Start your day with intelligence. Get The OODA Daily Pulse.
Over the last 2 decades cyber attacks have shifted from the theoretical to reality. This report provides insights from real world activities that can inform strategists and policymakers seeking to mitigate risks from nation state cyber attacks.
Writings on cyber warfare have been consistent in seeing cyber attacks as a first strike weapon for states before or at least at the onset of a kinetic conflict. The speed with which these attacks occur combined with the difficulty in allowing for sufficient indications and warning for defenders to be able to successfully mitigate their intensity and volume have bolstered cyber attacks as a legitimate capability for degradation, disruption, and destruction. Cyber attacks in kinetic conflict are synonymous with an aerial bombardment in which an onslaught of surprise digital strikes would help prepare the battlefield for a swift invasion force where timing, coordination, and maximum effectiveness would reap huge awards for the attacker. Many believed that cyber would be such a weapon, a game changer, something that the Chinese refer to as an “Assassin’s Mace,” an asymmetric capability that can be levied against a technologically superior force and a weapon whose use benefitted from not being telegraphed ahead of deployment.
The element of surprise has long been championed as a tremendous advantage for warring armies, a tactic that has been espoused by acclaimed war philosophers like Clausewitz and Sun Tzu. Indeed, history is rife with examples of battlefield commanders employing such tactics in concert with other actions such as deceptions and feints to break hardened perimeters or outflank an adversary in battle. The element of surprise has also been an important enabler for smaller forces to successfully beat larger, better equipped opponents. This can be seen in such examples as George Washington’s 1776 surprise attack against the Hessians in the Battle of Trenton and Germany’s invasion of France in 1940. Aside from kinetic opportunity, successfully employing the element of surprise can achieve a psychological advantage as well. The shock of an unexpected assault can have a traumatic effect on a commander’s psyche, as well as the in the minds of the boots on the ground forces. This is exceptionally important in the early stages of an armed conflict and can aid an attacker achieve victory as a result.
However, this philosophy in the context of cyber attacks has to be re-examined as they have evolved over the years. With more state actors developing both offensive and defensive capabilities, cyber attacks have not quite yielded the results many have suspected. Looking at the evolution of state-influenced and state-driven cyber attacks, there has been interest in trying to maximize the effectiveness of a cyber strike. After all, with continued integration of networks, it logically follows that exploiting systems could achieve an aggressor’s tactical objectives by impacting the very systems relied upon for command-and-control, logistics, supply, and general operations. Simply, the more networks and endpoints, the more possible areas to attack. Adding to that have been the perceptions that cyber weapons could be an awe-inspiring tool. After all, these weapons can be executed quickly, delivered surreptitiously, and can spread malevolently like a cancer or punch a hole in its intended target like a missile.
Over the past decade, the volume of cyber attacks by both state and nonstate actors have propelled these weapons into the mainstream. Cyber is no longer a foreign concept, and thanks to a proficient cybercrime ecosystem, there are few people in the world who haven’t been impacted in some way thanks to theft, a breach, or other forms of cyber-enabled malfeasance. Press outlets and cybersecurity vendors have prodigiously informed the public of suspected state actor cyber operations, tools used, varying degrees of sophistication employed, and their impacts on sectors and industries. Such attacks have become so common they are now expected, with even cybersecurity community resorting to a “zero trust” security framework that assumes networks are always at risk to external and internal threats, and as such, continuous attacks should be expected.
What has been learned over the past decade is that not only should cyber attacks be expected, but they also can be anticipated. As Clausewitz presciently wrote, “war is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means.” Like most wars that have been fought, geopolitical tensions between states can be a harbinger of future conflict, and thus be a good indicator of future cyber attacks whether from patriotic and nationalistic hackers, or if tensions have escalated, by state actors seeking to demonstrate displeasure or cause disruption in advance of kinetic action. What’s more, cyber attacks offer an opportunity that traditional weapons typically do not – they can be used as signaling agents, causing various degrees of damage without risking human life. Such incidents can be seen in the Operation Ababil DDoS attacks, the attack against Sony Pictures Entertainment, or even the wiper attacks against Saudi Aramco –all cyber attacks catalyzed by geopolitics.
Now, to be fair, there is a big difference between waxing theoretic about how cyber weapons can be used as a precursor to kinetic conflict and actually operationalizing their deployment during such periods. What works on paper does not always make the easy transition into the real world, especially in a domain where so much must be considered including preparation of digital battle space, target packaging, weapons development, and predicting battle damage assessments and collateral damage fallout. But while kinetic weapons have been known to go beyond the scope of the target inflicting collateral damage in excess of anticipated thresholds, their impact can be better quantified. The same degree of fidelity cannot be applied to cyber weaponry, which has a way escaping deep into the wild, as was seen with Stuxnet and NotPetya.
