A Russian Cyber War in Ukraine Was a Fantasy
For all the cyber activity, Russia’s vaunted “hybrid operations” were not employed in the initial fighting between Russia and Ukraine.
Despite an initial series of disruptive denial of service (DDoS) attacks on Ukrainian sites and malware launched at government servers, Russia’s invasion of Ukraine opened with special operations, missile strikes, and probing attacks. There was no cyber fait accompli that wiped out Ukraine’s ability to defend itself. Russia’s inability to ensure secure communications, gain air superiority, and supply its forces exhibited a rather perplexing failure to leverage the expected tools of modern warfare, including cyber operations and electronic warfare, during an all-out war.
There are three explanations for the subdued role of cyber operations in the Russian-Ukrainian war to date: Ukrainian defensive operations, the inflation of Russian capabilities, and external pre-emption. All three reinforce key recommendations in the U.S. Cyberspace Solarium Commission report, which demonstrates the need for a clear grasp of cyber strategy and public-private collaboration to ensure state security during conflicts.
First, the lack of catastrophic cyber events during the early stages of the war might be a result of Ukrainian defensive operations, including the country’s historical collaboration between the public and private sectors. Russia consistently leveraged cyber operations against Ukraine during the years leading up to the current war. Moscow combined propaganda with proxy actions, disruptive cyber operations, and fifth column activity in an attempt to destabilize Kyiv.
However, for all the cyber activity, Russia’s vaunted “hybrid operations” were not employed in the initial fighting between Russia and Ukraine. Visions of success were fleeting and exhibited the fantastical relationship observers have with technology and modern warfare. Russian active measures, long thought to be decisive, failed to position Russia to win the information war. International society swiftly condemned Russia and attempted to cut the country off from international services and communications, following the war from the Ukrainian perspective on YouTube, Twitter, TikTok, and Telegram instead.
Ukraine began developing a national cyber strategy in 2021 and reached out to Solarium Commission staff for support. Some of the recommendations in the Solarium Commission’s report appear to have been taken to heart by Ukraine. Notably, Ukraine has protected the continuity of the economy and the presidency by backing up key data and services, a move that demonstrates the importance of ensuring the continuity of operations during disasters. Properly layering defenses and ensuring the continuity of operations despite attacks is critical to mission success in modern warfare. Maintaining communications with the outside world during the war is a victory for Ukraine.
Second, there is a tendency to hype up abstract threats. Despite the perceived success of past operations, including Russia’s 2016 election interference campaign and the SolarWinds attack, evidence of the impact of cyber operations has been sorely lacking. Russian cyber operations tend to focus on low-cost disruption efforts that demonstrate a reliance on criminal hackers and cyber patriots more than an ability to carry out sophisticated degradation campaigns.
The logic of large-scale cyber action for battlefield effect is lacking. The feared cyber first-strike capable of producing a fait accompli was not seen in the Russian invasion. A fait accompli is a move typically associated with the seizure of territory, yet this restrictive framing only marginalizes the idea to a small subset of territorial disputes. Instead, a better frame associated with the true meaning of the word would be an action taken where the opposition has little choice but to accept the results.
Wiping out the opposition’s ability to plan, communicate, and control its weapons systems is the dream of many cybersecurity prognosticators. Despite little evidence for the coercive impact of cyber operations, the response is typically that a real war will allow cyber capabilities to shine. That the war in Ukraine has only resulted in more of the same—disruptive operations and the use of proxy actors—illustrates a serious limitation for the scholars of the cyber revolution who bought into the hype.
Finally, cybersecurity is a multi-stakeholder domain where third-party intervention is the norm. It is not just other states that might disrupt cyber operations by acting preemptively. Private sector networks are constantly being surveilled and updated by leading firms like Microsoft, a phenomenon that was seen in Ukraine as proactive moves forestalled more impactful operations. There is also a global network of activists ready to hack for Ukraine and identify potential vulnerabilities in Russia.
There is a clear need to think about cyber strategy in terms of layered deterrence and efforts to incentivize public-private collaboration in order to secure critical networks. The Biden administration and many critical states in the international system have not yet articulated a strategy for cyber operations as a source of national power. Clearly stating what actions are allowed and discouraged is important to direct the flow of action in the cyber domain. Including requirements for incident reporting and building open data sources that track cyber incidents are national priorities. Otherwise, we are operating without evidence in a space where fictions like a cyber fait accompli tend to be dominant.
That many are surprised by the evident lack of outright cyber war at the onset of Russia’s invasion of Ukraine reveals a critical lack of awareness of the course of modern warfare. In cyberspace, political warfare dominates, and disruptive incidents take precedence because they can harm the stability of the state and the trust that citizens have in government. What happened during the invasion of Ukraine should be surprising to no one. It merely underscored the continued prevalence of low-level cyber operations that fail to have a strategic impact.
Brandon Valeriano is a Senior Fellow at the Cato Institute and a Distinguished Senior Fellow at the Marine Corps University.
Benjamin Jensen is a professor of strategic studies at the School of Advanced Warfighting at the Marine Corps University and a Senior Fellow for Future War, Gaming and Strategy at the Center for Strategic and International Studies (CSIS). Together they wrote Cyber Strategy: The Evolving Character of Power and Coercion for Oxford University Press with Ryan Maness and served on the Cyberspace Solarium Commission.