Lawfare Daily: The Limits of Cyber Subversion, with Lennart Maschmeyer

Eugenia Lostri, Lennart Maschmeyer, Jen Patja
Wednesday, July 17, 2024, 8:00 AM
Discussing the strategic value of cyber subversion.

Eugenia Lostri, Lawfare's Fellow in Technology Policy and Law, talks with Lennart Maschmeyer, Senior Researcher at the Center for Security Studies at ETH Zurich, about his new book, “Subversion: From Covert Operations to Cyber Conflict.” The book explores how subversion works and what its strategic value is, and how technological change alters its reach and quality. They talked about the promise of subversion as an instrument of power, the tradeoffs required for covert operations, and how current doctrine should consider cyber capabilities.

Please note that the transcript was auto-generated and may contain errors.

Transcript

[Intro]

Lennart Maschmeyer: The analogy to warfare doesn't really work because ultimately this is not about blowing things up. It's more about, you know, finding a way into computer systems, manipulating it.

Eugenia Lostri: It's the Lawfare Podcast. I'm Eugenia Lostri, Lawfare fellow in technology policy and law, with Lennart Maschmeyer, senior researcher at the Center for Security Studies at ETH Zurich.

Lennart Maschmeyer: How can we learn from not only, you know, the new technology, but also from historical cases of how states have used all the different tools they have at their disposal to, to hurt their adversaries?

Eugenia Lostri: Today we're talking about his new book “Subversion,” which explores the promise and reality of cyber capabilities in conflict.

[Main Episode]

So I, I wanna start just by asking you about the rationale for you writing this book, because it provides both, you know, maybe a more traditional study of subversion as an instrument of power, but then it also offers this very interesting analysis of the role that cyber capabilities can play in conflict. So what were you seeing either in doctrine or in actual operations that made you wanna write an entire book about this?

Lennart Maschmeyer: This was a PhD project in the beginning, right. So that's, I think, explains the kind of book ambition behind it. And the question I was trying to answer when I started working on this was my expectation that there is a revolution in the nature of conflict because of the information revolution with, you know, it's plausible, at least you can assume it changes a lot of things.

And that was the expectation at that time around 2016. That you have this ability suddenly for states to run these cyber operations, which are really fast, cheap, effective, secretive as well, which lowers the escalation risks.

And I was planning to write a book on this revolution and examine it, but what it turned out was kind of has been the opposite 'cause the more I was looking into this topic and looking for kind of signs of the revolution of warfare, especially the more I realized that actually the analogy to warfare doesn't really work because ultimately this is not about blowing things up. It's more about, you know, finding a way into computer systems, manipulating them, and also that the techniques used, the technology is new, but the techniques used, fundamentally, the mechanisms involved, they're not that new, it's just that they're not, not understood very well.

And that's this kind of shadowy world of subversion that's been there always. It's also always been in the shadows of world politics, you know, security competition in world politics that's been on the front stage, and it's something that's just not studied as, as much, far less than, you know, just warfare.

Eugenia Lostri: Yeah. Building on that, I, I thought I could, you know, we could follow the two questions that are at the center of your book to kind of frame this conversation, right? And so the first one that you tackle is how does subversion work? What is its value, strategic value? And then how does technological change alter subversion, right?

So let's start at the beginning. You have a, a really interesting discussion of, you know, what is power? What is subversion? How do we define the elements of power? So, you know, let's have an abridged version of that. Can you describe subversion as this instrument of power? How it's different from war and diplomacy? What are the differences, and at least theoretically, how should we understand subversion?

Lennart Maschmeyer: Sure. So I mean, face value is very straightforward and simple because you have warfare, as I said, right? That's the main thing that people study, who study international relations. That's traditionally the main instrument that states use if they have a conflict and they, you know, want to want others to or, or want to get others to do what they want against resistance, basically, that's also the basic idea of power. So violence or the threat of violence using force. That's traditionally been the main instrument.

Unfortunately, it still is now, as we see in Ukraine, for example, in a very terrible way. Also in a way, challenging this expectation that we have a revolution, a change in the nature of conflict, because that's been the idea, as I was alluding to earlier, right? This idea that now states can achieve things without going to war that they couldn't previously achieve.

So then you start thinking of what are alternatives to warfare, right? If, if you don't want to use force, then how can you get others to do what you want? And diplomacy is then the typical alternative. So mostly this is about treaties or, you know, just bargaining negotiations between countries, sometimes also threats.

So in that way, you know, warfare kind of comes, comes in from the background ultimately, because it's based on your ability to hurt others, that you can sometimes force them to do things by just threatening them with violence. But subversion is something that's in between in this, yeah, this shadowy world, as I was saying, right, of covert operations that offer a way to get others to do what you want without overtly using force.

