Russian intelligence operations: where to draw the line?


Jamie Shea

Senior Fellow for Peace, Security and Defence at Friends of Europe, and former Deputy Assistant Secretary General for Emerging Security Challenges at the North Atlantic Treaty Organization (NATO)

Over the past few weeks Russia has been top of the news every day due to the build-up of Russian military forces along the border with Ukraine, and in Crimea and the Black Sea. The West has been waiting anxiously to see if Putin is seeking only to intimidate Ukraine or is about to seize another chunk of its territory. As Russia has deployed around 120,000 troops and heavy equipment, vehicles and modern fighter aircraft facing Ukraine, this is undoubtedly the largest military crisis that Europe has witnessed since Moscow annexed Crimea in March 2014. At the same time, and at the other end of the crisis spectrum, the rapidly declining health of Russian opposition leader, Alexei Navalny, and the unwillingness of the Russian government to give him access to proper medical treatment, have also elicited warnings of further sanctions against Moscow from both the EU and the United States if Navalny is allowed to die in prison.

These two developments, together with Moscow’s involvement in Syria, Libya, Georgia and Belarus, are already giving the West enough Russia headaches for its hard-pressed diplomats. Yet now another has been added to the list: the aggressive actions of the Russian intelligence agencies in Europe and North America.


This week the Czech Republic expelled 18 Russian diplomats after a seven-year investigation into an explosion at an ammunition depot near Vrbetice concluded that it was the handiwork of the Russian GRU military intelligence agency, and in particular of its special Unit 29155. Interestingly, the two Russian operatives unmasked as being behind this act of sabotage used the same aliases as the two agents implicated in the use of the Novichok chemical weapon against a former Russian spy, Sergei Skripal, in Salisbury in 2018. Two Czech citizens died in the explosion. Once the Czechs had gathered sufficient evidence to attribute the attack to the GRU, they clearly decided that it went well beyond the bounds of normal intelligence gathering and, to use the words of the Speaker of the Czech Parliament, constituted an act of “state terrorism”. The government also responded by removing the Russian nuclear energy supplier, Rosatom, from the list of bidders for a contract to build a new nuclear plant in the country.

As Moscow inevitably acts as the innocent, aggrieved party when its hybrid operations in foreign countries are unmasked, it reacts aggressively and often disproportionately; in this case by expelling 20 Czech diplomats, enough to paralyse the work of the small Czech embassy in the Russian capital. At the time of writing, the Czech government is debating whether to expel more Russian diplomats in order to bring the Russian embassy in Prague down to the same skeletal manning level as the Czech embassy in Moscow. The Czech Foreign Minister appealed last Monday to his EU counterparts for solidarity and took a similar message to NATO’s North Atlantic Council on Thursday. He was no doubt inspired by the Salisbury precedent of 2018 when the EU and NATO allies responded collectively by expelling over 200 Russian diplomats from posts across Europe and North America.

The incident in the Czech Republic is the latest in a long line of Russian intelligence operations targeting allied countries, either conducted by the GRU or its foreign intelligence counterpart, the SVR. These have involved assassins using chemical agents, like the use of polonium to poison former Russian spy Alexander Litvinenko in London in 2010. Polonium is highly toxic and easily spread. British police discovered traces of it in multiple locations across London, including hotels, public transport and Heathrow Airport. The Novichok nerve agent in Salisbury killed a British woman and injured a British police officer, as well as Skripal and his daughter. The clean-up and decontamination operation in Salisbury lasted weeks, closed several businesses and residential areas and ran into the millions of pounds in costs. Given the high toxicity of Novichok, it was extremely fortunate that more people were not killed or injured. Russian intelligence has also been behind multiple assassinations of oligarchs, who have broken with Putin and fled abroad to the UK and elsewhere, as well as of a Chechen opposition leader in a park in Berlin.

The GRU and SVR have been behind destructive cyber-attacks against the German Bundestag and last year intruded into over 80 US companies and 13 US federal agencies by hacking into the Solar Winds software management system. The Russians have also been caught red-handed attempting to hack into the Organisation for the Prohibition of Chemical Weapons and the World Anti-Doping Agency.


The GRU and SVR have also been accused of interfering in elections in the US, North Macedonia and Moldova. Five years ago, Montenegro accused them of colluding with Serb intelligence to carry out a coup attempt during the election campaign in that country on the brink of its NATO membership. More recently, Bulgaria and Poland have expelled Russian diplomats after unmasking aggressive intelligence operations aiming to target their critical infrastructure and destabilise their societies through disinformation and political influence campaigns. The scope and brazenness of these Russian intelligence activities have led French President Macron to declare that it is time for EU countries to draw a clear red line against the misuse of diplomatic missions and normal intelligence gathering as a cover for nefarious and destructive types of political interference and coercion.

