The war in Ukraine is the largest military conflict of the cyber age and the first to incorporate such significant levels of cyber operations on all sides. Below, Carnegie Endowment experts Jon Bateman, Nick Beecroft, and Gavin Wilde discuss the key insights from their new series, “Cyber Conflict in the Russia-Ukraine War.”
What does cyber competition in the war look like so far?
Gavin Wilde: In many ways, February 2022 was the culmination of one of the most long-running and extensive information assaults by one state on another in history. If Ukraine could be considered Russia’s testing ground for offensive cyber and information operations—primarily to wage political warfare—since 2014, after this year, it seems fair to consider it the best testing ground for Western assumptions about information weapons in conventional warfare more broadly.
Jon Bateman: Ukraine has faced intense levels of Russian offensive cyber operations since the invasion, but these do not seem to have contributed very much to Moscow’s overall war effort. As the war began, Moscow launched what may have been the world’s largest-ever salvo of destructive cyber attacks against dozens of Ukrainian networks. Most notably, Russia disrupted the Viasat satellite communications network just before tanks rolled across the border, plausibly hindering Ukraine’s initial defense of Kyiv. But no subsequent Russian cyber attack has had visible effects of comparable military significance, and the pace of attacks plummeted after just a few weeks of war.
Although destructive attacks are most attention-grabbing, Russia’s main cyber activity in Ukraine has probably been intelligence collection. Russian hackers have most likely sought to gather data to inform Moscow’s prewar planning, kinetic targeting, occupation activities, influence operations, and future negotiations with Kyiv. However, Russian brutality and incompetence seem to have prevented Moscow from properly leveraging cyber intelligence. Additionally, non-cyber intelligence sources—like imagery, human agents, and signals intercepts—have been more practically useful to Russia.
Nick Beecroft: Ukraine has shown formidable defensive strength and resilience on the physical battlefield, and the same is true in cyberspace. Kyiv’s ability to harness the experience of years of Russian cyber attacks, combined with strong support from Western governments and—crucially—technology companies has allowed Ukraine to deploy cyber defenses at a scale and depth never seen before. But it’s not only the scale of defense that has been impressive. An alliance of competing companies and governments with varying agendas is collaborating and learning together to thwart Russian cyber attacks, driven by a shared sense of outrage at the invasion. This is not to say that Ukraine has won the competition in cyberspace, since Russia could yet launch damaging cyber attacks or exploit networks for valuable intelligence. But the war has demonstrated that cyber defense is not a hopeless cause.
It appears to many that Russian cyber operations were less impactful than expected. Why is that?
Jon Bateman: Russia’s low cyber success was the overdetermined result of many factors, including inadequate cyber capacity, weaknesses in non-cyber institutions, and exceptional defensive efforts by Ukraine and its partners. To meaningfully influence a war of this scale, cyber operations must be conducted at a tempo that Russia apparently could sustain for only weeks at most. Moscow worsened its capacity problem by choosing to maintain or even increase its global cyber activity against non-Ukrainian targets and by not fully leveraging cyber criminals as an auxiliary force against Ukraine. Meanwhile, Russia seems unwilling or unable to plan and wage war in the precise, intelligence-driven manner that is optimal for cyber operations. Ukraine, for its part, has benefited from a resilient digital ecosystem, years of prior cybersecurity investments, and an unprecedented surge of cyber support from the world’s most capable companies and governments.
Some other oft-cited explanations, like Russia’s poor planning or restraint, are less compelling. Nine months of war have given Russian hackers plenty of time to grasp Moscow’s war goals, yet the pace of damaging cyber attacks has fallen, not risen, over time. And with Russian forces working hard to destroy Ukraine’s infrastructure and immiserate the populace, it would make no sense for Russian hackers to hold back.
Gavin Wilde: The bar seems to have been set too high on two scores: in the West, because we calibrated our expectations under a context far short of all-out war; and in Moscow, because military strategists calibrated theirs according to a version of war they think they saw in the 1990s to 2000s but was never quite accurate. In both cases, even the most sophisticated cyber and information operations are simply more impactful and resonant in periods of relative peace than they appear to be amid the violence, destruction, and ops tempo of a military campaign. The most advanced military cyber forces are still wrestling with how to effectively integrate them. Russia doesn’t appear to have done so thus far.
Nick Beecroft: One somewhat surprising feature has been Moscow’s apparent concern to avoid unintended or widespread international impacts through cyber attacks. Past Russian cyber operations had featured global disruption (NotPetya worm), aggressive targeting of massive global networks (SolarWinds breach), and pursuit of political objectives through digital intrusions (U.S. election interference, attempted disruption of the 2018 Winter Olympics). All of these operations were exposed, thwarted, or apparently ran out of control, and it’s possible that the Kremlin attaches a high risk of unintended or negative consequences to cyber operations against foreign targets outside of the war zone.
