Pages

19 October 2022

Why Cyber Dogs Have Yet to Bark Loudly in Russia’s Invasion of Ukraine

Nadiya Kostyuk, Erik Gartzke

As Russia’s massive armored buildup on the Ukrainian border became apparent in the fall of 2021, pundits began to offer contrasting predictions about the likely role that cyber war would play in any escalation of the crisis.1 These disparate claims mirror a larger ongoing debate about whether cyber war is more likely to supplant or exacerbate traditional modes of warfare in the 21st century. Specifically, advocates of the theory that cyber operations will increasingly substitute for conventional conflict argue that cyber conflict today and in the future could achieve what tanks did in the 20th century.2 Advocates of a competing theory argue that cyber operations will tend to coincide with, rather than replace, any significant use of military force.

While Russia has conducted some cyber operations in Ukraine, both in the lead-up to and after the February invasion, these have neither supplanted nor significantly supplemented conventional combat activities. Given Russia’s highly sophisticated cyber capabilities and its long-term presence in Ukrainian networks,3 why has it failed to utilize such apparently potent tools in seeking strategic or tactical advantages?

The answer to this perplexing question can be gleaned from a more systematic empirical assessment of cyber conflict. In a recent study, we examined whether cyber operations mostly serve as complements to, or substitutes for, conventional conflict, or whether the two forms of conflict more often occur independently.4 Our statistical analysis of global conventional military campaigns over an 11-year period suggests that, with a few notable exceptions, cyber operations are rarely used as either complements to or substitutes for conventional military operations. Instead, countries tend most often to use these two types of operations independently of one another, due to both the difficulty of coordinating them and the different political purposes served by the two modes of conflict. Ultimately, our results show that, while cyber operations are far more likely to be used independently of conventional warfare than as a direct substitute for or complement to it, there is an indirect link between cyber and conventional conflict: The more access a country has to the internet, the more likely it will be involved in cyber conflict, whether as the target or the aggressor. We call this effect “indirect substitution.”

In this article, we apply our more general argument to explain Russia’s limited cyber efforts in Ukraine. We start by discussing the most prevalent theories regarding a direct relationship between cyber and military operations, including a summary of our own research. We then go on to explain the theory of indirect substitution. Next, we apply these theories to explain Russia’s cyber efforts in Ukraine. Then, we refute a number of alternative explanations for Russia’s limited visible cyber efforts in Ukraine. Finally, we conclude with some lessons for future conflicts.
Existing and Proposed Theories of the Relationship Between Cyber and Conventional Conflict

Direct Links Between Cyber and Military Operations

Existing theories of cyber conflict posit one of several possible direct links between cyber and conventional modes of combat. Most commonly, cyber conflict is viewed as either a direct substitute for or a complement to conventional conflict.5

Cyber Conflict as a Substitute

Advocates of the substitution theory argue that states should be able to use cyber operations to degrade or destroy enemy capabilities in peacetime, rather than being forced to initiate and engage in costly conflicts in the physical world.6 By doing so, leaders can deny responsibility for damaging and invasive operations, lowering the prospect of incurring harmful retaliation from the target and limiting blowback at home.7

There are, indeed, cyber operations aimed at disruption and degradation that can serve as strategic substitutes for military operations. For instance, the Stuxnet worm — an allegedly joint operation between the United States and Israel — targeted an Iranian nuclear enrichment facility to slow down the country’s development of a nuclear weapon.8 These governments strategically used Stuxnet as a substitute for a more escalatory military option: Israeli air strikes.9 As an alternative to full-scale war, the U.S. government also developed a comprehensive cyber-attack plan called Nitro Zeus to disrupt and degrade vital systems of Iran’s infrastructure.10

Cyber Conflict as a Complement

On the other hand, advocates of the complementarity theory argue that governments can use cyber operations during combat to affect the balance of military power.11 In other words, they claim that cyber operations can exploit a target’s unrecognized vulnerabilities, allowing attackers to disrupt an opponent’s command and control, hindering communication and creating obstacles to the opponent’s ability to sustain military operations.

Disruption and degradation operations might be useful complementary tools of combat because they focus on degrading an enemy’s command and control. Specifically, actors can use cyber operations to disrupt early-detection radar sites, allowing their military to approach undetected, or they can use cyber operations to disrupt command-and-control systems, making military operations more efficient and effective. Actors can also seek to flood their opponent’s cellular phone systems with calls and text messages to prevent these systems from being used for effective communication on the battlefield.12 Additionally, they can use malicious code to damage or compromise military infrastructure, making it ineffective and thereby disrupting battlefield command and control.

By contrast, information operations do not directly affect the battlefield, but can nevertheless indirectly influence military operations by undermining an adversary’s support base and shaping perceptions of events. For instance, Russian government-sponsored hackers extensively used cyber and information operations to complement Kremlin military operations during its 2008 war in Georgia.13 Weeks before the Russian invasion, several Georgian governmental websites were either taken down or displayed pro-Kremlin propaganda. During the five-day war, key sections of Georgia’s internet servers were under the external control of Russian hackers.14 These actions, deployed in conjunction with tactics used in military operations, aimed to make Russia’s victory swift and decisive.15

Cyber Conflict as an Independent Tool

Outside the realm of cyber operations, there are abundant examples of various warfare technologies being used to complement and substitute for more traditional operations. For instance, during Operation Desert Storm — the U.S.-led campaign to recapture Kuwait in response to the Iraqi invasion — strikes by Apache attack helicopters were used as both a substitute for and complement to more traditional bombing runs by fixed-wing aircraft, which retain the relative strengths of greater range and payload. Apache helicopters carried out “surgical” attacks that disabled Iraqi early-warning radar sites, allowing coalition fixed-wing aircraft to approach Iraqi targets undetected and minimizing “collateral damage.” It is thus not unreasonable to imagine that the increasing potential for harm through virtual conflict could enhance or replace more traditional modes of political aggression and defense.