In the past, the transatlantic allies and the EU have tended to reserve major sanctions and diplomatic responses for more classical acts of aggression involving military forces. Hence, after Russia annexed Crimea in 2014, a set of economic sanctions were imposed on Russia inhibiting technology transfers, particularly in the energy and deep sea drilling areas, as well as in certain investments in state enterprises, such as food processing. Russian exports were also limited, as well as its banking and financial transactions. These Crimea sanctions have been renewed by the EU every six months for the past seven years and annually by the US, Canada and the UK as well.

Yet when it comes to Russian intelligence operations inside NATO and EU member states, or Russian crackdowns at home on the political opposition, the response has been much softer. Magnitsky laws, named after Russian whistleblower Sergei Magnitsky, who died in prison after exposing massive fraud by the Russian tax authorities and their arbitrary shakedowns of foreign companies doing business in Russia, have been introduced to enable countries to impose sanctions on Russian state officials and entities implicated in human rights abuses. In both North America and Europe, the list of Russian officials subject to visa bans and asset freezes grows ever longer.

Yet these officials frequently do not have bank accounts in New York, nor plans to spend their next vacation on the Cote d’Azur, so the punitive or deterrent value of individual sanctions is not clear.


With the help of investigative NGOs, such as Bellingcat, that use social media data mining to discover the real identities of Russian intelligence agents and to tie them to the timing and location of specific attacks, countries have been able to name and shame those directly implicated. Yet once safely back in Russia they cannot be extradited and Putin even made Alexander Luganov, the presumed assassin of Litvinenko, into an MP to grant him immunity from prosecution.

This background makes it all the more remarkable that the Biden administration has now decided to respond to Russian intelligence operations against the US – notably the Solar Winds cyber-attack, interference in the US 2020 election, manipulation of US political party polling data and an alleged bounty on US troops in Afghanistan – by adopting a much tougher package of sanctions. In addition to the traditional expulsion of ten Russian diplomats from the missions in New York and Washington, these include sanctions against eight Russian companies and limiting the access of US banks to Russia’s sovereign debt market in both rouble and non-rouble denominated currencies. This will make it harder for Moscow to float bonds or raise finance overseas. The US has also announced a readiness to carry out retaliatory cyber-attacks against Russia at a time of its choosing.

In his Executive Order, President Biden also gave himself headroom to adopt further economic sanctions if he sees no let-up in Russia’s intelligence driven activities. The scale and sophistication of the Solar Winds cyber intrusion, in terms of the wide range of US entities attacked, the year-long duration of the attack and the enormous amount of sensitive data exfiltrated by Moscow, seems to have been the final straw in inducing Washington to not just punish Russia, but to demonstrate that it can disrupt it as well.

At the same time, Biden’s offer of a summit to Putin was a sensible move to signal to Russia that the US will have a pragmatic relationship with Moscow, not being angry all the time but not believing in a reset either. Putin is likely to be in power for some time and will not change his behaviour fundamentally. Consequently, diplomacy cannot be a reward for good behaviour; otherwise there would not be much work for diplomats. So, Biden’s approach signals to Moscow that the US will push back hard on Russian intelligence operations while being open to cooperate with Moscow in other areas and ready to back down if the Kremlin demonstrates restraint. This strikes me as a realistic policy.


The question now is: will the EU and the European allies follow the more rigorous US approach? Particularly when it comes to tightening existing sanctions and preparing future packages so as to have immediate response options ready and to deter future aggression.

So far, the answer seems to be ‘no’. EU foreign ministers and NATO ambassadors listened politely to the Czech Foreign Minister when he asked for solidarity and then issued statements condemning Russia and pledging their support. Yet they did not adopt further sanctions at this stage. This is probably because they believe that there are already sufficient sanctions imposed on Moscow and that the threat of future measures against the Putin regime is a viable deterrent substitute for more actions now. Undoubtedly, given the extensive Russian military build-up on the border with Ukraine, the EU and NATO were careful not to provoke Putin and to give him a pretext or casus belli to encroach further on Ukrainian territory. De-escalation and coming up with a united but measured response were seen – rightly in my view – as the key to successful crisis management; a policy vindicated in the Kremlin’s decision to now pull its troops back from the border.

This said, the EU and NATO should now use this pause in the crisis to come up with a coordinated strategy to deter and respond to aggressive Russian intelligence operations within their member states. This strategy needs to contain five key elements.

