Background

Almost a year ago as of this writing, the Russian state initiated a new and astoundingly brutal campaign against Ukraine. While Russia had effectively been at war with Ukraine since not long after the Revolution of Dignity, late February 2022 initiated a far wider, nastier, and more inhumane phase of this long-running conflict.

During most of the period between 2014 and 2022, outside of low-level (but still nasty) conflict in Donetsk and Luhansk, much of the war (at least in western awareness) moved to the information realm. Among other items, Russian government actors or proxies launched disruptive operations against Ukrainian government entities, elections, media, critical infrastructure, and civil society. Based on this (potentially myopic) view of events, many looked at Russia’s operations in Ukraine as a “testing ground” for asymmetric and information-centric capabilities – tying into the old (and discredited) trope of the “Gerasimov Doctrine.”

From these assumptions – of Russian information warfare activities and a “free hand” in executing such capabilities in Ukraine – many Western “thought leaders” anticipated significant cyber components to the renewed conflict as the new phase of Russia’s invasion edged closer. After nearly a year in this new and brutal phase of the long-running conflict, we can provisionally assess where these experts (and their detractors) were right, and where they have erred.

First: Perspective

Discussions of “cyber warfare” and “information operations” are fun and interesting, but each and every person engaging in such discussion (including this one) must recognize something first: people are dying right now in this conflict we are discussing from the comfort of our homes or offices.

While researchers and analysts should, for various reasons, examine the entire span of Russia’s invasion of Ukraine, as there are many lessons to learn about the entities involved as well as the evolution of conflict more generally, all of that should be tempered with a bit of humility and sadness. From late February 2022 to early January 2023, the United Nations recorded nearly 18,000 Ukrainian civilians killed and over 11,000 injured.

Ukrainians, in addition to dying on the battlefield, are dying in their homes, schools, and offices as well due to a horrific, indiscriminate, and illegal campaign by Russia’s military and national command authority. Ukrainian workers and engineers, while laboring to restore the country’s critical infrastructure from deliberate destruction, are dying in the field while trying to maintain some semblance of modernity for their fellows. The conflict has resulted in the largest dislocation of persons in Europe since the Second World War.

We will proceed with a discussion of cyber scenarios in subsequent sections – but will do so while keeping in mind the above. Perhaps some value will come from our academic discussion of issues involved in or surrounding this conflict, but ghoulish focus on such matters while avoiding or ignoring the humanitarian tragedy that has given them birth is immoral and disgusting.

Second: Complexity

Combined arms operations are hard. Fusing multiple capabilities, decision-makers, and perspectives on a given battlespace is not easy – if it were, everyone would be doing it, and conflict would be significantly “easier” for belligerents than it is at present. Volumes exist documenting the physical failures in combined arms operations on the part of Russia’s military in the past year. While Russia has been uniquely and savagely efficient in creating terror and suffering for Ukrainian civilians, Russia’s vaunted armed forces have been significantly less successful in achieving tangible military objectives.

Based on the above, we should not be surprised at an overall incohesive nature behind Russia’s attempts to fuse cyber and information operations with more traditional military action. Initial phases of the conflict, such as the attempted disruption of satellite communications and pre-conflict attempts to create disorder in Ukrainian society, telegraphed a desire to leverage cyber as a possible “force multiplier” for kinetic actions. Subsequent events, consisting (at least publicly) of a seemingly endless sequence of wipers and the failed Industroyer2 electric sector event, appear disjointed, at best modestly effective, and uncoordinated – on the battlefield. Yet in uncontested, civilian-focused space, Russian command authorities appear to be quite willing and capable of combining kinetic strikes with cyber disruption on critical infrastructure.

We thus have a dichotomy: cyber operations are very difficult to integrate into conventional military operations (at least given all the evidence available at this time), yet continue to function as a weapon of terror (along with conventional items such as missiles and artillery) against civilian populations. The former, where efforts would likely prove valuable and beneficial to battlefield success, has essentially been nonexistent, while the latter, consisting of war crimes and terror campaigns, has been frequent and (unfortunately) quite successful. From this, we can reach a provisional conclusion that cyber operations are difficult to integrate into more classic military operations, and that this difficulty, along with Russia’s other struggles, has prompted this terror state’s decision-makers to divert their capabilities to softer, more permissive targets.

