The strategic complications presented by cyberwar
The cyber front hasn’t yet been a major factor in the Ukraine war – but that’s no reason for complacent strategic thinking
At first glance, cyberwar looks like the dog that didn’t bark in Russia’s brutal attack on Ukraine.
Many of the dire warnings about possible Russian moves against Ukraine in the cyber arena haven’t come to pass, including U.S. intelligence warnings in advance of the war that Russia had likely penetrated Ukraine’s critical infrastructure. Concerns about threats directed at the United States haven’t come to pass, fortunately.
That may seem somewhat surprising, given Russia’s long rap sheet in cybercrimes, hacks and attacks. There are several reasons why the cyberwar hasn’t played out the way some have feared.
Five possible reasons why cyberwar fears haven’t been realized yet
1. Russia’s top leaders may have overestimated its own likely success in a conventional military invasion.
Some analysts hypothesize that the ultimate decision to invade Ukraine was “close hold” among top leaders and there wasn’t planning done down the chain of command to initiate massive cyberattacks. Once a conventional war is launched, others argue, the relative advantages that cyberattacks have in scenarios that fall short of actual war are eroded.
The cakewalk didn’t happen, and a lot of what Russia had planned wasn’t achieved. More than two months into the war, and it’s not going well for Russia. The conflict is having devastating effects on the lives of millions of Ukrainians, but Russia is clearly not where it wanted to be by May.
2. Public warnings and leaking evidence of cyberattack plots in advance may have deterred Russia.
The United States issued multiple public warnings and threats of counter-retaliation for attacks on the cyber realm, and it could have had an impact.
3. Defensive measures on cybersecurity may have helped.
In advance of Russia’s invasion on Ukraine, the United States worked with NATO allies and other partners to bolster collective cyber defenses. A recent Microsoft assessment found that Ukrainian cyber defenses helped block some aggressive Russian cyber attacks early on in the war.
Because much of the U.S. national security debate is often stuck in the past, however, fighting the last war with a fixation on conventional military warfare and boots on the ground, many foreign policy commentators didn’t pay as much attention to the cyber realm as they should have.
4. Hacktivists may have turned the tables on Russia.
One interesting feature of the Ukraine war has been the massive counterreaction on many fronts by a wider range of actors, including non-state actors – and that seems true on the cybersecurity front, too. Russia is facing an extraordinary wave of cyberattacks and hacks from a mix of criminals, hacktivists, and governments.
The nature of these attacks even prompted some concerns from U.S. officials. Last week, Rob Joyce, the director of the National Security Agency’s Cybersecurity Directorate, tried to discourage vigilante hacking and attacks against Russia, saying, “…it’s illegal. But it’s also unhelpful, because one of the things we talked about is we’re trying to get Russia to take account for the ransomware attacks and hacks that come out of Russia and emanate.”
That statement shows the challenges U.S. officials face in trying to uphold a “rules based” international order when a multiplicity of actors who don’t want to play by any rules and move to take matters into their own hands.
5. Russia may be holding its cyberwar options in reserve.
The simplest explanation may be that Russia has just decided to hold off on deploying its most damaging cyberattacks for a later phase in the war, which seems likely to drag on for a long time. It could be that some of the capacities aren’t as strong as reported, but that seems less likely given Russia’s track record over the past decade. Or perhaps cyberattacks simply don’t have the same strategic effects in the midst of a full-blown conventional war that they might in other situations.
In any case, just because the awful cybersecurity scenarios some had feared haven’t yet played out, it remains an important task to think through the possible strategic implications of the evolving cyber tools Russia and other actors, state and non-state, might seek to deploy. The full story of what has unfolded on the cyber front with Russia remains unknown, and it’s a story that continues to play out.
It's also connected to wider trends in which multiple actors have exploited the open source nature of power in the world today to hack the common good.
Thinking through cybersecurity’s potential strategic impact on geopolitics
Since this field of cybersecurity is evolving, it’s important to look for new ways to expand our thinking and adapt to new realities as they unfold. Here are a few resources to consider:
1. A recent conference at Vanderbilt University. Last week, Vanderbilt University hosted a major policy wonkfest on modern conflict and emerging threats, and it’s worth watching some of the sessions here. Leading academic figures and policy analysts as well as current policy practitioners offered some important insights about the policy steps the United States and others are taking to address this evolving challenge of cybersecurity and what may lie ahead.
2. The Perfect Weapon by David Sanger. There are many excellent books that offer the latest news and events on the latest trends in cybersecurity blended with some smart analysis. The Perfect Weapon, a 2018 book by New York Times journalist, is smart and accessible to wider audiences, and it was turned into an HBO movie.
3. The Virtual Weapon and International Order by Lucas Kello. Another 2018 book that seeks to connect the cybersecurity field more tightly with international security studies and highlights the gap between policy practice and theory in this field, The Virtual Weapon by Lucas Kello is a bit more academic but offers important insights into how the international system is evolving. A key insight from this book: that the fast-paced revolution in technology and major advances have challenged the way governments deal with traditional defense and deterrence.
There’s no clear-cut answer as to why Russia’s vaunted cyber capabilities have so far failed to make much of a difference in Moscow’s war against Ukraine. It likely involves a combination of factors, including less effective Russian capabilities, more effective Ukrainian defenses, and cyber operations reaching the limits of what they can accomplish in the context of a large-scale conventional war.
As the fog of cyber war lifts, it’ll be up to researchers and policy analysts to learn what they can from the apparent failure of Russian attacks and success of Ukrainian defenses – and adjust their assessments of this new and still-uncertain theater of conflict accordingly. As technology evolves, the analytical frameworks and intellectual tools we employ to assess policy options need to evolve as well.