Published by The Lawfare Institute
in Cooperation With
It turns out that the next war was not fought in cyberspace after all. Or at least the start of it has not been.
There has been no shortage of predictions over the past two decades about the importance of the digital domain in conflict since John Arquilla and David Ronfeldt warned that “cyberwar is coming” in a Rand Corporation paper back in 1993. As recently as November 2021, British Prime Minister Boris Johnson remarked in a testy exchange with Tobias Ellwood, chairman of the committee of the House of Commons that oversees defense, that “the old concept of fighting big tank battles on the European land mass are over … there are other big things that we should be investing in … [like] cyber—this is how warfare of the future is going to be.”
Ellwood, a strong critic of the British government’s decision to cut Army personnel in favor of investment in cyber capabilities, replied, “You can’t hold ground in cyber.” And on military tactics, if nothing else, Russian President Vladimir Putin seems to have agreed with him. Despite being one of the world’s foremost offensive cyber powers, the Russian invasion of Ukraine has, thus far, been utterly conventional in its brutality as the horrific pictures from Kyiv, Kharikiv and other cities show on an hourly basis. And Ukraine’s heroic resistance is similarly centered on the traditional understanding of war.
Even those of us long skeptical about the mischaracterization of cyber operations and cyber risk as catastrophic weapons of destruction, rather than a still serious but quite different threat of chronic disruption and destabilization, have been surprised by just how little cyber operations have featured in the early part of the invasion. The Kremlin’s handful of serious cyberattacks on Ukraine ahead of and around the beginning of the invasion represents its long-standing campaign of cyber harassment of the country over the past decade, rather than a serious escalation of it. There seems to have been little effort, for example, to strike the core of Ukraine’s internet infrastructure. Instead, the missiles rain, and the soldiers and tanks roll in. Similarly, the actions of pro-Ukrainian actors in defacing and taking down Russian websites may embarrass the Kremlin but hardly merit the much misused term of “cyberwar.” (As yet unverified reports of a massive data leak of the personal data of Russian soldiers would be much more impactful if true).
The reasons for this underuse of Russia’s sophisticated cyber capabilities so far in the conflict are unclear. In an article for War on the Rocks, Lennart Maschmeyer and Nadiya Kostyuk make a very interesting case that for all the sophistication and intensity of the Russian cyber campaign against Ukraine since 2014—a period in which Ukraine has become “Russia’s cyber playground,” with energy outages, the disruption of government and banking payments, and the harassment of Ukrainian business and civic society—it has been a failure. They argue that Russia’s hacks have made no material impact on the Ukrainian leadership’s decision-making and seemingly did nothing to undermine Ukrainians’ confidence in that leadership. Alternatively, the Kremlin’s calculation may have been more basic. As BBC security correspondent Gordon Corera put it on the day of the invasion, “For all the talk about ‘cyber war’, today shows that when conflict escalates to this point it is secondary. If you want to take out infrastructure then missiles are more straightforward than using computer code. Cyber’s main role now is perhaps to sow confusion about events.” It could be that Russia chose to leave the internet untouched because it needed it for its own communications. Or it could be that Russia’s state hackers suffered from a similar lack of preparation as their conventional forces.
As the Putin regime continues to initiate further bloodshed, Western policymakers will have many more urgent matters to tend to than reflecting on what the conflict says so far about cyber power. But those within the national security communities charged with thinking about cyber as a national security risk—and a national security capability—still need to find the capacity to evaluate three things:
- What the risk of cyberattacks against the West are as the conflict continues.
- How to analyze the role of cyber in the potential escalation in this conflict, including the potential use of Western cyber capabilities.
- What all this means for the West’s cyber posture and capabilities.
The Cyber Threat to Ukraine’s Western Allies
Even though cyber operations have featured to an unexpectedly small extent in the conflict so far, the West still remains at higher risk of serious disruption—as distinct from catastrophic attack—via the cyber domain than it was before the invasion. To point out the misrepresentation of cyber capabilities, their limitations, and the lack of use of them so far in the conflict is to invite allegations of complacency. It should not; a nuanced understanding of the actual risks makes for better preparation for them.
There are two reasons why Western governments’ advocacy for implementing a posture of heightened alert—or “shields up,” in the catchy slogan of Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA)—is the right one. The first is accidental “crossfire” damage in cyber operations. There is still every chance that Russia will decide to mobilize its cyber capabilities against Ukraine to a greater extent than it has so far, particularly if cyber is seen to have a potential role in demoralizing and disrupting the Ukrainian population and the ability of Ukrainian society to function. The nature of the networked world means that those attacks may not be cauterized within Ukrainian systems.
