“Cyber Realism in a Time of War”
Lawfare, March 2, 2022
2022 Ukraine Crisis
By Ciaran Martin
“Alternatively, the Kremlin’s calculation may have been more basic. As BBC security correspondent Gordon Corera put it on the day of the invasion, “For all the talk about ‘cyber war’, today shows that when conflict escalates to this point it is secondary. If you want to take out infrastructure then missiles are more straightforward than using computer code. Cyber’s main role now is perhaps to sow confusion about events.””
It turns out that the next war was not fought in cyberspace after all. Or at least the start of it has not been.
There has been no shortage of predictions over the past two decades about the importance of the digital domain in conflict since John Arquilla and David Ronfeldt warned that “cyberwar is coming” in a Rand Corporation paper back in 1993. As recently as November 2021, British Prime Minister Boris Johnson remarked in a testy exchange with Tobias Ellwood, chairman of the committee of the House of Commons that oversees defense, that “the old concept of fighting big tank battles on the European land mass are over … there are other big things that we should be investing in … [like] cyber—this is how warfare of the future is going to be.”
Ellwood, a strong critic of the British government’s decision to cut Army personnel in favor of investment in cyber capabilities, replied, “You can’t hold ground in cyber.” And on military tactics, if nothing else, Russian President Vladimir Putin seems to have agreed with him. Despite being one of the world’s foremost offensive cyber powers, the Russian invasion of Ukraine has, thus far, been utterly conventional in its brutality as the horrific pictures from Kyiv, Kharikiv and other cities show on an hourly basis. And Ukraine’s heroic resistance is similarly centered on the traditional understanding of war.
Even those of us long skeptical about the mischaracterization of cyber operations and cyber risk as catastrophic weapons of destruction, rather than a still serious but quite different threat of chronic disruption and destabilization, have been surprised by just how little cyber operations have featured in the early part of the invasion. The Kremlin’s handful of serious cyberattacks on Ukraine ahead of and around the beginning of the invasion represents its long-standing campaign of cyber harassment of the country over the past decade, rather than a serious escalation of it. There seems to have been little effort, for example, to strike the core of Ukraine’s internet infrastructure. Instead, the missiles rain, and the soldiers and tanks roll in. Similarly, the actions of pro-Ukrainian actors in defacing and taking down Russian websites may embarrass the Kremlin but hardly merit the much misused term of “cyberwar.” (As yet unverified reports of a massive data leak of the personal data of Russian soldiers would be much more impactful if true).
The reasons for this underuse of Russia’s sophisticated cyber capabilities so far in the conflict are unclear. In an article for War on the Rocks, Lennart Maschmeyer and Nadiya Kostyuk make a very interesting case that for all the sophistication and intensity of the Russian cyber campaign against Ukraine since 2014—a period in which Ukraine has become “Russia’s cyber playground,” with energy outages, the disruption of government and banking payments, and the harassment of Ukrainian business and civic society—it has been a failure. They argue that Russia’s hacks have made no material impact on the Ukrainian leadership’s decision-making and seemingly did nothing to undermine Ukrainians’ confidence in that leadership. Alternatively, the Kremlin’s calculation may have been more basic. As BBC security correspondent Gordon Corera put it on the day of the invasion, “For all the talk about ‘cyber war’, today shows that when conflict escalates to this point it is secondary. If you want to take out infrastructure then missiles are more straightforward than using computer code. Cyber’s main role now is perhaps to sow confusion about events.” It could be that Russia chose to leave the internet untouched because it needed it for its own communications. Or it could be that Russia’s state hackers suffered from a similar lack of preparation as their conventional forces.
As the Putin regime continues to initiate further bloodshed, Western policymakers will have many more urgent matters to tend to than reflecting on what the conflict says so far about cyber power. But those within the national security communities charged with thinking about cyber as a national security risk—and a national security capability—still need to find the capacity to evaluate three things:
- What the risk of cyberattacks against the West are as the conflict continues.
- How to analyze the role of cyber in the potential escalation in this conflict, including the potential use of Western cyber capabilities.
- What all this means for the West’s cyber posture and capabilities.
About the Author:
Ciaran Martin is Professor of Practice at the Blavatnik School of Government, University of Oxford. From 2014 to 2020 he set up and then led the National Cyber Security Centre of the United Kingdom, part of the intelligence agency GCHQ.