14 June 2022
Describing and understanding the puzzle are of course two different things, let alone deriving policy conclusions. In the second part of this post, I will argue that special, although not necessarily unique, strategic circumstances have contributed to the absence of more serious cyberattacks, particularly against critical infrastructures in the context of the Ukraine war.
Major factors that have contributed to the rather limited role of cyber operations in Ukraine thus far might simply not apply to other conflict scenarios: strategic interests, decision-making styles, as well as offensive and defensive capacities differ from one context to another. Yet, even in this conflict there is always the risk of unintended escalation. In the following, I will explore four particular reasons that could be used to explain the absence of (the rather widely expected) large-scale cyberattacks.
Cyber – a Superfluous Domain?
One way to approach the issue is to take sophisticated Russian cyberattack capabilities for granted (as many have done) and look for reasons these have not been utilised. Given that the Russian leadership was willing to use physical violence in a non-discriminatory and reckless way, without apparent consideration for international humanitarian law, cyber operations might simply not have been considered necessary. Once somebody is willing to attack cities, power grids, train stations, and similar targets with bombs and artillery, why bother with the cyber domain, which requires complex preparations, involves major trade-offs, and is arguably far less reliable in creating physical effects? Physical violence, or even the threat thereof, is a far more efficient and effective means of coercion and destruction. Even rerouting and controlling local internet traffic can be achieved by physically taking over the infrastructure, as the intrusion into and takeover of a Kherson-based Internet company showed: all equipment was disconnected and operators were forced to switch to the Russian network.
A Lack of Planning?
Another reason why we have not seen any catastrophic cyberattacks thus far might relate to Russia’s war planning. Most likely, very few senior decision-makers were involved in Vladimir Putin’s decision to wage a full-blown invasion of Ukraine. In the absence of broader deliberations among decision-makers and experts with divergent viewpoints, groupthink likely affirmed the illusory belief in a quick victory and the fall of Kyiv. The more this was the case, the more likely it is that cyber operations were seen as unnecessary or even too risky: a full integration would have required war plans to be shared with cyber specialists, increasing the chances of leakage – whether intentional or not. At first glance, data from Microsoft appears to refute this theory. As early as late 2021, Russian threat actors positioned themselves in the networks of Ukrainian energy and internet service providers that later became targets of cyberattacks. Yet this does not prove that the attackers knew about the strategic context in which these tools might be employed, even if they were APTs affiliated with Russian intelligence services. Nor does it mean that their efforts were prioritised and resourced appropriately by the state leadership. It does not even mean that the wiper attacks were originally intended for use during a war, particularly considering the fact that Russia has used various means to destabilise Ukraine before.
Your Infrastructure is Now Mine
Assuming there had been a belief in a quick victory, targeting critical infrastructures via cyberattacks, especially with destructive goals, would not have made much sense. After all, the very same infrastructure would soon be used by the Russian occupation force. The fact that Russian forces quickly switched to indiscriminate violence against civilian infrastructures in Ukraine does not necessarily disprove this theory. Integrating sophisticated cyber operations into military strategies and tactics on short notice is a very challenging endeavour, and large-scale cyberattacks against high-value targets usually take months, not weeks, to prepare. Thus, even if the Russian leadership reversed its decision not to conduct large-scale disruptive cyber operations after realising that the military campaign would not succeed anytime soon, the means to do so might not have been available, or only of very poor quality. That would explain the rather unsophisticated code of IsaacWiper, which Kaspersky characterised as a “product of rushed development”, though it cannot explain the use of more sophisticated malware against other targets. Thus, the evidence so far is inconclusive, and more data on the preparatory time and organisational efforts behind various Russian malware campaigns would be needed to provide more solid answers.
A Strong Defence
Finally, while assessing possible causes of the absence of catastrophic cyber incidents, we should not underestimate the strength of Ukrainian defensive efforts. The sheer number of malware campaigns detected before they caused any substantial damage is already testimony to this. The years in which Ukraine has been used by Russia as a testbed for cyber operations seem to have had an unintended side effect: Ukrainian authorities have stepped up the country’s cyber defences, also with the help of international partners and businesses. In the past five years, US agencies alone have provided over USD 40 million in cyber capacity building. Since the start of the war, the sharing of threat intelligence, investigative methods, and cyber incident response best practices with numerous Ukrainian government institutions and businesses has been stepped up even further. The most spectacular case of private sector help certainly was Elon Musk’s provision of hundreds of Starlink internet service terminals. Altogether, the combined and sustained actions of all these international partners – as well as tireless efforts by Ukrainian authorities, businesses, and cybersecurity experts themselves – explain the remarkable resilience of the Ukrainian ICT infrastructure in the midst of the Russian invasion. Yet precisely because there was such an exceptional defensive effort, both in terms of coalition size and duration, the question arises as to how replicable these conditions are in other cases where military escalations will be harder to anticipate or where fewer international partners have similar stakes involved. In other words: cyberattacks will probably have a much higher success rate in places that did not go through such a period of intense strategic learning or that lack strong international support.
International support, or the lack thereof, is also key to understanding Russia’s decision calculus regarding the employment of cyber operations against Western targets. In cyberspace, the country seems even more isolated than in diplomatic fora. For example, Chinese threat actors do not seem to support Russia’s limited campaign against Ukrainian targets but have rather seized the opportunity to intensify their cyberespionage activities across the board. More importantly, a cyber-strike against the critical infrastructures of NATO members would almost certainly lead to an even greater resolve to transfer weapons to the Ukrainian military, even in countries with a rather sceptical public opinion. Against this backdrop, there is little that Russia could possibly gain from further internationalising the conflict, whether in or outside of cyberspace. This might change if President Putin’s hold on power were to weaken due to domestic opposition at some point in the future. In this case, he might desperately seek another rally-round-the-flag effect by further escalating and internationalising the conflict with NATO.