With events developing rapidly in the Ukraine war, some of the more interesting questions revolve around what has not happened. Why did Russia think Ukraine would not seriously resist? Why did Russia not coordinate its forces better? And why did Russia not use its vaunted cyberattack capabilities against Ukraine and its Western backers?
It is possible that Russia is not as capable as we feared. However, that does not mean we should neglect better preparation and defenses.
To date in the war, cyber effects by both sides have been limited. Attackers hit Ukrainian government websites with fairly unsophisticated and short-lived distributed-denial-of-service attacks, which involve overwhelming a website with too many requests for data. Russian propaganda websites have also been on the receiving end of this method. More seriously, some ATMs in Ukraine were unable to dispense cash in the early phase of the conflict.
Beyond those methods, there have been some actions directed at U.S. satellite networks. In early March, hackers successfully targeted Viasat, an American provider of broadband internet service that connects users on the ground in Ukraine with the web by satellite. While Viasat’s CEO declined to finger the Russians specifically, the timing and target are highly suspicious. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency put out a warning on March 17 urging satellite operators to strengthen network security and lower the threshold for reporting malicious cyber activity to the government.
SpaceX, which scrambled to provide its own satellite-based Starlink internet service to Ukrainians as the war began, announced it was devoting much of its attention to defending its network from cyber-attack. Its CEO, Elon Musk, challenged Russian President Vladimir Putin “to single combat” over the fate of Ukraine. At the onset of the war, someone jammed Starlink terminals near Ukraine, prompting a software update that Musk said defeated the jamming. It may be that this initial interference was not caused by exploiting a software flaw (e.g., hacking) but by jamming a signal the old-fashioned way with an interfering radio transmission.
In the same way that Russia has performed below expectations on the physical battlefield, does the lack of shock and awe in the cyber realm mean it is less digitally threatening than we thought? A line from The Dirty Dozen comes to mind when Donald Sutherland’s character plays a general and inspects the troops: “They’re very pretty Colonel. Very pretty. But can they fight?”
Certainly, Russia has demonstrated cyber-attack capabilities in the past. The 2020 SolarWinds attack, which many experts attribute to Russia, went far beyond mere ransomware or theft of files. That sophisticated attack infiltrated a supply chain of software updates that in turn compromised the networks of tens of thousands of organizations. It took planning, surveillance, technical knowledge, social engineering, and patience.
Russia is consistently ranked among the top cyber-capable actors in the world, alongside China, Israel, North Korea, and the United States. It has developed capabilities within government, but also has a sizable cadre of private citizens with deep technical knowledge of hardware and software. These private keyboard warriors, now cut off by sanctions from high-tech careers and business opportunities in the rest of the world, are a modern form of privateer—freelancers doing damage at government request.
But despite this track record and a cyber army, is Moscow just not that good at cyberwar, whether directed against satellites or terrestrial networks?
The answer is maybe. It is still possible that Russia is holding back. Clearly, the U.S. government is worried about critical infrastructure. On March 18, the FBI warned the energy sector about network scanning activity that suggested Russia is exploring options for attacking the United States directly. If Russia has a major “zero-day” exploit, which is a vulnerability in software or a network that we do not know about, but which an adversary does, it may be hesitant to put it to use. Once used, it cannot be used again since organizations will patch vulnerable software. Furthermore, the demonstration effect from a cyberattack is not quite the same as one from a nuclear test. It may actually show the limits of one’s capabilities rather than scare the opposition.
Nonetheless, we should be cautious. Our militaries and economies are highly dependent on satellites, and we are not adequately prepared. Unfortunately, satellites, which can be thought of increasingly as flying computers, have many of the same cyber vulnerabilities as computer networks on Earth—they are just harder to repair. Until we switch to satellite software based on “zero trust” principles—in which each function and data file is off-limits except to clearly known and authorized users—and encrypt every file and function on every satellite and throughout its command and communications chain, we will be at risk.
Matt Erickson is the VP Solutions of SpiderOak, a space cybersecurity company.
Christian Whiton is a senior fellow at the Center for the National Interest.