Sometimes in some of these covert operations force is involved, secret warfare. The Bay of Pigs invasion from the CIA, right, we're trying to invade covertly, invade Cuba there. But also there are a lot of covert operations that are not about using force, using kind of troops secretly, maybe without overt insignia.

And that's ultimately the, the world where subversion happens. And the problem with it, and that's because also it's not studied very well, is that there isn't really a clear definition when you start reading the literature. And all, most of the literature is really more like spy fiction and you know, kind of interesting, crazy stories sometimes put together in this history of how this instrument works and mostly in the Cold War subversion was a tool that both of these powers, the US and and the Soviet Union used to get an advantage over the other side because warfare was really costly at the time.

Right? You have two nuclear powers and that means actually war was so costly that they never resorted to it. They had to find an alternative that went beyond diplomacy. That's why subversion became so important at that time. And the main thing both sides were trying to achieve was get other states kind of in the middle, right.

That would, that would sometimes become proxy regimes, then to get them on, on their side. Subversion there was the tool to secretly manipulate, infiltrate states from within to overthrow the government basically. And then through that time, and the whole literature from the Cold War, subversion basically has become synonymous with, with that goal of overthrowing a regime.

So, long story short, I was looking instead of at that goal and trying to make sense of how this works at, at the mechanism involved. And that's what I was piecing together from, from the literature. And I realized, and that's also where kind of the penny dropped for me with this comparison to cyber operations, the ultimate fundamental mechanism at play here is about infiltrating systems.

So social systems in, in traditional operations, basically infiltrating an adversary's institutions or organizations or, or social groups with undercover spies that then gain some influence in those systems and, you know, ideally assume some position of power in, in an institution for example, but under a false identity.

So, you know, without revealing there is any outside interference, and then use the influence they have to secretly manipulate that organization or you know, people who are part of it to do things that harm the victim, the state that is the victim here to the benefit of the sponsor of that operation.

And mostly though, without using force, it's more about using kind of legitimate rules, existing rules and practices and flaws in these rules. Also weaknesses in human character, human behavior to just manipulate people and manipulate organizations. And ultimately that's exactly how cyber operations produce outcomes as well, right?

You can't really force your way into the computer system. You can only find a way. And if there is a vulnerability either in the software or in the people who use these computer systems, so social engineering techniques work the same way. It's about finding a flaw, exploiting it, and then making a system do things it's not supposed to in a way that benefits you and harms, harms your victim.

Eugenia Lostri: That's such an interesting way of comparing them, right? Because usually one wouldn't think of cyber operations intrusions in that same way because when we're talking about subversion, it's easy to just think about, like you were saying, the spies and it's much more of a human component, right?

It's about taking advantage of people's weaknesses or their vulnerabilities. So I, I find this, you know, just kind of an interesting way to think about cybersecurity, about exploiting these existing weaknesses in order to make the system work for you. I found that interesting as I was reading this. Yeah. It's not usually how we talk about it, but it is accurate.

Lennart Maschmeyer: Yeah, that's, I don't know why there are some explanations for it. I guess obvious ones to some extent why there is this language of warfare around it, right? It's always about some analogy, you have a cyber weapon, something is a cyber cruise missile.

That's how the Stuxnet virus was called by some people. And then you have an espionage operation, like the SolarWinds case in the U.S., right? This great intrusion that stole a lot of really sensitive information. And some lawmakers comparing it to an act of war. But if you look at what actually happened, it's about stealing sensitive information.

It's espionage, it's by infiltrating a system. There's no violence involved. I mean, the basic definition of an act of war is, you know, using violence, organized violence, that's the definition of war. So that's, it's been striking to me why, and, and still it, it goes on, right?

That the first analogy is always warfare. It's about offense, defense, and, you know, you, you have your offensive side. You try to get into the, into the defense. If you manage to breach the defensive lines, then you win. But it, that's not always the case, that the logic is just different. Sometimes, you know, operations fail because they get discovered.

And the defender gets a huge advantage because they can map the whole infrastructure of, of the adversary. And in that way, the analogy is kind of, it makes it exciting. I think it also works because military organizations, they have, kind of, grabbed onto this issue, right? The Air Force in the U.S., for example, was one of the first to really push this idea of fighting in cyberspace.

They had this slogan of, I think, “fly, fight and win in cyberspace,” working on this virtual reality project Thomas Rid has written a lot about, and that in his book. So it's clear kind of why we have this analogy, why it's entrenched, but if you look at the mechanism involved, it, it just doesn't really make sense. So I was, I wasn't as a PhD student, right? I was searching for a way to make sense of all this, and then I finally found the right thing there.