The attack against Viasat early in the war, which caused apparently unintended disruption to communications across Europe, may have further undermined the confidence in controlling the effects of cyber attacks. October’s ransomware attacks against transportation targets, which included some in Poland, could be an indicator of limited-scale experimentation with achieving targeted effects against countries supporting Ukraine. The stakes are much higher since the invasion of Ukraine raised the specter of direct conflict with NATO, and the Kremlin may simply not trust its cyber agencies to achieve carefully calibrated effects within a strategy of deterrence and escalation.
How might Russia adapt in cyberspace moving forward?
Gavin Wilde: I think the question now is one of how to sustain momentum with much less. The exodus of Western tech from the market means Russian state actors may now be running against the clock before they begin either incurring significant technological debt—lack of necessary hardware to software updates that are not forthcoming—or resorting to the less-trusted Chinese variants. Over time, this could diminish the security and functionality of everything from domestic telecommunications (and thus, surveillance) infrastructure to the high-tech research organizations that develop sophisticated cyber exploits. Meanwhile, Moscow is likely going to deal with a rapidly diminishing pool of R&D funding and especially tech talent—much of which, by all reports, has begun seeking more hospitable homes in places like Georgia, Kazakhstan, Turkey, and Israel. In the near term, I’d expect to see a doubling down on disposable, disruptive-but-not-decisive exploits like wipers that delete data from infected targets.
Jon Bateman: As the war continues, Russian intelligence collection probably represents the greatest ongoing cyber risk to Ukraine. Conceivably, Russian hackers might still have larger impact if they can collect high-value intelligence that Moscow then leverages effectively. For example, the hackers might obtain real-time geolocation data that enable the assassination of President Volodymyr Zelenskyy or the timely and accurate targeting of Ukrainian forces, particularly those with high-value Western weapons systems. Russia might also conduct hack-and-leak operations revealing sensitive war information to the Ukrainian and Western public, such as Ukraine’s combat losses, internal schisms, or military doubts. Or it could collect valuable information about Kyiv’s perceptions and intentions that can aid Moscow at future talks, among other scenarios. Damaging Russian cyber attacks pose a less serious threat, though they could multiply if Moscow directs more of its overall cyber capability toward Ukraine (at the cost of other objectives) or better leverages cyber criminals.
What are the implications for competition in cyberspace beyond this war?
Nick Beecroft: The war has exposed the huge role of the private sector in defending digital networks at national scale. Commercial entities have morphed from vendors to vital agents of defense and foreign policies. This tends to raise different priorities among the Western allies. In the United States, the concern is whether the ad hoc coalition deployed to defend Ukraine could be replicated elsewhere, particularly against a Chinese threat to Taiwan. In Europe, there is some unease at the prospect of relying on a “cyber umbrella” provided by a handful of U.S. corporations. Both perspectives encounter similar unanswered questions concerning funding and sovereignty.
Thus far, numerous corporations have been willing to provide a substantial commitment of proprietary services to Ukraine free of charge, but that cannot be sustained indefinitely and may not extend to other situations. Furthermore, the pivotal role of commercial (usually American) actors presents democracies with a challenge of retaining control of foreign and defense policies: governments will need to clarify when and how they could call on private sector capabilities and when and why they might not be available. The invasion of Ukraine sparked a unity of purpose among diverse actors that may not be present in the next conflict.
Gavin Wilde: Russian President Vladimir Putin in September tasked his foreign intelligence service with aiding Russia’s technological development amid economic isolation from the West and recently signed a federal budget in which 30 percent is dedicated to military and security forces. Meanwhile, the war has underscored the central role that precision—from targeting to guidance—will likely play in future conflict. That will require advanced chips, electronic and drone warfare capability, and air defense enhancements. In this regard, Western cyber defenses in the defense industrial complex and their related export controls will likely need to complement each other at unprecedented levels.
Jon Bateman: Russia’s experience suggests that damaging cyber operations can be usefully concentrated in a surprise attack or other major salvo, but they risk fading in relevance during larger, longer wars. To sustain wartime cyber attacks at meaningful levels, militaries may need to build much bigger cyber forces, develop much faster regeneration capabilities, and experiment with short bursts of intense cyber attacks (ideally coordinated with kinetic operations) followed by periods of stand-down. Cyber commands that cannot do these things should probably prioritize cyber defense and intelligence collection in wartime, while reserving cyber attacks for more selective use in peacetime, gray zone, or prewar conditions. Cyber intelligence collection has significant potential to support a variety of wartime military tasks, but this probably depends on having competent analysis and decisionmaking processes and a reasonably precise “way of war.”
To be sure, the Ukraine war is just one of many relevant case studies. Militaries with high capability, professionalism, and readiness in both cyber and kinetic disciplines—such as the United States and Israel—have previously leveraged cyber operations to enable strikes on high-value targets. Yet even top-tier militaries seem to have the greatest cyber successes in tightly circumscribed contexts. Overall, the scale of war appears inversely correlated with the strategic impact of cyber operations. If this correlation holds, cyberspace should probably not be seen as a “fifth domain” of warfare equivalent in stature to land, sea, air, and space.
For more on this subject, view the authors’ entire series.