Since the beginning of the war in Ukraine, many experts and cybersecurity agencies have issued warnings about possible Russian cyberattacks against critical infrastructure. So far, this threat has not materialized, although there have been attempted attacks. Additionally, many pro-Ukrainian and pro-Russian hacktivists and cybercriminals have aligned themselves with the warring parties. These non-state actors have engaged in indiscriminate cyber operations against organizations associated with “the enemy," including Western companies such as Nestlé. At the same time, Russia has announced that it will respond to this “cyber aggression” by the “collective West.” This begs the question of whether the cyber conflict surrounding the Russo-Ukrainian war will escalate. Moreover, is it possible that cyber operations will cross the conventional threshold and draw NATO directly into the conflict?

Escalation in Cyberspace

Escalation dynamics are often described in terms of a ladder, where certain activities either escalate up the ladder or de-escalate down it. Escalation can also widen the scope by opening up new theaters of war, for example.

Analyzing over 300 collected cyber incidents during the war in Ukraine, two things can be preliminary concluded regarding escalation in the cyber domain. First, most cyber operations seem to have occurred in the first three weeks of the war, with the tempo slowing down somewhat in early April. The majority of visible cyber operations were website defacement attacks, distributed denial of service attacks (DDoS), and hack and leak operations. However, the impact of most of these attacks has been rather limited. Most of this activity is conducted by hacktivists who go after vulnerable targets. Once this low-hanging fruit is exploited, however, cyber actors have to turn to more secure targets, which slows down operational speed.

Second, the most impactful operations occurred at the beginning of the war. Notable examples include multiple generations of wiperware being used to delete files in Ukrainian government systems and the hacking of satellite communication modems in Eastern Europe. These attacks were likely conducted by Russian intelligence agencies. This fits with the operational cycle typically seen when cyber operations require preparation time; once initial access vectors are uncovered or vulnerabilities are patched, attackers need to find new ways to get in. It is likely that Russian hackers burned some of their pre-prepared access by triggering the wipers and now need to establish new attack vectors. This aligns with observations that, since mid-March, there has been an increase in Russian phishing and command and control server activity, as well as a rise in efforts to set up new attack infrastructure.

So far, the Russo-Ukrainian cyberwar generally appears to be “business as usual” for Ukraine, which has been dubbed as a testing lab for cyberwarfare in the past. While the frequency of cyber operations appears to be higher than before Russia’s invasion, the scale of the operations’ impact has been limited. However, this could change once a new phase of the war begins. For example, on April 12, it was reported that a cyberattack against electrical substations in Ukraine was foiled. As this war has no end in sight, more attacks are likely to come.

Cross-Domain Escalation

The question of whether a cyberattack against a NATO country could lead to cross-domain escalation and draw the alliance into a conventional conflict is more difficult to answer. The general consensus among experts is that cyber operations are imperfect tools for escalation in general. Although not impossible, it is time and resource-intensive to achieve conventional effects with cyber operations, making it challenging to escalate into the conventional domain through cyberattacks. Cyber operations have less destructive potential, immediate impact, and certainty of operational success than conventional attacks. At the same time, they demand longer preparation times and entail the risk of uncontrollable collateral damage. This helps explain why cyber operations rarely cross the conventional threshold. Moreover, some suggest that cyber operations can provide an offramp by giving decisionmakers alternatives to conventional force.

However, there are gaps in these arguments that must be considered—particularly given the likely consequences of any escalation. First, there are almost no available case studies in the context of a conventional ground war, and escalation dynamics may become stronger when the gloves come off in times of war.

Second, cyber activity can be particularly destabilizing in an acute crisis. The interconnected yet opaque nature of cyberspace increases complexity and makes miscalculations more likely. This complexity is particularly glaring when considering cross-dimensional deterrence and the threat of cyber operations disabling strategic nuclear deterrents.

Lastly, while most analyses concentrate on rational state actors that restrain their cyber activities, more severe dynamics could emerge in the context of unrestrained hacktivist activity or a leader like Putin adopting the “madman theory” of diplomacy. 

Preliminary Lessons From the War

The Russo-Ukrainian is a tragedy, but it offers valuable lessons on cyber escalation dynamics during a conventional war. First, conventional operations appear more effective than cyber operations for achieving various tactical goals. Russia does not necessarily need to shut down the power grid with cyber attacks, as its forces were able to gain physical control over nuclear power plants and destroy relay stations from the air. With this in mind, the inherent challenges of using cyberattacks make them an imperfect tool for escalation.

Second, the scope of escalation is currently focused on Ukraine, but Russia is also probing NATO countries’ infrastructure. For instance, the aforementioned wiperware attack on KA-SAT satellites disabled almost 6,000 wind turbine modems in Europe, and NATO countries have faced low-intensity attacks and probes of their critical infrastructure.

While some argue that Putin might unleash more destructive attacks if he has his back against the wall, others counter that states will restrain their cyber activities because of mutual interdependence and vulnerability. Numerous hack and leak operations show that Russia is indeed vulnerable to cyber attacks.

In addition, more destructive attacks against NATO members would likely entail high costs for Russia. In an effort to establish deterrence against highly destructive cyberattacks, NATO declared in 2014 that it could respond to cyberattacks that cross the conventional threshold, either in kind or through conventional means. Regarding the war in Ukraine, this means a destructive cyberattack could lead to cross-domain escalation, pushing NATO into the conflict and increasing the risk of nuclear escalation. Currently, there are signs—particularly the lack of high-level cyberattacks—that the United States and Russia are trying to avoid this. If this remains the case, it is likely that cyberattacks against NATO countries will continue, but that they will stay below the conventional threshold.

The Hacktivist Wild Card

A separate, vital question is whether hacktivists will also restrain their activities in order to avoid provoking unintended cyber escalation. There is no way to know, but they have acted largely without restraint since the war began. Russian hacktivists have targeted Ukrainian critical infrastructure as well as Western countries deemed complicit in supporting Ukraine. Unlike military or intelligence agencies, vigilante collectives don’t have targeting processes that anticipate second-order effects and the potential political implications of their activities.

While hacktivist cyberattacks tend to be less destructive, even a smart teenage hacker could potentially cause enough damage to trigger an escalation dynamic. In addition, the globally distributed nature of hacker collectives is a key factor that raises the risk of escalation. If, for example, hacktivists operating from NATO countries are not careful in hiding their digital footprints, they might implicate Western governments in their hacks. Russia has already declared its intention to respond to the “collective cyber aggression by the West” with all legal means, which could lead to more cyberattacks against the West by Russian state entities or state-aligned proxies.

As the conventional dimension of war plays such an important role, it stands to reason that if escalation dynamics emerge, they will likely unfold in the conventional domain. Non-cyber measures, such as harsher sanctions or the delivery of heavy weapons to Ukraine, will likely have a greater impact on policymakers’ decisions regarding escalation. Still, the risk cannot be dismissed, and policymakers must be wary of the possibility of escalation when making decisions in cyberspace.

Dr. Matthias Schulze is the deputy head of the security division at the German Institute for International and Security Affairs (SWP). He also runs percepticon.de blog and podcast on cybersecurity issues.

Image: U.S. Air Force/Flickr