Eugenia Lostri: Yeah. I, I feel like throughout my, throughout my career, I, I always struggle with all of the, the war language, the conflict language that we've applied to this. You know, we're always talking about, well, when will a cyber attack cross the threshold for use of force?

When can we consider cyber as a start of war? And, and at the same time, like that doesn't happen. And then we have all of these other things happening that we just don't have the language to talk about because we're just thinking about when will it become like this, you know, the cyber Pearl Harbor. And I've always understood this, you know, just to give another perspective on, on the history of it.

It was based off, and, and I dunno if this is true, but this is just my understanding that some people were actually aware of cybersecurity risks. And unfortunately the one way to get people to pay attention is if you go to the extremes. And so you need to start talking about all of these extreme cases in order to get people worried and to start making progress, that actually, you know, reflects what you are seeing. So I don't know if that's true, but I've, I've always found that to be a convincing explanation considering how influence works.

Lennart Maschmeyer: Yeah. And if you're an organization in a government and you want a budget, right? Obviously you're gonna say this is a really serious issue and you need more money because things are just getting worse.

And on the same, on the other hand, you have an industry, cybersecurity industry that is selling the, the product here, which is protecting against these attacks. So obviously they have clear incentives to not always exaggerate, but emphasize, you know, that the worst kind of scenarios that that could happen.

But I think that's if you look at a lot of kind of analysis and also basis for policy in, in this space, it's mostly based on, on possibilities that are all plausible. So, I mean, that's another point I'm trying to make, right, that yes, there are a lot of plausible scenarios that are possible with the technology, but the problem is that not everything that you can imagine that's that's possible, right?

It's really also realistically feasible to do in practice and there are a lot of challenges involved that are often overlooked because of, yeah, various reasons, like some of the ones we, we discussed. And that's something else that struck me looking at the more historical literature.

It's the same you read in the Cold War, you read some statements. There's a report by U.S. Congress, by a special committee on us on Soviet active measures about the, the possible threat this kind of stuff might pose, how, you know, Soviet subversion could just undermine the strengths of the, the Western Alliance, basically from within, because they're open systems, open societies, they're just so vulnerable, and the Soviets have perfected these methods over decades.

And we basically, we as the Western Alliance at that time have nothing to, to oppose them and, and the, the fear that comes from that. Right. And that's also, I think partially because very few looked into, on the one hand, what are the effects of these kinds of operations and what are the mechanisms? What, what are the drawbacks?

And obviously it's difficult because there's just so little tangible evidence too, right? I mean, you often read about a cyber attack. But rarely does it say, well, you know, it, it caused this amount of damage. You know, this was the, the kind of real world impact. It's more about this was the objective, it worked, and then this final step you have to mostly make in your head that, okay, yeah.

It probably also then made an impact, at least plausible. It made plausibility, it made an impact.

Eugenia Lostri: Is the overemphasized effect right? If we're not talking about actual real world effects of a cyber operation and we're focusing more on they tried to do this and they succeeded in intruding and yeah, we stopped it, but you know, they were still there.

Do you think that does accomplish the first kind of effect of subversion that you identify in the book, which is still manipulating public opinion, you know, and maybe manipulating policy like in a different way than traditional subversion would be able to do it, but is this idea that, oh, the Russians are so good at manipulating, you know, social media, and then we're all kind of convinced, oh yeah, no, they're so good.

Even though their Facebook page had like 10 subscribers and only two people looked at it. Like, would you consider that still a, a successful kind of subversive operation?

Lennart Maschmeyer: Yeah, that's a really good question and I, I don't think I can give you a very satisfying answer because that's something I'm trying to figure out now, defining what is actually a success, right?

Especially if you never clearly know the goals of your adversary and you get with this, the point you make. It's a great one. You get into really murky territory quickly. So on the one hand you mentioned the manipulation strategy, right? So in the book, basically I'm saying there are three strategies. The first is to manipulate your adversary from within, either directly, government policy or public opinion.

The second one is kind of long-term erosion, where you just undermine cohesion, sabotage of infrastructure, but also just undermining trust in a society and kind of fueling tensions. And the final one, the one I mentioned at the beginning, is just overthrowing a government. So you have these, these three strategies, and it's relatively clear if you want to assess success and failure, if you think of a manipulation of specific policy, right?

Because you know, okay, this is the policy that your adversary was trying to change, or from the sponsor of the operation, right? You're trying to change this outcome. You can clearly measure did it change or not? Same with overthrowing a government, that's an either or thing, right? The government is still there, or it's not, that's quite clear.

