho IT.”
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 84
更重要的是, forensic evidence shows that critical infrastructure targets
indicating that
不是
Sandworm “already had a foot inside their [Ukrainian targets] network and
launched the watering hole attack at the same time as a decoy.”187
infected through the malicious Flash Player,
Consistent with the subversive trilemma, BadRabbit’s improved control
over the spread of the malware and its effects came at the cost of low speed
and low intensity. There are no indications of premature discovery, nor of prior
operational missteps that could have compromised the effects. BadRabbit nei-
ther auto-proliferated nor produced any signiªcant collateral damage.188 The
available evidence suggests that BadRabbit caused temporary, reversible, 和
inconsequential disruptions.189 It received minimal media coverage both
within Ukraine and abroad, while Ukraine’s newly established “cyberpolice”
attributed the operation to “criminals” rather than political operatives.190 Con-
依次地, BadRabbit neither contributed toward Russia’s strategic goals nor
shifted the balance of power. Tellingly, since BadRabbit, Sandworm has
abandoned any attempts at active effects cyber operations against Ukraine, 关于-
turning to a focus on pure espionage.191
Alternate Explanations for the Lack of Strategic Utility
Because the decision-making processes of the Kremlin and the Russian intelli-
gence agencies who almost certainly sponsored the cyber operations discussed
remain inaccessible, alternate interpretations concerning the intentions behind
their use abound. This section addresses two alternative interpretations: sig-
naling and experimentation.
The ªrst alternative interpretation holds that Russia deployed cyber opera-
tions primarily as signaling tools. Signaling is the core mechanism in coercive
diplomacy, in which actors demonstrate and deploy capabilities to signal re-
187. M.Léveillé, “Bad Rabbit.”
188. Eduard Kovacs, “Files Encrypted by Bad Rabbit Recoverable without Paying Ransom,”
SecurityWeek, 十月 27, 2017, https://www.securityweek.com/ªles-encrypted-bad-rabbit-
recoverable-without-paying-ransom.
189. Leyden, “Hop On, Average Rabbit”; and “Kiev Metro Hit with a New Variant of the Infa-
mous Diskcoder Ransomware,” WeLiveSecurity blog, ESET, 十月 24, 2017, https://万维网
.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/.
190. Cyberpolice of Ukraine, “Kiberpolitsiya rozpovila podrobytsi diyi virusu-shyfruval’nyka
‘BadRabbit’ (FOTO)—Departament Kiberpolitsiyi” [Cyberpolice tells details of BadRabbit encryp-
tion virus (PHOTOS)—Cyberpolice Department], 十月 25, 2017, https://cyberpolice.gov.ua/
news/kiberpolicziya-rozpovila-podrobyczi-diyi-virusu-shyfruvalnyka-badrabbit-foto-2732/.
191. Sandworm’s last recorded activity in Ukraine was in October 2018. Anton Cherepanov and
Robert Lipovsky, “New TeleBots Backdoor: First Evidence Linking Industroyer to NotPetya,”
WeLiveSecurity blog, ESET, 十月 11, 2018, https://www.welivesecurity.com/2018/10/11/new-
telebots-backdoor-linking-industroyer-notpetya/.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 85
solve and induce adversary actions.192 Effective signals have a clear recipient
and content, neither of which is the case regarding the ªve cyber operations
that I examine in this article. 例如, one interpretation of the two power
grid sabotage cyber operations holds that, “Russia is using cyber intrusions to
signal the risk of escalation in a crisis” to its rivals (IE。, the United States and
北约).193 Joseph S. Nye Jr., 相比之下, speculates that Russia is signaling to
Ukraine, “reminding Ukraine of its vulnerability in a hybrid war with a differ-
ent level of plausible deniability.”194 Similarly, one interpretation of NotPetya
suggests it was “designed to send a political message: if you do business in
Ukraine, bad things are going to happen to you.”195 A second interpretation
sees Russia “demonstrating its ability to disrupt faith in public institutions.”196
These interpretations are plausible, and so are many others, yet there is little
tangible evidence to support them.197 Ultimately, the existence of multiple
interpretations indicates that the signal is unclear. 更重要的是, 即使
signaling was the intent, it does not challenge my ªndings on the limiting role
of the subversive trilemma.
