As the war in Ukraine grinds through its fourth week, the Russian advance has failed to make significant progress, and major nodes of Ukrainian power remain unconquered. This is true not just on the ground, but also in cyberspace. This conflict began with many worried experts, cyber and military alike, claiming that the Russian forces could swiftly overwhelm the Ukrainians. With heroic resolve, botched Russian logistics, and Western aid, the military experts were proven wrong quite expeditiously. Director of National Intelligence Avril Haines said in an open Senate Select Committee on Intelligence that this resistance “deprived Moscow” of a quick victory. However, it remained puzzling to many cyber experts why Ukraine did not suffer massive cyber attacks in the beginning phase of the war. Current cyber conflict theory generally holds that cyber attacks are used primarily at the onset of armed conflict, to confuse, disorient, or disable an adversary in order to gain a decisive advantage and make key advances early on. This would have been invaluable to the Russian advance, especially given what has befallen it without these cyber-driven advantages. In the first days and weeks of the war, we had only foggy clues and guesses as to why the theory did not match reality. Now, however, we have a better, though still incomplete, picture of what really happened in cyberspace in those fateful days.

On March 10, Haines testified that “We are providing an enormous amount of intelligence to Ukraine.” She did not elaborate in the public session but offered to give more details during the subsequent closed-door session. The National Security Agency’s General Paul Nakasone elaborated that he attributes the defensive fortitude of Ukraine’s critical infrastructure and other computerized assets in large part due to U.S. Cyber Command’s (CYBERCOM) involvement in the early stages of Russia’s invasion. Much akin to the United States and NATO steeling the Ukrainian kinetic defense with anti-tank munitions as well as small arms, we now know the United States and its partners have, from the very beginning, been doing much the same in cyberspace. Despite these apparent early successes, Nakasone stated “We remain vigilant,” referring to the ongoing threat of Russian cyberattacks that would be more difficult to parry. So far, the Russian high command has not explicitly indicated that it perceives this aid in cyberspace as escalatory.

In that same March 10 hearing, Senator Tom Cotton (R-AR) asked Defense Intelligence Agency chief Lieutenant General Scott Berrier whether the Russians would “want a piece of us now,” after the kinetic aid continued to flow into Ukraine. Berrier and Haines responded that shoulder-mounted rockets and their like did not rise to the same level as, say, combat aircraft, because the Russians would not “perceive us as being in that conflict with them.” While it is certainly true, as President Joe Biden repeatedly reiterates, that U.S. soldiers are not fighting alongside Ukrainians in the country’s warzone, the same cannot be truly said about U.S. cyberwarriors. This would seem to indicate a difference in perceived escalatory levels across domains. According to the president and his director of national intelligence, both the Americans and the Russians would consider American troops entering Ukraine to be an escalatory step too far, while the parallel in cyberspace could be overlooked.

That is, until earlier this week when Biden released a statement warning “that the Russian Government is exploring options for potential cyberattacks.” Biden stated that “[it’s] part of Russia’s playbook” to “conduct malicious cyber activity, including as a response to the unprecedented economic costs we’ve imposed on Russia.” The president went on to caution that while his administration had worked to strengthen the nation’s cyber defenses, the federal government was incapable of protecting all of the United States’ critical infrastructure without help from the private sector that owns it. He encouraged owners and operators of these critical features to “lock their digital doors” and to heed the Cybersecurity and Infrastructure Security Agency’s (CISA) “Shields Up“ campaign. The president’s message concluded with another urgent call to harden cyber defenses in a collective effort to mitigate “one of the defining threats of our time.”

It is possible that Biden’s “significant intelligence capability,” which accurately predicted the Russian invasion, has now seen indications that the Russians do, in fact, perceive CYBERCOM’s presence in Ukrainian cyberspace the same way Haines worried they may perceive NATO blessed combat aircraft in Ukrainian airspace. If so, and the Russian brass has now decided the Americans are “in that conflict with them,” then the Russian war in Ukraine may be on the verge of surging past the embattled country’s virtual borders.

Aaron Crimmins, Esq. is a cyber strategy and governance consultant and writer based in San Diego, California. He tweets @00crims.

Image: Flickr.