Guest post by Erica D. Lonergan and Maggie Smith
A few weeks ago, Montenegro—a NATO member—was hit with a cyber attack that targeted government servers. Montenegro’s outgoing Prime Minister, Dritan Abazovic, initially hedged about potential responsibility for the attack, stating on August 26: “We do not have clear information about the organizers… Security sector authorities couldn’t confirm that there is an individual, a group, a state behind [the attack].” Nevertheless, later that same day officials from Montenegro’s national intelligence agency attributed the attack to Russia. They also implied that the attack was related to Montenegro’s support for Ukraine and push for membership in the European Union. Yet, the extent of Russian involvement in the cyber attack remains ambiguous, which poses significant political and strategic challenges.
Several variables seemed to support the narrative that the Russian government was responsible for the cyber attack. For example, the initial attack on August 20 occurred during a severe political crisis, just after the Montenegrin parliament backed a vote of no confidence that collapsed Abazovic’s minority government. Abazovic—in an about face on his initial ambiguity—warned that the attack could lead to destabilization. Domestic tensions were further exacerbated when Montenegro joined Albania and North Macedonia in a public appearance with Ukrainian President Volodymyr Zelenskyy to support Ukraine’s bid for full EU membership and to call for the EU to admit the four nations.
Therefore, it was plausible that Montenegro would think Russia might be retaliating for its support of Ukraine. Moreover, the cyber attacks likely felt eerily familiar. Throughout 2016 and 2017, Montenegro was the target of a series of cyber attacks, many of which have been attributed to the Russian- sponsored group APT28. Those attacks also coincided with politically significant events, like the country’s 2016 elections and the subsequent Russian-instigated coup attempt intended to prevent Montenegro from becoming NATO’s 29th member state in 2017.
With fingers pointing at Russia, NATO allies swooped in to support Montenegro. France and the United States sent teams from the National Agency for the Security of Information Systems and the FBI to assist. After all, Russia purportedly added Montenegro to its list of “enemy states” after it joined the EU’s sanctions against Moscow in March. Moreover, NATO has repeatedly emphasized the alliance’s commitment to collective defense against unconventional threats, affirming in June 2021 that Article 5 applied to cyberspace.
The problem is that Russia may not actually be responsible. In fact, the cyber attack against Montenegro has since been attributed to the criminal outfit Cuba, a financially motivated ransomware and extortion group unrelated to the country whose name it shares. While some of its members are Russian speaking, the connection with Moscow at this stage is tenuous.
If Montenegrin authorities truly believed the Russian government was responsible, despite limited evidence, it shows how bias can affect how leaders perceive and interpret information. As Robert Jervis’ research on political psychology demonstrates, leaders tend to use “cognitive shortcuts” to interpret information in complex and uncertain environments and are slow to update their existing beliefs, despite new information that may call them into question. The cyber attack against Montenegro—coupled with other cyber attacks against other European states such as Romania, Italy, Lithuania, Norway, Poland, Finland and Latvia—had all the markings of a coordinated Russian operation during a time of heightened geopolitical tension. However, the attacks on the other European states were linked to Killnet, a pro-Russian—but not state-sponsored—group of hacktivists.
Yet, Montenegrin leaders likely saw exactly what they expected to see—Russian cyber attacks—despite dubious supporting evidence. This kind of bias could produce unintended negative consequences. Russia could capitalize on it for its own diplomatic or reputational ends, pointing to this as further proof that it is a victim of the West’s false anti-Russian narratives. A rush to attribute blame to Russia could also undermine the credibility of future attribution against Russia (or others), including in cases where Moscow actually is responsible. Overall, premature attribution and false claims can undermine efforts to establish meaningful international norms of behavior in cyberspace.
But Montenegro’s leaders might not have made an innocent mistake in pointing the finger at Russia; they could have made a strategic calculation about public attribution. Since Russia’s invasion of Ukraine in February, NATO leaders have repeatedly underscored the importance of the alliance, with President Biden proclaiming in March that the US has, “a sacred obligation under Article 5 to defend each and every inch of NATO territory.” Therefore, publicly linking a cyber attack against a NATO ally to the Russian government could increase political pressure on NATO to act more directly to preserve the credibility and integrity of the alliance.
Relatedly, the rapid decision by states like France and the US to provide cyber defense support to Montenegro could create problems of moral hazard. Beleaguered by cybersecurity threats and lacking the capacity to address them, smaller states could see a benefit in making similar public claims in an effort to garner resources. Over the long term, this could reduce the incentives for states to invest in their own cybersecurity if they anticipate their allies will come to their aid.
So far, the US government seems to have taken a measured stance in the Montenegro case. In response to another recent cyber attack against a NATO ally (the attack against Albania attributed to Iran), the White House issued an official statement of condemnation, which was followed by a round of sanctions against actors affiliated with the Iranian military for prior attacks against US targets. The timing of these actions sends a signal of US commitment to Albania, and is in contrast to the approach the US is taking with Montenegro. While the FBI continues to investigate the Montenegrin incident, the US has avoided strident public statements. Altogether, this suggests policymakers should continue to act with caution to prevent premature public accusations that could damage US credibility and provide fodder for Russian misinformation.
Erica D. Lonergan is an Assistant Professor in the Army Cyber Institute at West Point. She is also an adjunct research scholar at the Saltzman Institute of War and Peace Studies and the School of International and Public Affairs at Columbia University. Captain Maggie Smith is a US Army cyber officer currently assigned to the Army Cyber Institute at West Point where she is a scientific researcher, an assistant professor in the Department of Social Sciences, and an affiliated faculty of the Modern War Institute. She is also the director of the Competition in Cyberspace Project.
The views expressed are personal and do not reflect the official position of the Army Cyber Institute, United States Military Academy, Department of the Army, or Department of Defense.