But this erosion strategy that works over the long term, that's much harder to assess also, because it's not any clearly established goal that's, you know, based on some kind of tangible metrics except for maybe public trust in the government. So that's the one metric I, I looked up in Ukraine to measure it.

But something like what you were saying, failed basically individual operations that maybe tried to manipulate public opinion but didn't have the reach, but then get amplified by media reporting that, you know, suggests, well, the Russians are doing this and, you know, there are all these campaigns and what if, and then exactly as you're saying, this belief that maybe we can't really trust what we read in the news.

And you know, maybe everything is controlled by outside hands. And you have some politicians then picking this up too. I remember Hillary Clinton giving an interview a few years ago where she accused someone of being a Russian asset without giving any evidence for it. That was kind of right after the, the, the whole panic around the Russian interference in, in the U.S. elections.

So that might ultimately benefit the sponsor of that campaign, right. Russia in that case. But was it the intention, right? Was it their goal? Because this is ultimately not something that you can control anymore. If you run these operations, it's completely about how your victim reacts. And maybe you can guess that some of this might happen, but ultimately it's, it's beyond your control.

And that highlights really one of the big drawbacks of these kinds of operations because you have ultimately relatively limited control. You always depend on some system in between or, and people that use it. And you can't fully control what these people are doing or how these complex systems are are behaving, right?

That's why we also often see cyber operations that either completely fail to produce their effect or they create collateral damage and, you know, spread far beyond their intended targets. And that becomes problematic when you are trying to achieve some specific strategic goal. And you would assume at least that most actors in world politics, they do have some specific goals.

Eugenia Lostri: So just going back, because I found it interesting that you said that for regime change, you know, you do have kind of measurable effects, right? Either the government is still there or not, but you know, taking this a step further, couldn't you also argue, well, maybe you manage to change the regime. There's a new government that you think is going to be, you know, more open to, let's say, country A's ideas and principles, but they might not be. Like, you still don't have control over that, right? I mean, you could, you could always go a step further and just be like, well, did it actually achieve what you wanted it to achieve if they're actually not who you thought they were?

Lennart Maschmeyer: Yeah, exactly. The longer, kind of the longer term, you look at it, the harder it becomes to really pin down something that's really successful because you don't know, you can't fully control the, the regime you put in place, the government might also change. Or you know, there are some internal power struggles again, that are beyond your, your control.

So you have the, the limit of control. I mean, I'm saying there are three basic constraints to these operations. Right? And one of them, and I think the main one is control, but you also have this limitation in the speed that you can operate with because you always depend on finding some vulnerabilities, some flaws, understanding systems that others have designed and built and use, and try to find something that those people have missed, right?

That's, that's not an easy thing. That takes a long time. And at the same time, you have to be careful because you depend on not being discovered until you do whatever manipulation you wanna do. 'Cause otherwise your victim can relatively easily stop you by just maybe arresting a spy or, you know, in the case of cyber operations, finding the malware involved, deleting it, and these constraints, they, they exist in traditional operations, but they also exist in, in the new cyber operations.

Despite this expectation and right, there has been this idea of warfare, cyber operations as really great instruments of warfare, the expectation of a cyber kind of Pearl Harbor scenario, which didn't happen. In the, with this realization that it didn't happen then over the last years, there is this idea of a revolution short of war that fuels also and and really builds the foundation for persistent engagement as a new strategy in that space that the U.S. has has adopted.

That assumes that cyber operations are not bound by the same constraints as traditional covert operations, and because of that, we need new strategy to counter this threat. Which is also a really plausible idea, right? I, I think it's absolutely plausible and probably true in some cases, but the, the problem is that no one has really, and that to me is really striking, considering that we've had these predictions for now, almost three decades, that there is this revolution in conflict that almost no one has really systematically looked at, okay, you know, this is the type of conflict that we think there is a revolution happening in.

And then how did it look before this technology was there? And how does it look after and, and what has changed. Right? And ultimately, if you wanna understand how the technology has impacted it, that's the only way that really works. So that's what I've been trying, trying in the book here.

Eugenia Lostri: You know, I do have to say, what about the AI revolution that could actually change things.

Lennart Maschmeyer: Yeah. There's always another revolution on, there's always a new revolution, you know?

Eugenia Lostri: Let's go back to the, the control and, and the speed. These kind of constraints on operations. Talk a little bit more about that. You call that the sub, subversive trilemma, right? Which is all about the trade-offs that you need to, you know, accept for any of these operations. So, so walk us a little bit through, how does that work in traditional operations? You've, you've already mentioned it a little bit, but I wanna make it the focus of the answer here. And then how is it the same or different for cyber operations?

