Lessons On The Future of Cyberwar From Russia

As the conflict in Ukraine rages on, the implementation of offensive cyber operations has fallen under an intense microscope. Because Russia is a reputed cyber power with capabilities that many believe are near-peer to those of the United States, many expected it to execute devastating attacks that crippled critical infrastructures, knocking out energy grids, impacting financial institutions, and showing the true power of cyber in the 21st century. However, to date, these types of attacks have not materialized, calling into question whether cyber war has been oversensationalized, and whether and why the West has overestimated Russia’s cyber capabilities the way it appears to have done with Moscow’s conventional military power.

But what makes the Ukraine conflict notable for cyber enthusiasts is that it represents the first real example of cyber attacks used in conjunction with, though not necessarily all coordinated with, traditional military maneuvers (there are several pro-Russia nonstate cyber elements acting independently). A recent Microsoft report shows how some cyber attacks occurred in tandem with a kinetic move, though it did not show causal effect. Notwithstanding, understanding the interaction between military strikes and cyber attacks is important in gaining perspective on how cyber can be used to support conventional military operations and whether it can serve as a force-multiplier to them, as has been suspected. Undoubtedly, once this conflict ends and all the information becomes available for public review, analysts will pore over what transpired, provide their takes on what was successful and what was not, and establish a lessons-learned baseline for how cyber weaponry can and should be deployed at all stages, start to finish.

To be fair, Russia appears to have pursued a cyber playbook that has been written about by many cyber warfare authors with respect to using cyber attacks at the onset of engagement and against what targets. As the new Microsoft report relays, Russia conducted extensive cyber espionage against key Ukrainian targets prior to the invasion. Per Microsoft’s findings, Russian espionage and network penetration has been conducted against 128 organizations in 42 countries allied to Ukraine since the start of the war. Russian cyber actors have been approximately 29% successful, and a quarter of those successes led to the exfiltration of a target’s data. While the statistic is noteworthy, it does not establish whether this percentage is good (akin to a baseball player’s batting average) or poor, and it does not take into account whether any of the material taken was critical to Russia’s operational success. Nevertheless, the report does confirm what many cyber warfare followers have long maintained – an adversary conducts cyber espionage for network mapping and intelligence collection before, during, and after a conflict.

Additionally, Russia conducted a series of disruptive attacks against vital communications channels leading up to its attack, consistent with the belief that cyber attacks are a “first strike” weapon. Ukrainian website defacements and the disruptive attack against vital communications satellite VIASAT (which provides high-speed broadband to both commercial and military customers) disrupted Ukraine’s ability to disseminate information broadly, a critical goal for any invader looking to gain an advantage. Russia followed with a series of destructive attacks in the form of distributed denial-of-service (DDoS) and several wiper malware strains that disrupted systems, rendering some inoperable. These attacks focused on key civilian assets – government, finance, IT, aviation, Ukraine’s largest broadband provider, among others – and were likely designed to stoke unrest and instill a lack of confidence in the public.

But as in Georgia and Crimea before, Russian cyber operations have not been limited to strikes that exploit the technical aspects of computer systems; they have also sought to exploit the psyches of the targeted public. While disruptive attacks fall in the category of the former, disinformation, propaganda, and influence campaigns address the latter, targeting both domestic and international audiences. However, where such Russian information operations proved successful in the past, particularly in keeping NATO out of its efforts to annex Crimea in 2014, they have been less successful now, a result of the volume of on-the-ground international media to counter the narrative pushed by Russian press reporting. Even though Russia has had more success in influencing its own domestic population, there are signs that this too may be changing the longer the conflict endures.

While cyber attacks continue, they seem to be less of a factor and have created less of an impact the more Russian forces battle for territory. In fact, Russia appears to have backed away from relying on cyber attacks against critical civilian infrastructures in favor of using conventional strikes, intimating that kinetic weapons, not cyber ones, are preferable for adversely affecting these targets. This indicates that while cyber attacks may instill fear in a populace, they are not seen as a dependable means to achieve a desired tactical military outcome, most likely due to their unpredictability and their tendency to escape the network boundaries of the specific target. At least for the past four months, Russia seems to be using cyber attacks in a supportive, secondary role, which may be a result of how the military engagement has unfolded, though a full accounting won’t be possible until long after the conflict has been resolved.

Therefore, looking at how Russia has implemented cyber operations in Ukraine, the lack of cyber impact may be less the fault of the cyber weaponry itself than of the strategy into which it was incorporated. Many contend that Russia expected to win the conflict in a short amount of time, the very type of situation where a constant bombardment of disruptive cyber attacks would have been most productive. However, the longer the engagement draws out, the less important cyber attacks have become in terms of strategic positioning and helping to win military battles. They are still an attack option but one that pales in comparison to a missile barrage or threat of tactical nuclear weapon deployment. As the Microsoft report contends, Russia continues its cyber espionage and network penetration activities, but against countries supporting Ukraine, perhaps to gain insight into political positions and further intent to aid Ukraine.

So, what does this bode for the future? To say Russia has failed to execute a successful cyber war is disingenuous, as this is the first time cyber operations have been incorporated in an engagement of this magnitude. Simply, Russia, like the rest of the world, is learning how to coordinate cyber and kinetic attacks in a productive, effective manner. What’s more, Russia has been uniquely constrained from unleashing the full arsenal of its capabilities. NATO has stipulated that a cyber attack on a member could trigger the Article 5 collective defense clause, though it has fallen short in providing the conditions of that threshold. Containing even specially designed malware (like a Stuxnet weapon that exploited a specific system component) is difficult, as such malware has a tendency to escape beyond the original target. As such, Russia has had to be very careful to ensure that its cyber weaponry has remained contained within the borders of Ukraine and not spilled into neighboring NATO countries, lest it risk full NATO retaliation.

Further complicating matters is that Russia’s cyber efforts are being countered and mitigated by a robust nonstate force as well as cyber teams from the United States and European Union and even private IT companies. The more participants involved, the greater the visibility into the attack space, and the more experienced personnel there are to assist in identifying and remediating attacks. The fact that Russia misstepped and expanded its cyber espionage and network penetration outside the region further invites these countries to share threat information against a common foe. Viewed through this lens, the cyber war that is occurring is not a straight-up fight, but one that has pitted Russia against a collective of public and private entities.

Therefore, it’s not so much that Russia has been ineffective in demonstrating the possibilities of cyber warfare as much as it has failed to devise an operational plan that took advantage of the hard and soft capabilities of cyber activities. Combined with its inability to integrate them into its overall military strategy, this has made cyber attacks fractured, independent one-offs that barked but did not bite. It also failed to draw up a soft power strategy that supported its actions in Ukraine. Russia vastly underestimated the overwhelming global response to help Kyiv and did not craft a successful message strategy to keep the global community on the sideline like it had done during its annexation of Crimea in 2014.

Building on that, the future of cyber attacks during military conflict may take a similar form, especially if the global community is brought into a geopolitical flash-point (read: Taiwan) where cyber operations may play a role. An aggressor needs to consider how offensive cyber operations are realistically integrated into a battle strategy that advances its goals without risking the involvement of other countries that would support the victim and thwart its activities. This will come down to prepping the information space appropriately ahead of an expeditious short-lived military engagement in which all disruptive, destructive, and influential cyber activities are maximized for effect. Until an actor can achieve this multi-faceted capability, cyber war will remain in the development process.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.