In June 2017, the Russian military intelligence service, the GRU, launched one of its periodic cyber operations against a range of Ukrainian targets in the so-called NotPetya attack. The attack misfired, and spread globally, devastating the ability of multiple Western companies to function, causing around $10 billion in commercial damage. Maersk, the shipping giant, was heavily disrupted. Merck, the pharmaceutical company, just won its court case in January 2022 and was awarded an insurance payout topping $1.4 billion to cover its NotPetya losses. Many businesses, from the global law firm DLA Piper to Cadbury’s chocolate production facilities in Hobart, off the south coast of Australia, were badly disrupted. The irony of the NotPetya case, as with the globally devastating WannaCry hack a month earlier by North Korea, was that had the hackers done their jobs better, the global impact would have been far less. Should there be an intensification of Russian cyber aggression against Ukraine, which there may well be, especially if the war drags on, the risk of such a repeat miscalculation increases.
The second risk is about the use of Russian cyber criminals as proxies for the Russian administration. The year 2021 was terrible for Western cybersecurity, and it had nothing to do with Ukraine. It did have quite a lot to do with Russia, but in a particular way. Russia is home to the world’s largest concentration of cyber criminals. Chainanalysis calculated that nearly three-quarters of the exponentially rising revenue from ransomware last year went to cyber criminal groups in Russia. More importantly, the economic and social impacts of Russia-based ransomware attacks were beyond what had been experienced before and exposed a soft underbelly of vulnerability for disruption across the West. In the U.S., a criminal operation against the ordinary enterprise network of Colonial Pipeline caused the company to switch off the transportation of fuel to the eastern United States, causing major shortages at gas stations. The sophistication of this criminal attack was well below the capabilities of the Russian state, illustrating the disruption and damage that can be caused by even semicompetent hackers. Worse, an attack by the so-called Conti ransomware group shut down the administrative body in Ireland charged with managing the national health care system with hugely disruptive consequences for cancer, prenatal and other critical health treatments.
The Conti group published a statement threatening retaliation against countries that support Ukraine and pledging loyalty to Mother Russia (and, incidentally, suffered a serious internal security breach, seemingly from a pro-Ukrainian working with them). Their statement is an unusually obvious glimpse into the strange but largely symbiotic relationship between the Russian state and organized cyber-criminality. Last year, President Biden protested vocally to President Putin in Geneva about the “safe harbor” Russia provided for such activity. And since then there have been some rather theatrical arrests of Russian cyber criminals. But such “gangster diplomacy,” in the words of former CISA director Christopher Krebs, cuts both ways. A cornered Putin may not just ease up on the criminals but encourage them to wreak more havoc on the West. So for both of those reasons, organizations like CISA and the National Cyber Security Centre in the U.K. (which I used to lead) warned not of any specific threats, but of a more general higher level of risk.
What We’re Learning about Cyber Capabilities and Escalation
Both of these risks—accidental and the use of proxies—have existed for years, so the current heightened threat level is just that: a possible intensification of what we already face. But will the circumstances of the war lead to a serious and unprecedented escalation of hostile cyber exchanges between Russia and Western states? This would be beyond anything undertaken before against a NATO state from Russia (excluding the high-intensity, medium-sophistication operation against Estonia in 2007 before the world really began talking about how to deal with cyber escalation). And will the West conduct cyber operations against Russia beyond the sort of espionage and influencing operations already expected and publicly articulated in general terms?
Plenty of experts seem to think so. And given the unpredictability of the Putin regime, the risk must not be discounted. CrowdStrike co-founder Dmitri Alperovitch, who has predicted with great precision how the conflict would begin, worries that the early underperformance of the Russian military and the strength of Western sanctions could provoke a cornered Kremlin with less to lose down this route. Perhaps more intriguingly, Washington and London abound with speculation that offensive cyber forms a part of the planned pushback against Putin. Alperovitch’s concern is then of a “horribly escalatory … tit for tat between the U.S. and Russia to see who can destroy one another’s critical infrastructure” with “potentially devastating impacts for our security.”
Predicting how this aspect of the conflict turns out is extremely difficult. But preparing for it starts with grappling with what the cyber capabilities are, how they work and what impact they have. And not every American policymaker seems to have Alperovitch’s expert understanding of the complexities. The day after the invasion began, NBC News reported that President Biden had been presented with a range of options for a cyber response against Moscow. Speculating that tampering with railroad switches could be part of the plan, one anonymous U.S. government source mused that “you could do everything from slow the trains down to have them fall off the track.”
