Russia’s invasion of Ukraine has shattered many illusions. One of them is the idea that skill in offensive cyber operations can ever be a substitute for reliable computer and information systems.
There are lessons for the United States. Cybersecurity is not about who can do the flashiest hacks but about how to keep our networks safe. This is difficult because it requires powerful interests in the government and the private sector to invest resources and make trade-offs they would rather not make. An offense-based strategy that appears “tough” hides these trade-offs while actually making U.S. cybersecurity worse.
Illusions of deterrence
Cyberwar strategists have described cyber conflict as a kind of asymmetric warfare that puts advanced societies at a strategic disadvantage. Offense is easy, while defense is hard. The United States is in a uniquely tough position. Multiple skilled adversaries—Russia, China, North Korea, Iran— are ready to attack the United States’ modern, internet-dependent society. Meanwhile, U.S. political and economic culture is hostile to the regulation and public spending that are needed to stop data breaches, protect online privacy, and make networks safe.
Enter the siren song of offensive cyber operations. If the United States can make its adversaries fear its cyber warriors, then it can take its time with upgrading government systems, protecting its critical infrastructure with voluntary frameworks instead of mandatory rules, and allowing Big Tech to continue to monetize Americans’ sensitive data. U.S. adversaries will be deterred by their fear of some massive response if they cross U.S. red lines. Defense, the story goes, is simply too hard— perhaps impossible—so why bother?
Offense has dominated the conversation for decades. President Barack Obama launched the Stuxnet attack on Iran and created United States Cyber Command. His plan for legislation to require greater protection for critical infrastructure was blocked by Congress under heavy industry pressure. President Donald Trump’s national cyber strategy sought to “preserve peace through strength” by maintaining “United States overmatch in and through cyberspace.” Cyberspace is a “domain” of warfare, the Defense Department said; the military should “defend forward” by attacking the adversary first.
Talk of cyber offense extends well beyond the Pentagon. Cybersecurity start-ups offer private companies spyware and “hacking back” as strategies for protecting their data; some in Congress have even proposed legalizing private use of cyberattacks in the guise of “active defense.” The Department of Justice touts its prosecution of foreign hackers who will never see the inside of a courtroom, while dismissing the overwhelming expert consensus against its proposals to weaken the encryption systems that protect Americans’ data.
The Bear That Didn’t Bite
Russia is among a handful of countries that can compete with the United States in offensive cyber operations. It has invested heavily in an offense-based strategy, favoring cyberattacks, promoting online disinformation, and harboring criminal ransomware gangs that attack Western targets. It has been putting this strategy into practice in Ukraine for well over a decade now, most famously with a dramatic attack that took down Ukraine’s power grid in 2015.
As predicted, Russia’s invasion of Ukraine was preceded by cyberattacks. So far, Ukrainians— with a lot of help from their friends— have not only managed to beat them back but have exposed the shocking weaknesses in Russia’s heavily offense-based cyberwar strategy.
In the hours before the invasion, Ukrainian government departments and several banks were hit by distributed denial of service (DDoS) attacks, which flood websites with requests, crashing their websites. Most websites were back within hours. Around the same time, Russian wiper malware, disguised as ransomware, tore through Ukrainian government systems, destroying data and knocking out civilian government computers that facilitate border control—forcing desperate refugees to wait for additional hours in the cold. This was arguably the first example of many far more serious war crimes committed by the Russian invaders. Quick action by Microsoft and Ukrainian cyber defenders mitigated the malware’s impact.
Russia appears to have launched cyberattacks on a European satellite communications service in an effort to take down Ukrainian military communications. The attack forced thousands of German wind turbines offline and destroyed tens of thousands of modems across Europe. The company was able to quickly restore critical services. The value of the attack was “at best limited,” according to Lennart Maschmeyer, a cybersecurity researcher at ETH Zurich in Switzerland.
Russia has also been trying to take down the Ukrainian internet. The network provider for most of Ukraine was hit twice, once the day of the invasion and again on March 9. Still, even though the company is based in Kharkiv, a city under intense Russian bombardment, its specialists have managed to quickly restore more than 70 percent of the routers that had been affected by the attack. As a result, Ukraine is winning the information war, with inspiring video clips from its president, Volodymyr Zelenskyy, scenes of its underdog military taking out Russian planes and tanks, and ordinary citizens taking up arms and helping each other. “It would be a lot harder to do all that if there was a blackout,” one cybersecurity expert told the Washington Post.