First, a joint intelligence-sharing and investigative unit to rapidly determine who is behind these attacks and gather the evidence for public attribution. This could be based at Europol in The Hague, where the American FBI already has a liaison office. The UK has strong ties to Europol as well and used to lead the agency. NATO could establish a link between Europol and its intelligence fusion cells within its Joint Intelligence and Security Division. By systematically naming and shaming Russian operatives acting illegally on EU and NATO territory, indictments can be issued against them. These individuals may not face justice immediately, if at all, but it will certainly be difficult for them to travel to Europe or North America, or elsewhere in the world, thereafter. The tactics and covert operations of the Putin regime will also be exposed in the full glare of negative publicity.


Second is solidarity. It is important that countries attacked by aggressive intelligence operations not be left alone in facing the inevitable retaliation from Moscow. An attack on one has to be considered as an attack on all, especially where it involves loss of life and physical or economic damage. This makes a collective response and upping the diplomatic ante vital, even if it means issuing a joint statement or cancelling a trip to Moscow as an expression of displeasure.

The EU and NATO need to work further together on their respective toolboxes of response options in the diplomatic and economic areas and ensure that they have the necessary legal authority and administrative processes in place in advance to take these measures rapidly once agreed. One useful step would be to expand the range of targets beyond Russian officials to the broader community of oligarchs and Russian banks, companies and research institutes. These are the people who rely on their connections with the West, and if they begin to feel the pain of sanctions, there is some hope that Putin will come under domestic pressure at home to rein in his intelligence agencies.

Third, the EU and NATO need to look at ways of assisting their member states to recover from hybrid attacks. Based on recent experience, this assistance can comprise decontamination and clean-up equipment and specialist teams in the aftermath of chemical incidents, as well as rapid response teams to help states hit by cyber-attacks to get their IT infrastructure back up and running and to gather important forensics information for future attribution. NATO already has two cyber rapid response teams and the EU, under its PESCO defence cooperation programme, has a project led by Lithuania to pool and share national cyber defence expertise and capabilities more broadly within the EU, whether for early warning and detection, attack mitigation or post-attack recovery and investigation.

Where diplomats are expelled from Russia, the EU’s External Action Service can see how it could staff a member state embassy or provide a normal diplomatic service until the diplomats of the country concerned are able to return. The EU Lisbon Treaty of 2010 contains two articles (42.7 and 222) which provide for solidarity and mutual assistance among EU states in responding to attacks. Article 42.7 has been invoked only once by France in 2015 in the wake of the terrorist attacks in Paris. Yet even then, very little happened and the use of Article 42.7 was mainly symbolic. So the EU should conduct a reflection on how it can put real substance into these mutual solidarity clauses in responding to attacks that fall short of a conventional military aggression, as this is handled by NATO under its Article 5 collective defence clause.


Fourth, the West needs to build in some headroom for itself in preparing now for further measures that will cover the full spectrum of escalation if required. We know that Russia is vulnerable on the economic front. Putin admitted the decline in living standards and the worsening economic outlook in his State of the Nation address to the Duma this week. So new steps such as expelling Russia from the SWIFT international bank clearance system or sharply curtailing the flow of Russian natural gas through the Nord Stream 2 pipeline, if Germany cannot be persuaded to abandon the project altogether at this late stage, can hit the Kremlin where it hurts – in the pocketbook. These more stringent measures will obviously be more difficult for many EU and NATO countries than asset freezes on Russian prison guards. It is important to have this debate now and link the new measures in a scalable sequence to clearly defined trigger thresholds of Russian actions; for instance, the use of chemical weapons or explosives or cyber-attacks against critical infrastructure, government agencies or the financial system.

Fifth, and finally, is resilience. The Solar Winds cyber-attack against the US demonstrated that despite years of government attention to cyber security and billions of dollars invested by both companies and government, Russian intelligence was still able to find and exploit five basic vulnerabilities in the Solar Winds software, and was immediately able to penetrate dozens of leading US companies, as well as the US Treasury, through the umbrella IT management tool. The attacks in the UK showed how easily Russian agents could smuggle dangerous substances into the country and the attack on the Czech Republic revealed the vulnerabilities of ammunition depots. So, both the EU and NATO need to take a fresh look at the whole notion of resilience and set higher and measurable resilience targets for critical national physical and digital infrastructure and leading private sector suppliers and supply chains.

In sum, it is time to raise our game on aggressive Russian intelligence operations and turn what has been up to now the relatively low risk, high gains strategy of the Kremlin in undermining Western democracies and punishing its enemies abroad into its exact opposite: a strategy that is low gain and high risk, and therefore, increasingly counter-productive for the Kremlin.