Lennart Maschmeyer: Sure. Yeah. I mean, I've, I've given you the, the short overview already, right? So, I mean, basically if you want to find some way into your adversary society, the starting point for most of the traditional operations, you have to train a spy in everything that's related to, to that society. So basically, most importantly, learning the language and without any accent that can be easily picked up.

And that's what the Soviets were really good at, they had these under undercover spies called illegals that had these really carefully constructed cover identities that were also built up over years, sometimes, you know, maybe 10 years living in also western societies without being discovered.

And then also being moved around. There were a few points where it was a bit easier to get them in. So also between the, the border between East and West Germany, for example, at that time. So trying to create this basically agent that can secretly, somehow find a way in, and then also have the skills to achieve whatever objectives they're given.

But these illegals were usually given relatively broad objectives that, you know, mostly was about having them in place in a society and then depending on what their handlers needed, maybe infiltrate some research institute and doing that by perhaps, you know, identifying some lonely employee there. That's something they, they often did, you know, maybe starting a relationship with them or, you know, finding some, some flaw in the security practices there.

Maybe, you know, some, some door was unattended or you know, there was a security guard that was quite sloppy. Identifying some vulnerability like that, and as you can imagine, it takes time. Also, building up trust with an employee that you're trying to exploit, all of that ultimately takes time. So you have years for training this spy, and then months or sometimes years for putting that spy, putting your agent in a position where you can actually start thinking about implementing whatever effect you want or implementing basically the operation, creating and producing the, the effect that you wanna produce, but at the same time, then your spy needs to be in place, must not be discovered.

So, right, if you don't proceed carefully, it's, it can easily happen that you then lose all this work that you've put in. So imagine, right, starting with this example again, the, the spy who wants to infiltrate this research institute wants to steal some information. The really mildest kind of form of or the mildest effect of subversion in, in this way, basically feeding also into espionage.

If that spy then just walks into some protected area and then grabs a bunch of sensitive documents, that's obviously not gonna work, right? So it would be about then finding a, a way up in the kind of ladder in that organization, getting the trust of all the employees around you to be able to access these documents that you ultimately want to get and steal without raising any suspicions.

Basically the same thing, if it's about sabotage, about sabotaging some equipment. You also need to be in a position where you can access that equipment without raising suspicions either by, you know, sneaking in somewhere or just having the trust of everyone around you who would then later be interviewed and said, wow, we would've never imagined that, you know, Ryan here would, would do this, or whatever.

Eugenia Lostri: Yeah. And there, there's the balance, right? Because you need to make it worth the potential for blowing up your cover.

Lennart Maschmeyer: Yeah, right.

Eugenia Lostri: I mean, you've invested so much and it's like, well, are we going to blow all of this up for just some papers or to sabotage one machine? You know, like is it that important and, and where is that line?

Lennart Maschmeyer: Yeah, exactly. And especially with the added risk that it might go wrong, even if you've done everything right, if you then, you know, want to manipulate some complex machinery to sabotage it. It might not work, or maybe the damage is more than what you wanted, or maybe it creates some collateral damage against some other targets.

Right? And that also means that on the one hand, because of the way that all these constraints interact, you can only really have two out of these three of, you know, speed, intensity of effects and, and control. Because if you wanna create a lot of damage and you wanna control it, then obviously you're gonna have to invest a lot of time.

But on the other hand, if you wanna really, if you don't have time and you still want to create a lot of damage, it's almost certain that it's going to either fail or, you know, kind of blow up in, in your face. So on the one hand, you have those interactions. That's why ultimately it's a trilemma, right?

Because you can only really get two out of these three. And the more you improve kind of on one, the, the more you tend to lose out on the others, the less time you spend, the less intensity and the less control you will tend to have in most contexts. But that also means the higher the, the stakes are, you know, the more you kind of want to achieve, the less attractive or the less reliable, at least, and therefore also mostly the less attractive or effective at least subversion becomes because it is really attractive to policy makers and to leaders because of this promise, right? You have a relatively cheap and easy and low risk way to hurt your adversary, but in practice, it often fails, and the more kind of you stake your strategic goals to that instrument, the, the more costly this failure becomes to you.

Of course, you know, if, if it doesn't really matter, if you know you, you, you might be able to hurt your adversary without much risks to yourself and without too much cost and over the long term. And if it doesn't work, it's okay because you use other tools at the same time. And subversion is kind of just one little cog kind of in the larger machine that you're using to, to hurt your adversary, then it's fine.