Russia’s implementation of cyber has provided a better barometer by which to measure state evolution in how cyber attacks can be used as part of the military toolbox. One of the earliest instances of state influenced cyber attacks occurred in 2007 when Russian patriotic and nationalistic hackers engaged in DDoS attacks against Estonia that lasted 22 days. The catalyst for these politically motivated attacks was the relocation of a Soviet-era statue in Tallinn, though the relationship between the two countries had not been the best prior to that incident. And while patriotic hacker attacks had been seen before (the hacker wars between China-United States and India-Pakistan come to mind), they had not really been leveraged to that effect. These attacks were organized and mobilized to respond to a very specific incident and for a specific purpose, demonstrating how geopolitics could quickly motivate hostile cyber activity and produce it on a consistent level.
The 2008 Georgia conflict showed an evolution in thinking how cyber attacks could be used in concert with kinetic military operations. Russia’s pretense of Georgia committing genocide in South Ossetia led to DDoS attacks that bombarded the country before Russian forces moved over the border. In the months leading up to the attacks, Georgia and Russia had tumultuous relations which dated back to the 1990s with the dissolution of the Soviet Union. When Georgian president cracked down on separatists in South Ossetia, tensions escalated, prompting a Russian response. Again, when such tensions reached a breaking point, Russia committed to invading under the auspices of protecting Russian nationals, showing how geopolitics was a strong indicator of a cyber response.
Six years later, Russia’s 2014 annexation of Crimea was spurned by a revolution that ejected Ukraine’s former president, sparking a political crisis that prompted Russia to invade” to protect Russian people” in the region. Similar to the previous incidents listed, days before the Crimean referendum, sympathetic Russian actors conducted an eight-minute DDoS in order to disrupt Ukrainian communication networks and to filter and reroute traffic to occupied territories. The intent may have been to divert attention away from Russian troop presence in Crimea. One group of hackers even unsuccessfully attempted to change election results. Again, geopolitics played a role in these operations.
Though political hostilities between Russia and Ukraine had been an ongoing occurrence, the Crimean annexation has been identified as the start of the current Ukraine conflict with an ongoing barrage of cyber attacks victimizing Ukrainian networks and critical infrastructure in 2015. Since Russia’s invasion of Ukraine in February 2022, cyber attacks meant to disrupt and destroy systems have continuously pummeled Ukrainian targets, though at this juncture these attacks – at least those conducted by Russian government assets and state sponsored ones – have been used more as a means of getting battlefield advantage than a political tool or signaling agent. They started before the official invasion and have continued since, bringing in nonstate actors into the cyber fray. Prior to the invasion, governments and media sources anticipatedRussia implementing cyber attacks, expecting a digital equivalent of “shock and awe” that never quite materialized.
The fact that damages have been not as bad as many had predicted or expected has raised questions about Russia’s capabilities, intent, and concern over potential global repercussion. But one of the simplest responses to these questions is that Ukraine was prepared. Prior to the invasion, Ukraine requested cyber defense assistance, getting not only governments to assist but commercial technology and cybersecurity companies as well. Early February 2022, Microsoft alerted the Ukrainian government to the existence of malware targeting Ukrainian government and other IT organizations., opening a 24/7 hotline to help Kyiv. Such activities dovetailed with U.S. cyber hunt-forward teams that had deployed months before the assault. So not only were Russian cyber attacks expected, but an infrastructure was also in place to immediately assist in mitigating them once they commenced. Attacks diversified, volumes increased, and targets have shifted but Ukraine has withstood the cyber part of the conflict. Perhaps the biggest takeaway from the crisis so far is that a cyber playbook has emerged that could be replicated in case another geopolitical hotspot should blow up.
As states continue to understand the best ways to integrate cyber attacks into their military operations, it’s increasingly clear that in today’s environment the ability to execute a surprise cyber attack may not be feasible. There will be too many red flags that will alert the global community, that when combined with geopolitics and the aggressor state’s history of offensive cyber measures, should provide ample heads-up for a state to enhance its cybersecurity alertness and defensive posture. And while there is an argument to be made that foreknowledge of attacks will not necessarily translate into what specific targets will be in the crosshairs, predicting what sectors should be prioritized for protection is not as much of a mystery. Critical infrastructure will remain high value targets, and understanding the adversary’s intent will better inform a state as to the purpose of the expected cyber attacks. In this regard, they may not be as deceptive and limitless as people expect. Yes, there are potentially voluminous ways to cyber attack a target, but the target will remain the target. Understanding what an adversary will attack and by what means falls to the advantage of the defender even if the specific means remains unknown.
Regardless of the perception of the role of cyber attacks in Ukraine, the conflict has set the bar for how the world can respond to them, particularly if other states are brought in early into the fray as support elements. This strategy gives credence to the value of regional blocs and like-minded country multilateralism, especially with respect to cybersecurity cooperation. More attentive eyes on the problem and a robust collaboration of shared assets should further reduce the ability of cyber offensives to surprise, further neutralizing what was once their biggest advantage. This is not to say that this will work across the board, but the more focus placed on geopolitics with an eye toward cyber attacks, the better prepared and more resilient countries will be to them.