Yet we should not immediately look at this as a “Russia-centric” problem, or a display of unique incompetence. Rather, those wishing to learn from this horrific event should place what has been observed to date in the context of historical activity. Essentially, no one (to date and to anyone’s public knowledge) has successfully fused cyber operations with kinetic military action. For every debunked story about viruses taking down air defense systems or alleged attempts to do so, actual cyber operations (such as the CAUI EXORD linked to the US “War on Terror,” or the subsequent GLOWING SYMPHONY operation), while perhaps demonstrating some immediate tactical utility, have done little to move the needle for the broader success of the conflicts in which they were used.

There are multiple points of operational “friction” that emerge when attempting to apply cyber effects to physical conflict. In physical conflict, events develop quickly and can rapidly diverge from expected outcomes, requiring a significant degree of flexibility. For cyber operations, meanwhile, prerequisites in terms of access and effects development may make this field, for all its presumed dynamic nature, significantly harder to operationalize. As noted by Max Smeets and James McGhee, cyber command, control, and execution remain hard problems, especially when coordinated with dynamic situations occurring on the battlefield, given the prerequisites of having capabilities and the access necessary to deploy them.

Some might argue that the above presents bureaucratic, but not technical, hurdles to cyber operations contributing to physical effects. While there may be a wealth of covert, clandestine, or similar actions (under PPD-20 and Title 50 authorities from the US perspective), these also carry a degree of risk and difficulty. For example, an effort can be so secretive and “silent” that its efficacy is undermined as a result – essentially, a problem or failure is written off to “gremlins” or natural failure instead of some deliberate assault. On the other hand, an event can be successful but in doing so announce its presence (and capabilities), as observed with the Stuxnet event. From an adversary’s perspective, they face a potential dilemma: events so secretive that they ultimately go unnoticed, or events that succeed but in the process “burn” capabilities and accesses that cannot be used again.

From this perspective, complexity emerges from a different sector – the difficulty in balancing immediate operational needs with longer-term intelligence collection and strategic priorities. Perhaps this is why, after multiple published articles on the failures of Industroyer and nearly five years to prepare for a follow-on, Industroyer2 represented a significant step back in ambition and capability (even if it did manage to correct its malfunctioning IEC-104 communication capability). Meanwhile, a host of other entities linked to or hired by the Russian state continue to engage in research and capability development for industrial environments – yet none of these capabilities (except for Triton) appears to have ever been used since 2016.

In this sense, Russia may have erred on the side of caution in not leveraging especially novel or “interesting” capabilities in its renewed invasion of Ukraine, because of a combination of not wanting to disclose such items to watching researchers and governments, and because kinetic strikes on all types of Ukrainian targets and infrastructure are viewed as acceptable. Why bother with a secretive, complex cyber impact on Ukrainian infrastructure that US or other entities would likely observe and reverse engineer, when a repurposed Kalibr missile will work fine?

Third: The Private Sector

A continuing claim made by many analysts (although not publicly, for ‘reasons’) is that Ukraine’s digital survival hinges on the capabilities and charity of private sector organizations such as Microsoft and ESET. That these organizations, among many others, have worked diligently to support Ukraine’s cyberdefense posture is undeniable, and Ukraine should feel no shame whatsoever for leveraging any and all capabilities offered to them or at their disposal.

But there is also a wider point to this commercial quasi-intervention in an active conflict. There are certainly Law of Armed Conflict (LOAC) concerns for private organizations inserting themselves into an ongoing war, but this is a far deeper and more philosophical discussion than what I wish to develop in this article. There is a much more immediately relevant discussion, though, around how private sector, multinational entities respond to (and potentially intervene in) inter-state conflicts.