That one sentence encapsulated the many misunderstandings of cyber capabilities, which perhaps explains why the White House dismissed the whole NBC story in unusually strident terms. There is a hierarchy of cyber operations from the extremely basic to the most sophisticated. Difficulty rises in correlation. Anyone can have a go at taking down a Russian government website. Taking a medium-size—or, too often, even a large—company offline is well within the capabilities of low-sophistication criminals. Doing something like slowing the trains down by sabotaging the signaling is usually much harder. The sorts of capabilities to do that belong to a handful of nation-states. Forcing trains off tracks takes you into the realm of Hollywood cyber fantasy: Cyber operations are computer code, and any railway system worthy of the name does not have a computer that can be reprogrammed to drive trains off the tracks. A system on which people’s lives depend, like air traffic control, must always have a fall-back mechanism. So, air traffic control will know how to land planes safely in the event of the total collapse of the network, whether by accidental or malicious means.
Way back in 2013, Thomas Rid, now at John Hopkins University, captured all of these nuances in his masterpiece “Cyber War Will Not Take Place.” Of particular importance was his insight that cyber capabilities are not like missiles. They do not directly destroy anything. As such, cyberattacks rarely, if ever, kill or physically hurt anyone. They have an effect: It is usually gathering information by espionage, influencing outcomes through subversion, or disrupting through sabotage. But even cyber sabotage is an indirect outcome. In theaters of war, a cyber operation could have a battlefield impact, not by firing anything but by disrupting military logistics and capabilities (and these are often hard to do). In times of war or peace, sabotaging a railway signaling means the trains should stop, causing mass inconvenience and inflicting economic costs. It should not cause the trains to power ahead, crashing into each other, causing mass fatalities. Similarly, the many cyberattacks on health care so far have been mostly disruption of health care administration, which has serious indirect consequences but is fundamentally different from bombing a hospital.
This lesson of the limitation of cyber as a weapon of war is not always well enough understood. In February, a column in Britain’s Daily Telegraph, where Prime Minister Boris Johnson spent most of his career and which is widely read by the governing party, called cyber “effectively a second-strike capability for NATO” and claimed that the West’s “cyber divisions are worth more than aircraft carrier battle groups or nuclear weapons in the particular circumstances of the Ukraine crisis,” equivalent to an alternative nuclear deterrent.
The reality is that cyber capabilities, as currently understood, can do everything from low-level harassment to serious disruption of everyday economic and social activity. But they can’t do what missiles, fighter jets and soldiers do. So what should weigh on the minds of Western policymakers when evaluating (a) the risks of deliberate cyberattacks by the Russian state against the West and (b) the role Western offensive cyber capabilities might have in the campaign against Russia’s aggression?
Broadly, four limitations apply and need to be considered.
Ease. Just as cyber capabilities don’t have the impact of missiles or ground troops, they can’t be directed like them either. While basic hacks are easy, at the higher end, where governments would be aiming to have a strategic effect, they can be complex operations that involve gaining entry to the network, remaining undetected, finding the right parts of the network, and configuring the operation to gain the desired outcome. For basic effects this is easy; for targeted attacks on critical infrastructure, it is harder. It takes time (sometimes lots of it), skill and luck. A leader cannot just order a “cyber strike” against an air defense, air traffic control or health care system and expect a successful operational report the next day. The feasibility of any cyber operation is the first hurdle to surmount.
Effectiveness. Some of the more difficult cyber operations could have an obvious and useful impact at a time of war, such as disrupting military logistics or undermining air defenses. Outside of war, extremely complex operations, such as that undertaken against the Iranian nuclear program in 2011 via the Stuxnet worm, can give real-world strategic gain to those carrying it out. But these are usually very difficult to do. Stuxnet took years. Easier operations could be mounted against privately owned civilian critical infrastructure. As with sanctions, the aim here is not to harm, but to influence. So what would influence Putin, or enough influential Russians, or the Russian population as a whole, to change course? Taking down the Kremlin website, as hacktivists somewhere seem to have done, causes embarrassment. So too does interrupting Russian media. But is it enough to have a decisive effect? That is highly doubtful.
