Russia and Ukraine, a path to conflict.

By Philip Ingram MBE

You don’t deploy over 100,000 troops for months in winter on the borders of another country, part of which you already annexed in 2014, unless you intend to use them. Troops deployed into areas in preparation for potential combat operations can sustain themselves for a certain amount of time, and then boredom and the lack of access to fixed facilities become an issue. The worst type of deployment is an open-ended one, the very type all the Russian service personnel are experiencing as they sit within striking distance of the Ukrainian border.

So, what is likely to happen? That is anyone’s guess at this point, but certain factors come to bear. Putin won’t want the full might of the international community bringing pressure on his fragile economy, but he must be seen to do something for his domestic audience, and the massive deployment must seem ‘legitimate.’

He has sold the threat of NATO expansion into Ukraine and Georgia to his domestic audience and whipped up a perception of threat that NATO is not capable of posing, even if it were politically coherent.

The last few NATO deployments, to the Balkans and Afghanistan, have shown the very real difficulties NATO has in generating a sustainable, coherent military approach to operations, with real differences between EU members, the US and the UK: the UK aligns itself more often with the US, and France participates where it can see potential economic advantage.

However, Russia, and Putin in particular, holds a deep-seated belief that NATO expansion has the sole purpose of threatening Russia. Putin also hankers after the ‘good old days’ of the USSR and would love its rebirth (under his control, of course).

Putin loves to grandstand; he loves the feeling of power on the international stage, so he will happily participate in any and all international ‘de-escalation’ conferences and meetings. He has one advantage: he owns the information space like no other leader. He is a master of manipulation, disinformation and obfuscation, so our participation will serve not only to embolden him but to give him a stage on which to set the conditions to ‘prove’ to the Russian people and to others that he has tried everything, that it is the West that is being intransigent and refusing to budge, and that it is others who are forcing Russia’s hand into having to protect itself.

This is the start, the foundation for action, the first indicator and warning ticked. We must now watch for the language to become more accusatory and aggressive; that will be the second indicator and warning of impending action. However, Putin knows that winning the war of words won’t be enough for the West to accept him marching into Ukraine, or even part of Ukraine, so more has to happen.

He seems to like the NATO Kosovo scenario of going in to protect an element of the local population, but to do that he needs to escalate the crisis in the eyes of the international community before he can think of going in; otherwise he needs to de-escalate his preparations in the eyes of the Russian public. In his eyes it is justifiable to the international community because it is just what NATO did in Kosovo, so to achieve this certain things need to happen.

Alongside increasing domestic and international rhetoric alleging Western interference and expansionist aims, we will begin to see increasing rhetoric about ethnic Russians being targeted inside Ukraine. He will allege an increase in Ukrainian state-sponsored and foreign-sponsored actions suppressing the Russian-speaking population. This could involve terror-type attacks, or a public atrocity such as a school bus or an aircraft being hit in the Donbas region, and it will likely involve a massive increase in anti-Russian rhetoric on social media; the only difference being that Russia will be behind it.

At the same time, Russia will likely widen its threats: more support for Assad in Syria, courting of other countries sympathetic to Russia, and increased refugee activity on the EU’s borders via Belarus and elsewhere. Russian conventional military activity probing NATO airspace, threats to undersea cables, backing for Iranian aggression in the Gulf and encouragement of North Korea to ‘test’ more missiles, with a sprinkling of cyber-attacks, would all be used to distract Western defence and split its focus.

The step closest to Putin deciding to attack Ukraine may be terror-type attacks carried out by elements of the Russian state but blamed on Ukrainian separatists or sympathisers. This would be the trigger for action in Ukraine, and in the run-up to it we would likely see an increase in targeted messaging against Ukraine, more reports of ‘little green men’ popping up (the unmarked, deniable Russian troops who played a leading part in the annexation of Crimea) and, of course, blunt messaging accusing the West of interference and aggression. At the same time, we could see the following:

  • Cyber-attack(s) on Ukraine
  • Global cyber-attack(s)
  • Russian Black Sea Fleet deployed
  • Elements of the Russian Mediterranean squadron deployed
  • Elements of the Russian Northern and Baltic Fleets deployed

However, Putin is not daft. He will calculate that if he whips his messaging frenzy up to the point where the world thinks the whole of Ukraine will be invaded, but then only carries out a limited land grab, there will be an international sigh of relief and he will be able to weather any additional sanctions or measures. His dealings with NATO, the EU and the wider international community will be designed to gauge whether he can get away with this.

If he does, his limited objective could be annexing a large part of eastern Ukraine, where the majority of Russian speakers live. He is likely to calculate this as falling just under the threshold for a very robust Western intervention, since the last thing Putin could afford is a conflict with the West, and he knows it; but emotionally he wants all of Ukraine.

Equally, he could easily de-escalate, but the indicators of that will be domestically focused rhetoric about Russia’s objectives having been met and the West having capitulated in some way. We live in interesting times, and the robustness of our political leaders will likely be tested to the fullest in the coming weeks.

Philip Ingram MBE is a former Colonel in British Military Intelligence who studied Russian tactics, from the geopolitical to the tactical level, as part of his career. He remains available for comment.


Cyberwar – The FireEye and SolarWinds attack

Should Digital Authoritarianism cause the threshold for war to be redefined?

By Philip Ingram MBE

In early December the US-based cyber security giant FireEye detected a breach by what Kevin Mandia, its CEO, described as “a nation with top-tier offensive capabilities.” He went on to say, “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

The attackers stole what he described as “certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behaviour of many cyber threat actors.” In essence, they stole FireEye’s own hacking toolkit, and given FireEye’s customer base of high-level corporates and government agencies, those tools would have been built to test exactly those kinds of networks and systems.

Whilst investigating the attack, his team identified that “the attacker primarily sought information related to certain government customers.” More worryingly, they identified “a supply chain attack trojanising SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.”

Some reporting has attributed the attack to a Russian state-sponsored group known as APT29, or Cozy Bear. Attribution is rarely clear-cut, however: the theft of FireEye’s tools recalls 2017, when a group known as the Shadow Brokers published a collection of hacking tools stolen from the NSA, and stolen tooling can end up being used by actors other than those who took it. FireEye have not yet named the actor, but speculation that it was Russian is rife. A Kremlin official denied that Russia had any involvement.

SolarWinds is a company that provides IT infrastructure monitoring and management software; its Orion platform sits inside customer networks with broad visibility of, and often privileged access to, the systems it monitors, and like most such products it receives its own updates from the vendor. Many of its customers are large enterprises or government agencies responsible for things like critical national infrastructure, power and water grids, nuclear facilities, military facilities and more.

SolarWinds estimated that some 18,000 customers had downloaded the trojanised updates, which could enable the attacker to monitor network activity, steal data and credentials from infected systems, and potentially take control of networks. The full extent of the exploitation hasn’t been made public yet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert detailing what it knows about the breach. “Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST,” it said, adding, “Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.”

CISA concluded, “taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.”
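The pattern CISA describes, a backdoor querying one domain with encoded-looking subdomains and being handed a changing set of IP addresses in return, is something a defender can look for in their own DNS logs. The following is an added example written for this article, not code from FireEye, CISA or SolarWinds. The log format, the .example domains, the documentation-range IP addresses and the thresholds are all constructed assumptions; the thresholds in particular would need tuning against real traffic.

```python
"""Heuristic detection of the command-and-control dispatch pattern described in
the CISA alert: one client repeatedly querying a single parent domain with many
high-entropy (encoded) subdomains, the answers handing it off via CNAME to a
changing set of IP addresses, at regular intervals. Added example for this
article; the log format and every host, domain and IP below are constructed."""
import math
import statistics
from collections import defaultdict

# Constructed sample log, one record per line: "<epoch> <client> <qname> <rtype> <answer>".
# Not real traffic: .example domains and documentation-range IPs are placeholders.
SAMPLE_LOG = """\
1607900000 10.1.2.3 k5hd9a3mv0t2w8pq.telemetry.vendor-update.example CNAME edge-1.vendor-cdn.example
1607900001 10.1.2.3 edge-1.vendor-cdn.example A 203.0.113.10
1607903600 10.1.2.3 x9q1lw7e3zr0b6cn.telemetry.vendor-update.example CNAME edge-2.vendor-cdn.example
1607903601 10.1.2.3 edge-2.vendor-cdn.example A 203.0.113.44
1607907200 10.1.2.3 p2u8rb4c6ym1f5jt.telemetry.vendor-update.example CNAME edge-3.vendor-cdn.example
1607907201 10.1.2.3 edge-3.vendor-cdn.example A 198.51.100.7
1607900005 10.1.2.9 www.intranet.example A 10.0.0.5
1607903605 10.1.2.9 mail.intranet.example A 10.0.0.6
1607907205 10.1.2.9 www.intranet.example A 10.0.0.5
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random or encoded labels score high."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Parse the constructed log format into (ts, client, qname, rtype, answer) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, rtype, answer = parts
        rows.append((int(ts), client, qname.lower().rstrip("."),
                     rtype.upper(), answer.lower().rstrip(".")))
    return rows


def analyse(text: str, min_labels: int = 3, min_entropy: float = 3.0):
    """Return one finding per (client, parent domain) that shows the dispatch pattern."""
    rows = parse_log(text)

    # A-record answers seen anywhere in the log, so CNAME targets can be followed to IPs.
    a_records = defaultdict(set)
    for _, _, qname, rtype, answer in rows:
        if rtype == "A":
            a_records[qname].add(answer)

    # Group by (client, everything to the right of the leftmost label).
    labels, cname_targets, times = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, client, qname, rtype, answer in rows:
        if "." not in qname:
            continue
        first, parent = qname.split(".", 1)
        key = (client, parent)
        labels[key].add(first)
        times[key].append(ts)
        if rtype == "CNAME":
            cname_targets[key].add(answer)

    findings = []
    for key, seen in labels.items():
        if len(seen) < min_labels:
            continue  # a handful of hostnames under one domain is normal
        mean_entropy = sum(shannon_entropy(lab) for lab in seen) / len(seen)
        if mean_entropy < min_entropy:
            continue  # www / mail / edge-1 style names are low entropy
        # Distinct IPs the CNAME answers steer this client to: the "new IP for C2" signal.
        dispatch_ips = set()
        for target in cname_targets.get(key, set()):
            dispatch_ips |= a_records.get(target, set())
        # Near-constant spacing between queries is a beaconing tell (CV = stdev / mean).
        ts_sorted = sorted(times[key])
        gaps = [b - a for a, b in zip(ts_sorted, ts_sorted[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0
        interval_cv = (round(statistics.pstdev(gaps) / mean_gap, 3)
                       if len(gaps) >= 2 and mean_gap > 0 else None)
        findings.append({
            "client": key[0],
            "domain": key[1],
            "distinct_labels": len(seen),
            "mean_entropy": round(mean_entropy, 2),
            "dispatch_ips": len(dispatch_ips),
            "interval_cv": interval_cv,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script flags only the client talking to telemetry.vendor-update.example and leaves the intranet lookups alone. The in-country VPS trick CISA mentions is aimed precisely at geolocation-based allow-lists, which is why the signals above do not depend on where the addresses are: many high-entropy labels under one parent domain, CNAME answers steering a single client to several different addresses over time, and regular spacing between queries. None of these alone proves compromise; together they give an analyst a short list worth pulling the host for.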

In the UK, SolarWinds clients include the NHS, the Ministry of Defence, the Cabinet Office, the Ministry of Justice, GCHQ, the Civil Aviation Authority and various police forces. It’s not clear whether any of these bodies installed the affected Orion updates or whether they have been affected. The UK National Cyber Security Centre (NCSC) said, “The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any U.K. impact.”

Microsoft has also been affected and has identified 40 customers that had been exposed, including some in the UK. Paul Chichester, NCSC Director of Operations, said: “This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact. That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact.”

In a speech at Policy Exchange earlier this year, the Chief of the Defence Staff, General Sir Nick Carter, talking about attacks from authoritarian rivals and extremist ideologies, said, “Their strategy of ‘political warfare’ is designed to undermine cohesion, to erode economic, political and social resilience, and to compete for strategic advantage in key regions of the world. Their goal is to win without going to war: to achieve their objectives by breaking our willpower, using attacks below the threshold that would prompt a war-fighting response.”

He was describing what he went on to call ‘Digital Authoritarianism’ and said “None of our rivals can afford to go to war as we define it. They want to win below that threshold. However, the stakes are high.”

However, what has never really been defined from a defence perspective is where that ‘threshold’ lies. Had the attack been physical in nature, against critical national infrastructure, whether by a team physically taking control or by explosives destroying its operability, then it would likely have crossed that line.

How do you respond to ‘Digital Authoritarianism’ when it has led to data, possibly classified, designs, processes and code being stolen? How do you respond when it has given a foreign state control of nationally critical capabilities to the same extent as if it had people in the control room? How do you respond when physical infrastructure has been destroyed because of manipulated code?

Given that Britain has not formally declared war since the Second World War, yet British and allied troops have been in an almost perpetual state of conflict since its end, does that mean that the very definitions of warfare General Carter alluded to need to be redefined before we can properly examine our defence and security needs?

What is clear is that this latest attack is yet another wake-up call about national cyber vulnerabilities. How many more are needed before we see a greater response? If nation states can’t protect their infrastructure from attacks by other nation states, surely that is a fundamental failure of government?

Cyber, I am sure, will feature heavily in the upcoming Integrated Defence and Security Review, and rightly so.






Russian Cyber actors use plausibly deniable outlets to disguise hacks.

By Philip Ingram MBE

The UK’s National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) have said that the Turla group, a suspected Russia-based hacking group, has been disguising its activities by adopting tools and infrastructure used by suspected Iran-based hacking groups, effectively masking who was really responsible for the hacks. Why would a Russia-based group do this?

On 27 April 2007 a massive, deliberate denial-of-service campaign was launched against Estonia, causing government web services, banks and much more to fail. The attacks lasted three weeks. Whilst suspicion was laid at the feet of the Russians, they denied involvement, as they have done with attacks in Georgia and Ukraine. The sophistication of many of these attacks suggests the only plausible perpetrator is a major actor with resources that many believe are only available to states.

Cyberspace is not regulated in the same way as land, sea, air or space when it comes to international rules on war: there is no equivalent of the Geneva Conventions and their Protocols or of the Outer Space Treaty, so cyberwar and state-sponsored cyber-attacks are unregulated in international law. To avoid political embarrassment and the possibility of political repercussions, the use of a plausibly deniable outlet is key, because without substantive proof there can never be substantive repercussions.

Sun Tzu, the famous Chinese general and philosopher of the 6th century BC, said in The Art of War, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” The Russians have a doctrine called маскировка (maskirovka), which is all about ‘masking’ or deception and is central to everything they do; it follows the philosophy laid down by Sun Tzu and allows them to interfere overseas while being able to deny it. We saw this with the attack on Sergei Skripal in Salisbury last year.

We keep hearing of cyber-attacks from Iran, a closed country with little access to Western academia and training, yet it can mount some of the most sophisticated cyber incidents. We hear the same of North Korea, which should have almost no access to technology or academia, and whose access to the internet is extremely controlled. One has to ask, however, why in 2017 TransTelekom, a major Russian telecommunications company that owns one of the world’s largest fibre-optic networks and is a wholly owned subsidiary of the state-owned national railway operator, Russian Railways, put a new internet connection into North Korea.

Around the same time, North Korea went from having a small nuclear capability and short-range missiles that failed more often than not to claiming a hydrogen bomb and ICBMs that worked more often than not. No one has explained how that technological advance happened so quickly in a country under strict international sanctions. We have to remember that North Korea was blamed for the Sony hack and for the WannaCry attack of 2017; could it have been a proxy, a plausibly deniable outlet for someone else? The why, for Russia, is simple: because they can, and because they want to maintain the ability to influence global events without repercussions. Why do I suggest this? They have history and a doctrine, tried and tested over many years, and they have a paranoia about anti-Russian global sentiment that reinforces an inherent need to ‘do something’. Cyberspace provides the perfect environment. A smudge of what could be a Russian fingerprint sits over many incidents: not enough for real proof, but something that always seems to be there.

This technique of pretending to be someone else, of using a plausibly deniable proxy identity, is not new; what is changing is that we are becoming more aware of it and have better analytical tools, so the intelligence agencies can be bolder in calling it out. What is of concern is that a plausibly deniable proxy identity could also be used to instigate state-sponsored terrorism, especially when online recruiting and radicalisation are so prevalent.

Today’s joint statement from the UK’s GCHQ and the US NSA is a clear message to all potential threat actors across the globe: “we are watching you.”





2019 a year of Security Uncertainty

By Philip Ingram MBE

If the security challenges of 2018 weren’t challenging enough, what will 2019 bring? Last year saw the first publicly confirmed use of the deadly Novichok nerve agent anywhere in the world, making a household name of a substance very few had heard of before. Then there is the growth of terrorism, which Andrew Parker, the head of MI5, described as running at unprecedented levels, with counter-terrorism police highlighting that the number of active investigations running at once had grown from 500 to over 700. We also saw the security challenges caused by Gatwick Airport being shut for 36 hours over a peak holiday getaway period because of a drone or drones in its airspace.

So, what does 2019 hold for the Security community in the UK? More of the same or are we likely to see anything new?

The biggest challenge occupying many people’s minds is BREXIT and the implications it will have for the wider security architecture. Peter Franciscus Van-Osselaer, Head of Operations at EUROPOL’s European Counter Terrorism Centre, told Philip Ingram MBE that, “even in the event of a ‘no deal BREXIT,’ the UK had in place bilateral and other agreements to ensure security working arrangements would remain as close as possible to what they are today with the UK in the EU. No one, on either the UK side or the EU side, wanted to lose the working relationship that is in place today.”

Putting BREXIT to one side, the cyber threat pervades society, continually morphing and finding new ways to threaten networks, businesses and personally identifiable data. The biggest development we are likely to see in 2019 is in artificial intelligence (AI), and it will be three-fold: first, the threat to AI-enabled business practices; second, the criminal use of AI to break into networks; and third, the use of AI to protect networks.

Tied into this growing risk area is the growth of the ‘attack surface’ through the proliferation of Internet of Things (IoT) devices and the always-connected, everything-connected society we seem to be growing into; this will worsen with the roll-out of 5G networks, which promise speeds an order of magnitude or more above today’s 4G networks.

Traditional ransomware and data theft attacks will continue, but we will see a rise in manipulation attacks: altering data to create undue influence and, potentially, reputational damage.

Threats will range from the home-based ‘geek’ through to state-sponsored actors, as we saw with WannaCry and NotPetya, and we are seeing increasing wariness among governments about allowing tech giants with potential Chinese government influence, such as Huawei and ZTE, to increase their access to faster networks such as 5G. The clear message from those attacks is the threat that state actors pose not just to enterprise businesses but also to SMEs. However, it is important to balance this ‘wariness’: nothing has been proved against the Chinese firms despite intensive testing, whereas in 2018 seven so-called ‘backdoors’ (mostly hard-coded credentials) were disclosed in Cisco equipment, some of which commentators blamed on the NSA. Security vulnerabilities are as much an economic tool as they are a spying tool.

Alleged illicit state activity in the use of manipulated and targeted data in various elections around the globe is being investigated, and 2019 will likely be the year in which the consequences of those investigations become public. What this is likely to do is emphasise the potential for information to be used as a weapon designed to cause an effect, and in industry that effect could be reputational. Public relations will probably move a little closer to the centre of risk mitigation activities.

The closure of Gatwick Airport, outside London, for 36 hours before Christmas brought the drone threat firmly back onto the agenda. The UK Civil Aviation Authority’s drone risk assessment of January 2018 makes no mention of drones being used to deliberately disrupt a working airfield, and the lack of equipment to deal with the threat shocked a large number of people. One airline operating out of Gatwick says the incident cost it £15 million, but the full cost of the incident hasn’t been calculated yet.

A scare at London Heathrow Airport in January was dealt with in less than an hour, with only one runway closed, but it highlighted the very real threat drones pose to the safe operation of airports. After several incidents in the Middle East, the Emirates Authority for Standardisation and Metrology (ESMA) estimated the cost of an airport closure at $100,000 per minute, meaning drone detection technologies would very quickly fall into the cost-effective bracket.

Thank goodness our news headlines are not filled with stories of successful terror attacks as they were in 2017. However, the threat hasn’t gone away and, in the words of Andrew Parker, the head of the UK Security Service MI5, it has reached “unprecedented levels.” This is reflected in the growth in active investigations from 500 to 700 during 2018 and into 2019, with 3,000 active subjects of interest and another 20,000 on a wider watch list.

With the ground held by so-called ISIS in Syria and Iraq squeezed to near elimination, it would be easy to assume the terror threat was waning. Not so, says Vasco Amador of the cyber intelligence company Global Intelligence Insight, which tracks extremists online. “In recent months we have seen a relaunch of the so-called ISIS cyber capability that used to be called the ‘United Cyber Caliphate’ and has been rebranded as the ‘Caliphate Cyber Shield’, with new leadership and new energy. The groups they operate online have thousands of active followers across the globe,” he said.

The final security threat to watch out for in 2019 falls into the ‘unknown’ bracket. Who would have thought that a deadly military-grade nerve agent would be used on the streets of England by another state? We don’t know what the next novel threat will be. However, putting all security threats to one side, we can confidently predict that more people will be killed and injured by man-made and natural disasters than will suffer similar consequences from any security incident. 2019 will certainly be an interesting year.


More insights and content are available in the International Security Expo’s HQ Magazine.