The second alternate explanation suggests that Russia deployed cyber oper-
ations primarily to test and develop its capabilities. A Dragos report about the
power grid sabotage operation in 2016 noted that it was “more of a proof of
concept than what was fully capable.”198 Ben Buchanan picks up this point,
suggesting that Sandworm perhaps wanted to “see how the code worked in
practice so they could reªne it for future use,” and he quotes Dragos’s CEO
Robert M. Lee warning of the potential threat to critical infrastructure around
the world.199 There are three key issues with this interpretation. 第一的, 这是
highly unlikely that an actor will spend years developing a capability and de-
ploy it without pursuing any strategic gains. 而且, doing so risks losing
the capability by allowing potential future victims to remove the vulnerabili-
192. Schelling, Arms and Inºuence.
193. Benjamin Jensen and J.D. 工作, “Cyber Civil-Military Relations: Balancing Interests on the
Digital Frontier,” 岩石战争博客, 九月 4, 2018, https://warontherocks.com/2018/09/
cyber-civil-military-relations-balancing-interests-on-the-digital-frontier/.
194. Joseph S. Nye Jr., “Deterrence and Dissuasion in Cyberspace,” 国际安全, 卷. 41,
不. 3 (冬天 2016/17), p. 49, doi.org/10.1162/ISEC_a_00266.
195. Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in His-
保守党,” Wired, 八月 22, 2010, https://www.wired.com/story/notpetya-cyberattack-ukraine-
russia-code-crashed-the-world/.
196. Brandon Valeriano, Ryan C. Maness, and Benjamin Jensen, “Cyberwarfare Has Taken a New
Turn. 是的, It’s Time to Worry,” Monkey Cage blog, Washington Post, 七月 13, 2017, https://万维网
.washingtonpost.com/news/monkey-cage/wp/2017/07/13/cyber-warfare-has-taken-a-new-
turn-yes-its-time-to-worry/.
197. See section 5 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
198. Dragos, Crashoverride, p. 11.
199. 布坎南, The Hacker and the State, PP. 204–205.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 86
ties it exploits. In the words of Lee, “it would be extraordinarily weird to stage
an entire attack as just a proof of concept.”200 Second, there is no empirical evi-
dence supporting this interpretation. Sandworm has not used this toolset
再次, nor has it pursued other critical infrastructure sabotage using similar
方法. 显着, forensic analysis by Symantec showed that the 2017 在-
trusions in the U.S. energy grid attributed to Russia were the work of a differ-
ent actor and shared no tools or techniques.201 Third, the “proof of concept”
interpretation ultimately suggests that cyber operations are instruments of fu-
ture higher-stakes conºict. Yet as the analysis shows, despite multiple years of
experimentation and testing, Sandworm did not overcome the subversive
trilemma.
结论
This article has argued that cyber operations are an instrument of subversion
whose operational effectiveness is constrained by a subversive trilemma. 这
demands of the mechanism of secret exploitation that cyber operations rely
upon result in actors facing trade-offs between improving either speed, inten-
城市, or control of operations. Increasing the effectiveness of one variable tends
to decrease the others. In most circumstances, cyber operations thus tend to be
太慢了, too low in intensity, or too unreliable to contribute to political goals
or shift the balance of power. 最后, cyber operations tend to fall short
of their strategic promise and deliver limited utility. The case study of the
Russo-Ukrainian conºict provides strong support for this theory. All ªve cyber
operations that I examine in this article showed clear evidence of the con-
straining role of the trilemma.
This theory has several implications for the study of cyber conºict. Most im-
不幸地, the subversive trilemma signiªcantly hinders the ability of cyber op-
erations to successfully produce independent strategic utility. Success requires
alleviating the trilemma without raising costs above those of potential diplo-
matic or military alternatives. 特别是, effects must be sufªciently intense
to contribute to a given goal, while the operation must produce these effects
within a timeframe that is short enough to avoid discovery but long enough to
increase the likelihood of both achieving the intended effects and avoiding un-
200. Author communication with Robert Lee via online messaging service, 二月 25, 2021.
201. Threat Hunter Team, “Dragonºy: Western Energy Sector Targeted by Sophisticated Attack
团体,” Broadcom blog, Symantec Enterprise Blogs: Threat Intelligence, 十月 20, 2017, https://
www.symantec.com/blogs/threat-intelligence/dragonºy-energy-sector-cyber-attacks; and Andy
Greenberg, “Your Guide to Russia’s Infrastructure Hacking Teams,” Wired, 七月 12, 2017, https://
www.wired.com/story/russian-hacking-teams-infrastructure/.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 87
intended consequences. 此外, it requires conditions for success that are
rarely present: the availability of systems that control social, 经济的, 或者
physical processes of strategic signiªcance, yet also contain vulnerabilities that
operators can exploit without premature detection. 最后, long development
time involving highly skilled operators is expensive; the more intense, physi-
cal effects an operation pursues, the less favorable the cost-beneªt ratio is
likely to be.202 Moreover, even under ideal conditions, the potential effect on
the balance of power is still likely marginal.
Cyber operations are most likely to deliver on their strategic promise in two
scenarios. The ªrst scenario is long-term, low-stakes competition between
adversaries with a signiªcant power differential. Although most of the condi-
tions above are present in Ukraine, the deployment of multiple cyber oper-
ations did not measurably contribute to Russia’s strategic goals. 因此, 它
likely requires decades to develop a successful cyber operation, which makes
it difªcult to isolate the operation’s inºuence in order to measure its effects.
