Two months after Russia invaded Ukraine, we are beginning to understand the role of cyber in Europe’s largest land war since World War II. While there have been some initial surprises, Ukraine and the United States are settling into a posture focused on limiting Russia’s digital operations inside the warzone and preventing it from escalating cyberattacks internationally. Russia, on the other hand, is trying to get off its heels tactically, reassert itself as a force to be feared, and keep global leaders guessing about its capabilities and intentions.
Many, including myself, thought a conflict in Ukraine would begin with extensive Russian cyberattacks against Kiev's military command and control, air defense, civilian communications, and critical infrastructure networks. The rationale was that these operations provide significant military advantages, fall well within Russia’s demonstrated cyber capabilities, and pose little risk to the attacker. While the early hours of the invasion did include a hack of U.S. satellite communications provider Viasat and limited “wiperware” and distributed denial of service (DDoS) attacks, the anticipated cyber onslaught did not materialize.
Having learned more since the invasion began, we can now see three primary reasons why events unfolded as they did.
First, Moscow seems to have made a strategic choice not to employ large-scale, destructive code in order to control escalation. While Russian hackers have previously used attacks like the NotPetya worm in Ukraine, the fact that this attack eventually spread across the globe and caused at least $10 billion in damages—including inside Russia—likely convinced Putin not to use similar attacks in this context. This was assuredly the right decision, considering that NATO is already nervous about cyber threats and it is unclear if a large-scale cyberattack that spread to one of its members would trigger the alliance’s Article V commitment to mutual defense.
Second, Russia may have left Ukraine’s critical infrastructure unmolested because its military needed it. The ability to deploy secure, tactical communications is a fundamental capability of modern combat. Yet Russia has utterly failed to do this at the necessary scale in Ukraine. Instead, the Russian military has frequently used commercial radios and civilian telecommunications that have been easily intercepted and exploited. While surprising from a military capability perspective, this dependency would explain the lack of offensive cyber operations against communications networks.
Similarly, critical infrastructure may not have been targeted because Russian forces assumed they would quickly achieve a decisive victory and that insulating vital services like water and electricity would be essential for reestablishing order and preventing significant civilian opposition. This too, while wildly optimistic, helps to explain why these sectors have not been taken offline.
Finally, Russia did try conducting other cyberattacks, but they were successfully repelled. Just last week, Gen. Paul Nakasone, Commander of U.S. Cyber Command (USCYBERCOM), testified to Congress that so-called “hunt forward” teams deployed to Eastern Europe in December of last year were working with Ukraine to harden its networks and evict Russian hackers. These teams remain in theater and have been engaged in online hand-to-hand combat with Moscow’s blackhat hackers ever since.
And this leads us to the current state of play, where operators on all sides are now circling each other, constantly matching and countering one another’s cyber moves.
Last week, for example, the Department of Justice disclosed that the Federal Bureau of Investigation (FBI) had secretly removed Russian malware from computer networks around the world, including from some networks owned by American companies without their permission. The FBI took similar actions last year and appears poised to do so again, reasoning that these threats are too significant to let responses wait on slow or uneven efforts from the private sector.
The Biden administration has also issued a warning to commercial owners of critical infrastructure, asking them to redouble their defenses against threats like ransomware, with the president saying, “We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”
The U.S. government is also cracking down on Russian-backed non-state hackers such as the various ransomware syndicates operating within Russia’s borders. In the weeks before and since the invasion of Ukraine, USCYBERCOM and the FBI have dismantled much of these groups’ technical infrastructure, cut off and even reclaimed some of their cryptocurrency funding, and indicted key members.
But it is not just the government that is engaged in this fight. Microsoft, Google, Facebook, and other private companies are also actively working against Russian cyberattacks, removing destructive software, blocking propaganda, and helping Ukrainian users secure their data.
These and other efforts make one thing very clear: securing the U.S. homeland—as well as American allies and partners—from malicious cyberattacks requires sustained, multi-dimensional operations that will only be successful if they are done in partnership with the private sector. Anything less will result in failure.
Russia, for its part, remains dangerous and is far from out of the game. The Office of the Director of National Intelligence, for example, says Russia remains a “top cyber threat” that is “particularly focused on improving its ability to target critical infrastructure.” While its military operations in Ukraine have exposed many previously hidden weaknesses, its cyber capabilities are formidable and well-demonstrated, and Putin’s online strategy is being driven by political calculations, not by a lack of capacity.
In summary, it would be a mistake to conclude that the conflict in Ukraine undermines the notion that cyber operations are a critical part of modern warfare that pose a serious threat to international peace. In fact, other global challengers like China are likely observing Russia’s failures and concluding that the lack of decisive digital attacks has been a key variable in Moscow’s losses.
Putin himself may soon conclude that large-scale, disruptive cyberattacks in the United States or elsewhere are the best way to reassert himself, intimidate his foes, and regain the advantage. This would be a costly miscalculation on his part, but it would not be his first.
Klon Kitchen (@klonkitchen) is a resident fellow at the American Enterprise Institute. He is also the former national security adviser to Senator Ben Sasse and a fifteen-year veteran of the U.S. intelligence community.