Russia’s cyberwarfare against Ukraine has been the dog that didn’t bark or, more accurately, the bear that growled but didn’t bite. Meanwhile, the Russian military has failed at basic information security. Deprived of dedicated, secure communications, it relies on insecure radios and mobile phones. After Ukraine’s telecommunications providers cut off Russian numbers, some soldiers resorted to stealing Ukrainian mobile phones. Even top commanders have been using insecure devices; one general was geolocated and killed as a result.
Why Did Their Attacks Fizzle?
So why have Russian offensive cyber operations been underwhelming, especially compared to the prewar hype? Cyberwar experts are puzzled: perhaps Russia is holding back, keeping more diabolical attacks in reserve, ready to launch if NATO becomes more involved. For others, this was a sign that cyber is a tool for the “grey zone.” As John Hultquist of Mandiant put it, once the shooting starts, “the pragmatic effects may be achieved more easily through other means.”
While there is much we don’t know, the explanation is probably much simpler. The Russians launched their attacks and are continuing to do so; they just haven’t worked. Perhaps Russians mistakenly thought they would win quickly and did not want to take down vital systems they expected to use. Maybe they are incompetent. Still, we should consider a third possibility: offensive cyber operations just aren’t that effective against a well-defended adversary.
Ukrainians didn’t just get lucky. They had long planned for this day. DDoS attacks can be thwarted with proper planning, simply be surging capacity temporarily. None of this would have been possible without years of investment in cybersecurity following Russia’s invasion of Crimea in 2014. Since then, Ukraine has focused on cybersecurity, with millions in assistance from the European Union and expert help from the United States.
Russia’s 2015 attack on Ukraine’s power grid was a wake-up call, and Ukraine woke up. For seven years, the Ukrainians—with substantial assistance from the United States and other NATO countries—have worked hard to improve their cybersecurity. Their strategy has now paid off.
Russia and Threats to Power Grids
Many experts believe that Russia can still attack civilian critical infrastructure in other countries, including the United States. “We still believe retaliation, including cyberattacks, is coming,” said Richard Clarke, who literally wrote the book on cyberwar. President Joe Biden has repeatedly warned President Vladimir Putin that the United States is prepared to respond to Russian cyberattacks on critical infrastructure. Would this be the time to bring out America’s offensive cyber capabilities?
In fact, the case for taking down Moscow’s power grid is weak, even as a deterrent. A period of heightened tension between nuclear powers calls for restraint, not retaliation. The United States is worried that any hacking—even for espionage purposes—might be misinterpreted. “Now is not the time to go poking around,” one former National Security Agency (NSA) official explained. Even if Cyber Command decided to throw caution to the wind, indiscriminate attacks on civilian networks are a war crime.
The most thoughtful cyber warriors understand that strengthening our defenses is far more valuable than deterrence through offensive operations. “That the United States has to resort to threats of retaliation” for Russian attacks is precisely the problem, according to Glenn Gerstell, former NSA general counsel. “America should already be cyber-attack proof.”
What Should We Do?
For too many years, this offense-heavy approach has been described as the tough approach—the hawkish approach—when the reality is just the opposite. Offense has been a distraction, avoiding the tough choices needed to protect U.S. computers and information networks. It is high time for a heavily defense-focused—or even defense-only—strategy.
First, the United States should prioritize fixing its networks over almost everything else, including developing cyber weapons, intelligence collection, and surveillance.
Penetrating adversary networks requires maintaining persistent access using unknown vulnerabilities—“zero-days”—which the United States has been stockpiling for years. Weaponizing zero-days has come at severe cost to the United States itself, because these vulnerabilities also exist within U.S. networks. Failing to patch them has resulted in some of the worst cyberattacks of the last decade, costing billions to remediate. Stolen NSA offensive tools were used by North Korea and by Russia in the WannaCry and NotPetya ransomware attacks of 2017.