Escalation. So what would have such an effect? Here is where the risks of escalation would come in. Both Russia and some of the major Western powers undoubtedly possess the capability for large-scale disruption of critical infrastructure. (Russia has shown that with the two disruptions of Kyiv’s electricity in 2015 and 2016.) What needs to be understood here is that any such activity would be escalatory. If there was an attack of unprecedented sophistication on a British or American power grid, it would be blindingly obvious who had carried out it. The portrayal of cyber as a domain where there could be a decisive but secret intervention is one of the most dangerous mischaracterizations of the domain. Offensive cyber therefore needs the same calm evaluation of adversary response as any other form of escalation or deescalation. It is just another form of state capability.
Ethics. This is unlikely to be on Putin’s decision tree, but it will and should be on the West’s. Health care is the obvious example. If Putin were to be found to have ordered, or facilitated, a repeat in a Western country of the sort of attack seen by the Conti group on Ireland’s health care in 2021, that would be seen as a highly escalatory act, completely outside the bounds of acceptable behavior, and an openly hostile act against countries that are not combatants in the war in Ukraine. So what does this mean for Western capabilities? Would the West do the same to Russian health care? Last June in Geneva, Biden handed Putin a list of some 16 sectors he said must not be the subject of malicious cyber activity. This presages a longer-term American, and wider Western, agenda to try to bring some sort of generally accepted understanding about where red lines are with respect to cyber activity. The world is a long way off from agreeing to such principles. But—even in this terrible conflict—Washington is likely to be wary of being seen to have trashed these principles and put noncombatant Russian civilians at risk of disruption of health care.
So there are practical, strategic, and, in the case of the West, ethical limitations on the potential for escalation in cyberspace. That is not to say it won’t happen. A desperate Putin could launch whatever capabilities are at his disposal, and even with all these limits on the potency of cyber capabilities, repeated hostile attacks could cause major disruption (though most probably not death and destruction) in the West. And in any case, enough non-escalatory threats are already out there through spillover and the use of proxies to justify the current state of high alert.
What This Means for Western Cybersecurity Posture
At this early stage, the conflict so far tells us something about the limitations of cyber capabilities in both directions in this conflict. And the early stages of this war provide two important lessons of cyber realism for Western policymakers and their societies.
The first is realism about the limitations of cyber capabilities. For the reasons already explained, cyber capabilities give neither side a big red button to decisively alter the course of events. The war thus far has emphasized the limitations of cyber as a tool of war rather than its centrality to it. A more realistic consideration and public discussion of the role of cyber as a tool of statecraft—both the risks it poses and the capabilities it provides—is urgently needed. Cyber capabilities provide the potential to disrupt, delay, annoy, rob, steal from, spy on and influence an adversary. They therefore have a place in and outside of conflict, but they are not magic invisible weapons.
Furthermore, high-end technological capability is a must for all modern military systems. But, to return to the exchange between Ellwood and Johnson, no one should think that cyber operations, however defined, provide some sort of alternative capability to use computers to bring about military-style impact. Ellwood must be right about the limitations of cyber power, even if Johnson is surely right to overrule him on the question of no-fly zones. It’s not just that you can’t hold ground with cyber; you can’t gain or reclaim it, either. That’s not the way cyber capabilities work.
The second lesson, once the crisis has passed, brings to mind a famous speech by Winston Churchill a century ago, not long after another European land war. Referring to the pre-war reemergence of the age-old problem of Ireland in British politics, he said that “the whole map of Europe has been changed, but as the deluge subsides … we see the dreary steeples of Fermanagh and Tyrone emerging once again,” citing the two Ulster counties most hotly contested as the island was divided. What he was saying was the world may have changed, but some problems were the same, and just as intractable as they were before the war.
The “dreary steeples” in Western cybersecurity are the problem, as old as the internet itself, of chronic digital insecurity. It is significant that the warnings coming from the likes of Washington and London to their own citizens are not about “cybergeddon.” They are about the risks of overspill from Russian attacks and from Russian proxies, and the potential that the Putin regime may decide to take over from the proxies and do it better.
So a state can spend a fortune on high-end offensive capabilities and on securing its own most important military and other national security assets against cyber risks. But the reason people are scared about cyber in the context of this war is that they know that cyber defenses across their entire societies aren’t strong enough yet (though they are better than they were). The strategic vulnerability to disruption and sabotage lies not so much in the military space but in the hospital booking system (Ireland), the logistics schedule (Maersk), the political party (as in the U.S. experience in the 2016 election), the electricity grid (Kyiv), and thousands of other mainstream, civilian, mostly privately owned networks.
However this horrendous war turns out, the West will be left with these strategic cybersecurity weaknesses to tackle. And in the meantime, the cyber domain may influence the war at the margins, but it will not decide it.