Right? But if it's about your survival or if it's about, you know, delivering some strategic strike and there we get again to the cyber Pearl Harbor analogy, right? It's really not a very effective instrument because of this high risk that it either doesn't work. And also because of then all the effort that's required to actually get to the level where you would even be able to deliver the strategic blow.

And that effort is probably, in most scenarios then far more than you would need if you just use conventional weapons. If it's about really, you know, inflicting significant damage. So that means the strategic calculation. I think that's one point I'm, I'm really trying to, to drive home in, in this book is that should be part of this, this whole debate around how cyber operations matter or you know, how hybrid warfare matters.

There is a lot of possible outcomes that, you know could happen. It's not impossible also that there is this cyber Pearl Harbor scenario. I mean, technically it's possible to cause a major outage of, of power, of the power grid, right? But it's also then in that scenario, it's important to think about what would be the, the kind of geopolitical context here, right?

We are really talking about probably a major war. And in that case, missile strikes, for example, are also a very effective way of creating this kind of outage, hurting the power grid. We see Russia doing this in, in Ukraine, right, contrary also to a lot of predictions that we would have these disruptive cyber attacks.

So it's more about, it's not about saying cyber attacks cannot or can do this thing, but it's more about, you know, for what kind of outcome is what instrument in this arsenal that states have, where warfare diplomacy also belong is what instrument the most effective and the most efficient one. And in that way, I think it's then, you know, you get a much narrower kind of strategic space where cyber operations can still be very useful.

Eugenia Lostri: I, I wanna talk a little bit more about the example that you, that you just gave, you actually use Russia's invasion of Ukraine as a case study in your book. Right? And as you said when we look at the start of the conflict, there were many predictions that, you know, the Russian cyber capabilities, which is going to tilt the balance immediately.

This was going to be super easy for Russia and, you know, that hasn't really been the case. So, so walk us through these predictions and your findings as you, as you studied the conflict, because I, I think we don't usually get too many opportunities to look at operations in, in, in conflict. And Russia's invasion of Ukraine has been unfortunately, a good case study.

Lennart Maschmeyer: Yeah, it's a, it's a really useful, it's been a really useful and interesting case study for this, this topic. For me, that's also why, why I chose it, because basically for the last 10 years, that's been the paradigmatic case for this expectation that we have a revolution in the nature of conflict.

First, it was this, or basically also what Russia did against Ukraine. This takeover of, of Crimea of the peninsula there with this covert kind of intervention that put Ukraine in the situation where, you know, suddenly they had lost control over a territory where, you know, there was the adversary military ultimately there, and a referendum that suggested at least that the majority of the population had voted to, to join Russia, put them in a situation where they couldn't do anything anymore.

Right. The, the fait accompli how it's called in, in French or also in the jargon in covert operations, and that I think that shocked a lot of people, observers in the western world. And the reaction was to say, well, this is something new, right? We haven't really seen this before. This kind of method of warfare, mixing, covert operations, covert warfare, covert use of troops, the infamous little green men that that Putin referred to that were ultimately Russian soldiers, but just in unmarked uniforms.

So this whole mixture that, that they're produced in this case at least. Also really tangible success taking over the, the territory and also the use of cyber operations. That Russia has used since 2014 against Ukraine and also extensively some of the most disruptive ones. The power grid disruption, for example.

Right. The scenario that's been the kind of one of the really founding ideas of the cyber Pearl Harbor scenarios. That's, that's happened in Ukraine. Russia did succeed to, to cut off the power there with the cyber operation. So having this over, over 10 years on the one end as a researcher is, is great because you have a lot of variety and also attempts to really get around this constraints in cyber operations and also geopolitically.

Then this, it makes this case important because if you expect there is this revolution in the nature of conflict, then Ukraine is the most likely place where you would see that in action because right, these kinds of operations are being used there. Russia is using, or has been at least until 2022, using all measures short of war to get Ukraine to change course. Russia's goal being to change Ukraine from pursuing or stop Ukraine from pursuing a pro-Western foreign policy and also using cyber operations really prominently. I mean, some have called Ukraine, Russia's test lab for, for cyber warfare.

So you have all these conditions in place and Russia being one of the foremost cyber powers in the world too. So one of the most capable actors. So with, with all these conditions, right? If states can now achieve things short of what they couldn't previously achieve, that's the conflict where you would most expect to see that in action.

And really strikingly what we've seen and you know, terribly now also confirmed with this invasion is the opposite, that Russia didn't achieve most of its goals. And the primary goal, as I said, being to stop Ukraine's pro-Western foreign policy. That very clearly didn't work. So you had all these operations, including cyber operations that individually sometimes worked, right?

