Even as fighting in Ukraine intensifies around key cities, Russian forces have yet to undertake cyber activities much different from those seen years past. True, expert observations are reporting more widespread espionage, phishing campaigns, and disinformation efforts linked to established threat actors from within Russian IP space following the country’s invasion. But the cyber blitzkrieg expected by numerous pundits and commentators simply hasn’t happened.
The Sensibility of Russian Cyber Restraint
As several academics have pointed out, this lack of a lightning digital volley from Russia makes a lot of sense. It corresponds with what years of research into cyber conflict tells us about why nations build such capabilities. Cyber operations are useful for espionage and reconnaissance, sabotage, and for subversion. They are useful, in short, for shaping international affairs to create favorable conditions. What they’re not good for is coercion or for significantly enhancing battlefield effectiveness, not least because they tend to produce temporary effects.
The geopolitical and operational contexts of Russia’s war against Ukraine also explain why a cyber onslaught has not occurred. After all, if Vladimir Putin’s plan is to resurrect a defeated Ukraine as a puppet bulwark against NATO expansion, there’s little point in breaking what’s being bought. Temporary disruption of certain services might help the war effort but manufactured calamity just makes the reconstruction job of a victorious Russia that much harder. Added to that was Putin’s clear over-reliance on the conventional forces of the Russian military to achieve a quick victory. By some estimates, Russia intended Kyiv and the Ukrainian government to fall as quickly as Kabul to the Taliban in 2021. In such a scenario, the use of Russia’s most sophisticated cyber instruments would have been wasteful and expensive. That scenario did not come to pass, of course—something that just adds to our understanding of the relative irrelevance of Russian cyber activities. Clearly, the logistical mess seen in the first two weeks of the Russia-Ukraine war has made it difficult for Russia’s cyber forces to effectively augment the military’s kinetic capabilities.
A Coming “Cyberwar”? Not Likely.
In spite of Russia’s relative restraint in cyberspace, media reports and even some practitioner assessments continue to expound on the possibility of a coming “cyberwar” in which Moscow strikes back at the West for its support of Ukraine. Certainly, there is some room for concern. Russia has increasingly turned to the use of its “gray zone” capacities for disrupting Western competitors and degrading their ability to act. And yet, warnings about digital disasters to come persistently fail to place the Russian cyber threat in a strategic context, even as experts leverage astute geopolitical analysis to help make sense of current patterns.
Fears of “Cyber Pearl Harbor” or “Cyber 9/11” events in which digital actions produce devastating societal disruption are not just unrealistic; they are irresponsible. While it’s true that Russia’s cyber capabilities are immense and include assets prepositioned in Western networks, there is little strategic utility to be found in such an attack. Absent the outbreak of conventional conflict between NATO members and the Russian Federation, the truth is that cyber spectacles would be walked back in days or weeks at most. Victory in the “cyberwar” predicted by some will always be temporary and so generally not worth the effort.
What’s more likely in the near- to medium-term is that Russia will continue to seek out lateral means of disruption to address its new, more isolated state. Above the baseline, sanctions are likely to push Russia to increasingly use cyber to ease economic tensions and retaliate against specific Western political factions without fearing escalation. Just as sanctions have pushed North Korea towards cyber crime as a method of bypassing economic hurt, Russia will likely feel freer to utilize its substantial cyber capabilities in months to come. As such, businesses and societal institutions in Europe and the United States would be foolish if they did not expect, as the Cybersecurity and Infrastructure Security Agency has already warned, Russian digital antagonism to find its way into networks closer to home.
Russia’s Changing Relationship with the Web
Thinking about Russian cyber aggression beyond the next few months is where the task of expert forecasters gets exceedingly difficult. It simply isn’t fair of us to use what we know of past Russian cyber aggression to project the future in large part because we are at an inflection point with regards to Russia’s relationship with the internet. In response to Moscow’s invasion of Ukraine, companies across the West have shuttered physical locations and shut off access to services for Russians. In retaliation, the Russian government itself has taken sweeping action to nationalize withdrawing companies’ assets and ban access to certain Western social media services and information services. Significantly, the Russian government appears to be committing to broad changes in what web access within Russia will look like going forward.
Perhaps partially in response to certain web hosting firms kicking Russian businesses from their infrastructure, a document promulgated by Russia’s Ministry of Digital Development (MDD) has demanded extreme changes in how state-linked enterprises must function online. In addition to beefing up security, all online services of state-owned or -affiliated organizations must shift to Russian-based hosting options this week and remove certain code elements from site pages. Most significantly, those same services must switch to using Domain Name System (DNS) servers within Russia by week’s end.
This move by Russia is perhaps the most significant shift towards the reality of a global “splinternet”—wherein some of the Internet remains the open, decentralized space idealized by Western societies whilst other bits become closed-off spaces in which authoritarian regimes dictate the reality of information access for their citizens—in at least a decade. The DNS demand made by the MDD is particularly telling of Moscow’s intention to disconnect from Western systems and move to emulate the Chinese model of web control, replete with strong constraints on free access to data and services. Devices attempting to navigate the internet use the DNS as a digital address book, sending a request for technical information about the location of desired spaces and services to a specialized server. By locating this process entirely within Russia, Putin’s government is attempting to both prevent traffic from leaving the country and stake control over what information is presented to users as they navigate the web.
While it’s tempting to think that Russian cyber activities will simply continue to follow the pattern set by diverse efforts to spy, interfere, and disrupt Western societies over the past decade, strategic planners of all stripes would do well to consider the effects of a shuttered Russian IP space on the strategic context of future cyber engagement. At the very least, adherence to the Chinese model of internet control is likely to make the Russian government far more hostile to Western intrusions into Russian systems. Likewise, the significance of network spaces most closely connected to the Russian backbone, including in the territories of states like Ukraine and Belarus, is likely to rise as they become critical access avenues for cyber operations on both sides. And, perhaps most importantly, a successful Russian retreat from global Internet access will produce divergent norms of behavior over time. Something like cyber-enabled disinformation efforts that may be seen as a mere nuisance in Western web spaces will be seen far differently in Russian IP space, as such interference is seen to more closely threaten strategic fundamentals (i.e. control of Russian society) than the alternative.
Shifting Logics of Cyber Conflict
The future of cyber engagement with and from Russia is nowhere near as clear-cut as many pundits would suggest. Yes, Russia’s reliance on its “gray” tools of contestation seems likely to remain and even deepen. But strategic context dictates that Russian cyber aggression will be shaped by unprecedented circumstances. In the near term, the forced isolation of the Russian economy and the shape of the ongoing conflict in Ukraine will likely make lateral efforts to harass Western societies more likely than the “cyberwar” imagined by so many pundits. In the longer term, Russia’s changing relationship to the internet itself actually suggests that perhaps old ideas about the logic of cyber conflict will have to give way to a nested understanding of why countries use cyber. After all, cyber action and reaction in a world of walled-off kingdoms amidst open terrain will inevitably look different from that in a world of free movement of information.
Dr. Christopher Whyte is an assistant professor in the homeland security and emergency preparedness program in the Wilder School of Government and Public Affairs at Virginia Commonwealth University.