To put this very bluntly: the United States (and for that matter most of the rest of “The West”) would be completely screwed if, in the event of conflict, all private sector entities stood aside saying they cannot take a position in an active conflict. While the US, UK, France, Netherlands, and others may possess non-trivial cyber capabilities for espionage and offensive operations, defending myriad civilian networks (almost all in private hands and management) and other technologies necessary for the continuation of “modern life” is a tall order. 

As a result, any state entering a future conflict that may have a cyber component (even if only limited to unsexy techniques such as denial of service and wipers) will find itself in a very awkward (and likely untenable) position unless it has active cooperation from tech and infosec corporations. While governments are largely directing and controlling the field of offensive operations (more on that in a bit), the software, networks, and ecosystems in which they operate are dominated by commercial entities: Microsoft, Amazon, Lumen, and various other organizations both large and small. While such organizations may think they can avoid entanglement in conflict, and governments may assume they can avoid seeking support from commercial entities in war, the realities as expressed by the resumed invasion of Ukraine indicate differently.

But matters do not stop there. Offensive capability development (and potentially even deployment) is increasingly democratized to a variety of organizations beyond the GRUs, SBUs, and NSAs of the world. Various organizations – consisting of a variety of contractors and defense-associated “hangers-on” – are increasingly relied upon to contribute tools, expertise, and at times even bodies to support cyber operations. As documented with respect to XENOTIME, various non-state or non-military entities already exist supporting cyber tool development and potential operations – and the same is reflected across western governments including the US. A simple drive looking at the signs on office towers along the I-95 and related corridors through northern Virginia and southern Maryland will establish this point, as a number of entities, either known or obscure, have basically made a sustainable business out of supporting US intelligence (and related) operations.

At this stage of cyber operations, any state entity thinking they can simply remove themselves from or operate independently of commercial, private sector interests is living a fantasy. Whether it is Russian authorities leveraging private research and tool development shops for capabilities or Ukraine using western security firms to bolster defenses, the scope and reach of non-state organizations in cyber operations is vast and – arguably – insurmountable. A US or other western government thinking it could engage in cyber operations (offensive or defensive) without the support (tacit or direct) of the companies producing the software or controlling the networks involved would be delusional.

Determining the manner in which commercial entities become involved in cyber operations – either defensive or potentially offensive – remains an unexplored and interesting point. But that such organizations will need to be engaged (willingly or otherwise) should be beyond a doubt now given what we have observed over the past year. States may continue to have a monopoly on legitimized violence, but in the scope of cyber operations such violence will be severely circumscribed without the cooperation or involvement of non-state entities.

Conclusions

The long-running war in Ukraine entered a new, deadly, and depressing phase when Russia engaged in a full invasion of the country in late February 2022. The costs to the Ukrainian people have been immense, and continue to rise as the criminal regime in Moscow, unable to press forward militarily, engages in callous, inhumane revenge attacks against civilians.

Concomitant with these horrific events, a steady drumbeat of cyber operations has taken place. In examining these events, we see a variety of items that shed light on trend lines otherwise obscured in cyber operations more broadly: how they are difficult to coordinate with kinetic operations, the overall utility of such actions when kinetic strikes are possible, and how non-government entities can enter into the fray as force-multipliers (or potentially deniers).

Overall, while we cannot and should not look away from the suffering of the Ukrainian people, this conflict provides numerous lessons for how cyber operations can (and cannot) be integrated into larger wartime plans. At present, the Russian record is decidedly mixed – certainly involved, but without decisive effect. But we should be cautious in chalking such failure up to Russian-specific incompetence – rather, we should be humble in understanding that no one has yet figured out precisely how and where “cyber” fits into traditional military operations. Perhaps later phases of this conflict will provide counter-examples, but for now cyber’s ability to provide decisive effects on the actual battlefield appears ephemeral and fictitious, even if such capabilities are able to amplify civilian suffering.


4 Comments

A year after Russia’s invasion, the scope of cyberwar in Ukraine comes into focus | CyberScoop · 02/24/2023 at 10:18

[…] arms operations are hard,” the analyst Joe Slowik observed in his examination of the past year’s cyberoperations in Ukraine. “We should not be surprised at an overall incohesive nature behind Russia’s […]