As I said, they cut off the power, but even there, if you look at the bigger strategic context, it's hard to establish any kind of measurable contribution towards Russia's goals or even just weakening Ukraine at at a national level. Even then, you know, compounded all of this. So there's often this talk of cumulative effects, right?

That individual operations are maybe not decisive, but over a long period of time, they're still going to be sufficient to weaken your adversary. And we don't see that in Ukraine either. It's more that, you know, you see the, the resolve being strengthened in the population. And I was looking up some data for, for this project because, and we were talking earlier about this erosion campaigns, it's hard to, to pin down the effect. So one metric I, I found also data for was just trust in the government and in Ukraine. Over the period of time that Russia has been targeting Ukraine, not just with cyber operations, you know, with all kinds of covert operations, including really mass disinformation campaigns, having some television stations in place that, you know, constantly spouted, really Russian propaganda.

And despite all that trust in the government in Ukraine, has increased over that period of time rather than decreased. So, you know, we, we don't see any success in the kind of simple, big picture. Ukraine didn't change its course. That's why Russia invaded. All the measures short of war they failed.

And then the option for Russia was apparently to either kind of back back down, give up or further escalate and use force to achieve what they couldn't achieve short of force, which then illustrates, right, this, it just falls short as an alternative in the decisive way, but also in the less decisive kind of cumulative effects perspective. Also, there, it's hard to make a case that this was all successful.

Of course, maybe, you know, a trust in the government in Ukraine would've increased more over that time without all the disinformation campaigns, certainly possible, but it's definitely not the case that we really see evidence. And you know, as I said, I've spent years now researching this clear evidence of this revolution in the nature of conflict.

It's, it's really the opposite. 'cause I'm comparing it to historical case in the book, right? And you see that the traditional instruments used in that historical case, Czechoslovakia in the 1960s crushing the Prague Spring. In some ways they're more effective than, than the cyber operations. Also comparing it directly within the Ukrainian case too.

Eugenia Lostri: So if the technological change has sort of failed in delivering this promise, you know, do you think that current military doctrine around cyber operations is misguided? What would you recommend, you know, how would you recommend anyone think about the use of cyber and conflict?

Lennart Maschmeyer: Yeah, good question. I, I don't think I have the full solution. I, I would love to. Right.

Eugenia Lostri: I thought we were solving it.

Lennart Maschmeyer: No, but I, in one, one thing I was already saying earlier, what is I think missing for me in a lot of the debate is the strategic perspective and, and the context of, you know, that cyber operations has being one tool among many. And thinking about what are the kind of relative advantages and disadvantages compared to other tools.

And in that way, also evaluating the kind of extent of the threat in different kind of scenarios. Also, different kinds of cyber operations. There are many different kinds, right? So you have espionage, then you have the kind of low level interference or you know, disrupting businesses as well.

Sometimes this is being used strategically and the really kind of high level, dramatic, possibly catastrophic scenarios with critical infrastructure sabotage. They're very different kind of goals. They fit into very different kinds of strategies, and they also require extremely different kind of capabilities and also efforts, resources that are put in. And I think a problem with a lot of the the state of the debate on, on cyber conflict, cyber operations is that it's being treated as this kind of one monolithic thing because the focus is so much on the technology, right?

So cyber is about using information technology, exploiting it, you know, information technology is everywhere. So cyber is also everywhere. And then that means cyber is this big thing that we can't really stop, but that's not very useful, right? When you, you, you get into kind of intricacies of, of strategy and policy.

And I, I, I can see how it's useful in making the case that it's important. And I mean, I think that is in itself, it's an important task to highlight that, you know, this is not just about geeks and, and hackers kind of sitting in basements and stuff like that. And that, that's, I think where a lot of also the cyber cybersecurity community has been quite successful and in alerting policy makers to this threat.

So right, everything I'm saying is not that this doesn't matter and we should just, you know, neglect it and forget about it and be content, but it's more about making sure that, you know, the, the resources in defense and in policy are, are a really, you get the most bang for your buck to put it simply in, in, in defending us in against these threats.

And there, I think, and it's clear looking at the historical evidence too. That we can learn a lot from looking back at the kinds of subversive operations, the kind of, you know, sabotage, operations, disinformation that especially the Soviet Union has run and look at what has been successful, what hasn't been that successful, and in that way, what should be prioritized in, in the response.

Eugenia Lostri: I, I wanna echo the review of your book that we run on Lawfare by Ciaran Martin. You know, he says, and I would agree that this book is really a contribution to dismantling the, the hype around cyber capabilities during conflict. And, and he does mention that there's some stakeholders that, you know, might not be that pleased with the dismantling of the hype around it.

