As cyber environment continues to evolve, many cyber experts, government officials and academics are following the conflict in Ukraine, and particularly its cyber dimension, very carefully. Russia is believed to be in the top three most cyber-capable countries (the United States and China being the other two) and its actions in Ukraine may set a precedent of how countries integrate cyber operations into military activity. As many have said before, a “pure cyberwar,” where military conflict occurs only in the digital environment, is unlikely to take place anywhere. A more likely occurrence are wars, crises, and conflicts where the exploitation of the digital environment is an integral part of other military activities. This is exactly what has happened in Ukraine.
Cyber operations are well suited to the vague concept of hybrid warfare, where states use a mix of conventional and unconventional means to achieve their military goals. In cyberspace, the adversary is usually difficult to locate, nations can conduct offensive actions with less political risk, and international law concerning cyber operations is still a grey area. Even though destructive cyberattacks have not been reported in Ukraine, there have been a variety of cyber activities carried out through the digital domain. A number of the cyber incidents that we know of have occurred against civilian targets, not military ones.
The most prominent cyber activities in the Russo-Ukrainian conflict have been cyber espionage and propaganda warfare campaigns, distributed denial-of-service (DDoS) attacks against Ukrainian media and governmental organizations and defacements of several NATO websites, the jamming of Ukrainian policy-makers’ communications, manipulation of information and videos, a campaign to corrupt voting processes in Ukraine, leaking confidential e-mails, phone calls and documents, and various disruptions in networks and information systems. In eastern Ukraine, Russian signals intelligence operations have made use of Internet data to locate and target Ukrainian military forces.
Attacks on critical infrastructure and attacks on defense systems have not happened during the Russo-Ukrainian war. Maybe in the future we will learn that there were such attacks, but at the moment there are no visible signs of them. Why? There are several reasons, but five stand out.
First, , Russian authorities seem to have determined that there has been no practical need to engage in destructive offensive cyber operations to achieve their military and political objectives in Crimea and Eastern Ukraine. The Russians seem to have calculated that the moderate use of physical force has been enough.
Second, Ukraine’s critical infrastructure is not as advanced and technology-dependent as that found in the West. Ukraine may not have provided lucrative enough targets for destructive cyberattacks.
Third, severe cyberattacks would probably have meant the escalation of the conflict, which has not been the aim of either side. In addition, sophisticated cyberattacks often have unpredictable side-effects and there is a risk that the attacker might shoot themselves in the foot. An easy example is Stuxnet, where malware was designed for a specific set of equipment and circumstances but eventually ended up in the wild causing headaches for others who weren’t the intended target.
Fourth, the implementation of destructive cyber operations may in practice be more difficult than the public discussion about cyberspace assumes them to be. It’s actually pretty hard to design a discrete cyber weapon that only does what you want it to do on a specific target.
Fifth, states are likely to save their most destructive cyber capabilities until they really need them, like countering an existential threat. The conflict in Ukraine most definitely does not fall into that category for Russia.
In future wars and conflicts, it is more likely that cyber operations will be deployed to shape the battlespace rather than as decisive activities in their own right. States with successful cyber capabilities will find a way to combine both their physical and cyber capabilities as efficiently as possible towards a common purpose.
Although we haven’t seen any destructive cyber incidents in the Russian-Ukrainian war, that doesn’t mean it won’t happen. The five reasons I’ve laid out might not hold true in the future. The latest news from Ukraine tells us that malware probably infected at least three regional power authorities in Ukraine and left about 1.4 million homes without electricity for few hours. However, many crucial questions in this incident remain unanswered. The war in Ukraine isn’t over yet, and this year may bring a different set of interests to conduct destructive cyberattacks.