重要的, the most signiªcant power shift that traditional subversion can
achieve is regime change. Cyber operations alone are likely incapable of such
effects. 因此, cyber operations are most likely to deliver utility if they
are integrated with traditional subversion.203
The second scenario is high-stakes competition among nuclear-armed peer
competitors that expect eventual military confrontation. The tensions between
the United States and China are a key example. Potential nuclear escalation
renders the risks and costs of using conventional force unacceptably high. 铝-
though the subversive trilemma suggests an unfavorable cost-beneªt ratio for
cyber operations that pursue highly intense effects at the operational level,
strategic beneªts may still outweigh these costs. The party in a “domain of
losses” is especially likely to be more risk-accepting, and thus more likely to
accept the limits of control.204 If states use cyber operations to target military
assets for sabotage, cross-domain effects indicate potential inadvertent escala-
tion risks.205 Because cyber operations can likely achieve only marginal
changes to the balance of power over longer-term competition, they are only
likely to make a difference when both actors are closely matched and neither
side exhibits exponential growth rates.
202. Slayton, “What Is the Cyber Offense-Defense Balance?”
203. The Grugq, “A Short Course in Cyber Warfare,” keynote at Black Hat Asia 2018 conference,
Marina Bay Sands, 新加坡, YouTube, 四月 10, 2018, https://www.youtube.com/watch?v
(西德:2)gvS4efEakpY.
204. Amos Tversky and Daniel Kahneman, “The Framing of Decisions and the Psychology of
Choice,“ 科学, 一月 30, 1981, p. 453.
205. Erik Gartzke and Jon R. Lindsay, “Thermonuclear Cyberwar,” Journal of Cybersecurity, 卷. 3,
不. 1 (行进 2017), PP. 37–48, doi.org/10.1093/cybsec/tyw017.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 88
In lower stakes, nonnuclear dyads, capable states can be expected to regu-
larly employ cyber operations even though they have a high failure rate, 作为
has been the case historically with traditional subversion.206 For the same rea-
儿子, 然而, their impact on security competition should not be overesti-
mated because their strategic utility remains limited, barring “unicorn”
scenarios in which all favorable conditions align and the subverting actor is
extremely lucky.
Three major policy implications follow from this argument. 第一的, it conªrms
the current shift away from a strategy of cyber deterrence rooted in theories of
warfare, whose aim is to avoid costly engagements.207 Second, 选择
emerging strategies of “persistent engagement” and “defend forward” that
guide U.S. posture should consider the subversive trilemma as a limiting fac-
tor to avoid unintended consequences.208 These new strategies build on as-
sumptions of cyber revolution theory, and they aim to maximize the utility of
cyber operations as instruments of low-intensity strategic competition while
minimizing risks by participating in “agreed competition” that adheres to a set
of tacit rules of engagement.209 The ªndings of this study, 然而, 建议
that the subversive trilemma is the more likely explanation for the observed
low intensity of competition. By pursuing more aggressive engagement, 这
United States may shift adversary cost-beneªt calculi toward more risk-taking,
such as increasing effects intensity at the cost of control, which inadvertently
intensiªes cyber competition.210 Finally, persistence is a key requirement for
actors to succeed in exploiting targets. 然而, long-term planning, reconnais-
sance, and stealth as well as space for creative development are just as if not
more important to maximize effectiveness and utility of cyber operations.
Privileging persistence, as the current strategy does, risks neglecting these re-
quirements for success. 反过来, defenders in cyber conºict can beneªt
from exploiting the trilemma and exacerbating its constraining role on adver-
206. O’Rourke, Covert Regime Change, p. 8.
207. Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command (Fort
乔治·G. Meade, 马里兰州。: 我们. Cyber Command, 2018), https://www.cybercom.mil/Portals/56/
Documents/USCYBERCOM%20Vision%20April%202018.pdf?版本(西德:2)2018-06-14-152556-010.
208. 迈克尔·P. Fischerkeller and Richard J. Harknett, “Persistent Engagement, Agreed Competi-
的, and Cyberspace Interaction Dynamics and Escalation,” Cyber Defense Review (2019), PP. 267–
287, https://www.jstor.org/stable/26846132; and Paul M. Nakasone, “A Cyber Force for Persistent
运营,” Joint Force Quarterly, 卷. 92, 不. 1 (2019), PP. 10–14, https://ndupress.ndu.edu/
Portals/68/Documents/jfq/jfq-92/jfq-92_10-14_Nakasone.pdf.
209. 迈克尔·P. Fischerkeller and Richard J. Harknett, “Through Persistent Engagement, 美国.