And it does go a little bit against the grain, this traditional understanding of, of cyber. And, and this is not really what you set out to do, right? Because when you started, you're like, let's show how cyber capabilities, how this technological change actually affects it. You know, what it, what is this great technological change? So how do you feel about this, this maybe shift and also the response to, to your book in your, in your work.

Lennart Maschmeyer: Yeah. That's a, it's a tricky one, huh? Because you get, people like to put people in boxes and also when the war broke out, we, we didn't really talk that much about the, the whole kind of hype around the cyber war warnings in Ukraine, right?

I got a, a bunch of requests for media interviews and I realized they were just, you know, putting people into these camps that on the one end, the other people were saying this is gonna be the end of the world, the cyber conflict that threatens the global system. And then the skeptics, and I was being put in the kind of skeptics camp that, you know, cyber wars doesn't exist and doesn't really matter.

But I think that's really, it's an unhelpful way of, of seeing things because the disagreements are also relatively minor. So the, the persistent engagement theory, right, that, that assumes that we have this revolutionary change and that these erosion campaigns can ultimately work. I mean, that's, that's the argument, right?

It's about cumulative effects. It's absolutely plausible to me. It is just that I haven't really seen the evidence of it. And in Ukraine you don't see it. But that's something that Michael Fischerkeller, I've had long discussions with him about this too. He's one of the authors of the book, right. That basically founds, provides a foundation for that, that strategy, persistent engagement that he agrees with too.

I mean, it's quite obvious. It doesn't mean that that's false, right? Because there are other examples and they provide some case studies in the book, even though they're relatively short, but still they provide plausible examples of, you know, how this could work in practice. So for me as a, as a researcher, I mean, I'm an academic because I'm ultimately, I, I like the freedom of just, you know, having a problem, spending years on it and figuring out the answer, and then it surprises you, which is great. It is, I found the opposite to what I expected, but for some people, for various reasons, right, they're wedded to either because, you know, their job ties them to this, you know, maybe their funding streams attached to this.

They, they kind of depend, I think, sometimes on this idea, or it's just become part of people's identity too. Then, you know, cyber warfare is a terrible thing. It matters in this and that way, and revolutionizes everything. And we, you know, we can't explain and interpret, understand any of this activity with the kind of old tools and we have to really throw it all out of the window.

And then if someone comes, hey, but you know, maybe that's not true. Some people get quite upset and I think I can understand that, but it's just not the, the point that I, I think it's important to make that we should be making, I think it's just not the debate we should be having. It's not, you know, that this changes everything or it doesn't change anything.

It's about, you know, how does this stuff matter? Right? What are the threats that we face as western societies? How can we learn from not only, you know, the new technology, but also from historical cases of how states have used all the different tools they have at their disposal to to hurt their adversaries.

And what have been the effects on society, right? And throughout the Cold War you have these examples of just resources also sometimes being completely wasted on this kind of almost witch hunts against, you know, subversive threats. The McCarthy hearings are, you know, an infamous example. There are other examples across Europe too for, you know, similar kind of overreactions that just illustrate the fear of the kind of unknown, because it's a topic that's not researched systematically enough.

I think that's what we, we should be doing and where whatever side of the debate you're on, the more data we have, the more, you know, kind of tangible also evidence of what kinds of operations can produce, what kind of impact, the better we are going to be as societies in, in fending off these threats, very idealistic, but-.

Eugenia Lostri: I, I like that we need to maintain some, some idealism. I, I think this is a, a, a great feeling to leave us with. Thank you so much for joining us.

Lennart Maschmeyer: Thanks.

Eugenia Lostri: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare Material Supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcast. Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja. And your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from ALIBI music. As always, thank you for listening.


Eugenia Lostri is a Senior Editor at Lawfare. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Lennart Maschmeyer is a Senior Researcher at the Center for Security Studies at ETH Zurich. He holds a PhD in Political Science from the University of Toronto and an M.Phil in International Relations from the University of Oxford. His current research focuses on the nature of cyber power and the relationship between operational constraints and strategic dynamics in cyber conflict. Lennart is also working on a second project compiling a dataset of threat intelligence reporting to identify potential sources of bias in the data and how these impact prevailing threat perceptions. He is a Fellow at The Citizen Lab.
Jen Patja is the editor of the Lawfare Podcast and Rational Security, and serves as Lawfare’s Director of Audience Engagement. Previously, she was Co-Executive Director of Virginia Civics and Deputy Director of the Center for the Constitution at James Madison's Montpelier, where she worked to deepen public understanding of constitutional democracy and inspire meaningful civic participation.