Can Inºuence ‘Agreed Competition,’” Lawfare blog, 四月 15, 2019, https://www.lawfareblog
.com/through-persistent-engagement-us-can-inºuence-agreed-competition.
210. Lennart Maschmeyer, “Persistent Engagement Neglects Secrecy at Its Peril,” Lawfare blog,
行进 4, 2020, https://www.lawfareblog.com/persistent-engagement-neglects-secrecy-its-peril.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
The Subversive Trilemma 89
sary operations. Defensive strategies should prioritize the capacity to detect
and neutralize intrusions. If immediate neutralization is impossible, defensive
measures should aim to slow adversary speed, limit their control, and maxi-
mize the barriers that adversaries must overcome to achieve or intensify ef-
fects. The same principles should guide systems design, as well as security
rules and practices. Existing counterintelligence strategies provide a useful ba-
sis to develop such strategies.
此外, while this study has focused on the utility of cyber operations as
independent strategic instruments, its ªndings also apply to their use as com-
plements to other instruments of power. Just like traditional subversive opera-
tions have been deployed to contribute to military goals, such as undermining
command structures, so can cyber operations.211 Regardless of strategic context,
any cyber operation that produces effects through hacking relies on the subver-
sive mechanism and is thus bound by its trilemma.212 Consequently, the tri-
lemma can be expected to apply across multiple strategic contexts.
To verify this theory, further research tracking evidence of the subversive
trilemma in varying strategic contexts and by different actors is required. Find-
ings from this study supported H2, H3, and H4, but the cases examined did
not produce the conªguration of the trilemma predicted by H1. Quantitative
research verifying the predicted correlations across a larger universe of cases
will be especially useful. 第二, historical comparative research is needed to
verify the proposition that the quality of subversion has not changed despite
the technological advances of the information revolution. 在这方面, the in-
tegration of cyber operations with traditional subversion is a key topic of inter-
东方. While this study has focused on hacking, assessing the impact of new
technology on effectiveness and utility requires more empirical examinations
of another key instrument of subversion: inºuence operations that use disin-
formation and propaganda.
最后, looking ahead, changes in design features of ICTs may alter the sub-
versive trilemma. The most likely change is simpliªcation and standardization
in cyber-physical systems213 and the rise of the Internet of Things (IoT),214
211. Miklós Kun, Prague Spring, Prague Fall: Blank Spots of 1968, 反式. Hajnal Csatorday (布达佩斯:
Akadémiai Kiadó, 1999), p. 151.
212. There are some exceptions, such as Distributed Denial of Service attacks or Ransomware, 然而
these are of low relevance in interstate competition.
213. Borja Bordel et al., “Cyber-Physical Systems: Extending Pervasive Sensing from Control The-
ory to the Internet of Things,” Pervasive and Mobile Computing, 卷. 40 (九月 2017), PP. 156–
184, doi.org/10.1016/j.pmcj.2017.06.011.
214. IoT refers to physical devices that have sensors that are linked to the Internet. Philip N.
霍华德, Pax Technica: How the Internet of Things May Set Us Free or Lock Us Up (新天堂, 康涅狄格州:
耶鲁大学出版社, 2015).
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
国际安全 46:2 90
which could make it easier for cyber operations to produce physical effects at
规模. This change could increase cyber operations’ intensity and potential to
affect the balance of power, but the perils of losing control over an operation
would still exist. 相似地, advances in artiªcial intelligence may improve
control over scale-maximizing operations by facilitating computer network
mapping and command-and-control functions.215 Defenders in cyber conºict
(IE。, administrators of computer systems being targeted by cyber operations),
然而, would likely beneªt as well because artiªcial intelligence promises
superior means of detecting exploitation.216 Consequently, the trilemma will
likely remain relevant.
我
D
哦
w
n
哦
A
d
e
d
F
r
哦
米
H
t
t
p
:
/
/
d
我
r
e
C
t
.
米
我
t
.
e
d
你
/
我
s
e
C
/
A
r
t
我
C
e
–
p
d
我
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
我
s
e
C
_
A
_
0
0
4
1
8
p
d
.
F
乙
y
G
你
e
s
t
t
哦
n
0
8
S
e
p
e
米
乙
e
r
2
0
2
3
215. 看, 例如, Zhong Liu et al., “Cyber-Physical-Social Systems for Command and Con-
控制,” IEEE Intelligent Systems, 卷. 26, 不. 4 (七月八月 2011), PP. 92–96, doi.org/10.1109/
MIS.2011.69.
216. Fan Liang et al., “Machine Learning for Security and the Internet of Things: The Good, 这
坏的, and the Ugly,” IEEE Access, 卷. 7 (2019), PP. 158126–158147, doi.org/10.1109/ACCESS
.2019.2948912.