However, despite scattered individual instances of substitution and/or complementarity, pundits’ predictions on this score have largely not come to pass. In a recent study, we examined whether cyber operations mostly serve as complements to, or substitutes for, conventional conflict, or whether the two forms of conflict are more often exercised independently.16 Our statistical analysis of global conventional military and cyber campaigns conducted by rivals between 2000 and 2010 suggests that cyber operations are generally not being used as either complements to or substitutes for conventional military operations.17 Instead, countries tend most often to use these two types of operations independently from each other, due both to the difficulty of coordinating these modes of conflict and to the different strategic goals of each mode. For these reasons, our findings suggest, we have yet to witness the systematic use of cyber operations in a manner that is clearly coordinated and designed either to supplant or to further the traditional physical means and ends of conventional battle.

Tactically, force synchronization is difficult to achieve across domains. To execute an attack, an actor needs to find an exploitable vulnerability in a system or network. Given that this process takes significant time, it becomes quite difficult to coordinate its development with what is happening on the ground, making its use as a complement to traditional warfare challenging.18 In addition, substitution is difficult to achieve because the different domains (cyber and conventional) are each better suited to achieving distinct objectives. Cyber operations are most effective in pursuing informational goals, such as gathering intelligence, stealing technology, swaying public opinion, or winning diplomatic debates. In contrast, a nation that covets a neighbor’s territory, seeks to plunder natural resources, wishes to hobble an enemy’s military capabilities, or intends to terrorize a population or replace a political regime must still physically cross an adversary’s borders in order to conquer or compel.

Given the difficulties of coordination and the lack of fungibility between actions and effects across domains, we argue — and report systematic evidence19 — that cyber and conventional military operations operate largely independently, at least for now. As armies become better at synchronizing conflict across domains (i.e., multi-domain combat), cyber and traditional military operations may start to operate more as complements to one another in shaping battlefield dynamics.

The Indirect Link: Theory of Indirect Substitution

Though our research indicates that, for the time being, cyber warfare is more likely to be deployed independently from, rather than as a substitute for or complement to conventional warfare, it also indicates that a country’s increased internet access is likely to lead to more cyber conflicts and less conventional conflict behavior. We label this effect “indirect substitution.” This happens as a result of the following two circumstances.

First, cyberspace as a domain facilitates “useful” forms of international conflict. While information has been the focus of considerable attention and concern in warfare for centuries,20 it became especially critical in the information age. Cyberspace is an environment in which adversaries seek out information about one another. Everyone is spying on everyone else, to discover intentions, to acquire knowledge, or to shape beliefs and thus behaviors. China has stolen both military and civilian industrial technology from the West through cyber operations.21 Russia has used cyber operations to seek to influence the domestic politics of target nations.22 The United States and perhaps Israel have used cyber attacks to counter Iranian efforts at nuclear proliferation.23 In each case, the virtual domain was an extremely attractive space in which to operate, given these actors’ objectives. While spies could have used physical means to obtain sensitive technologies or coerce opponents, these methods are costlier, riskier, and more difficult to conceal than cyber operations. Specifically, the bulk of traditional conventional military operations are not subtle, causing collateral or environmental damage and leaving an attacker open to international condemnation and possible retribution. As a result, cyber operations can be cheaper and more attractive than conventional tools of conflict, allowing an attacker to rebalance power anonymously.24

Second, traditional conflict domains are no longer adequate to achieve some of modern competitors’ most important aims, which have shifted from acquiring land to acquiring information. For much of history, more land meant more wealth, which translated into the productive and destructive capacity of states. Today, much more of this capacity rests with human and financial capital. This transition in the motivation of states to pursue different aims has begun to transform international conflict. With the decline in the value of territory as a means of achieving wealth and power, the utility of conventional force has also declined, at least in its most traditional forms. The global spread of the internet has increased the need to acquire and control information. Information is power, especially in the information age. As a result, increasingly, contestation is occurring over the control of information, because of the increase in the value of information relative to other goods, such as territory or industrial equipment and facilities. Conventional military operations do not always provide an advantage over cyber operations for actors seeking to acquire or control information.

Before we apply our findings to explain Russia’s actions in Ukraine, it is important to note that our analysis presents an overall relationship between cyber and military operations and does not focus on explaining individual cases. Extensively covered by prior research, these cases do not bear directly on our findings because they present behaviors that prove to be exceptions to prevailing patterns and not a general rule.25 Despite that, the basic logic of complementarity and substitution in military affairs remains compelling, even if we do not find that it is exercised systematically in cyberspace, at least not yet. While we might see more systematic complementary and substitutive use of cyber and military operations in the future, we also expect that increasing global reliance on the internet, and the rising relative value of information, will continue to motivate countries to use cyberspace to strategically pursue information-related objectives independently of conventional military aims.

Russia’s Cyber and Military Actions in Ukraine

While numerous details remain obscure in the midst of any war, consensus opinion seems to be that no major cyber operation has successfully disrupted any essential services in Ukraine during the period of the war. For the most part, Ukraine’s internet infrastructure has remained functional despite the ongoing conflict. There is, however, no doubt that Russian hackers have sought to penetrate Ukrainian networks and will continue collecting intelligence to further Russia’s strategic objectives. Moreover, the Russian government has been waging a vigorous series of information campaigns against occupied and free Ukrainian territory, as well as the rest of the world.26 Why is this the case? What is the role of Russia’s cyber efforts in this conflict? Is it using cyber operations to substitute for, complement, or operate independently from military operations?

Substitution

Advocates of the substitution argument have suggested that Russia would not need to use military force in Ukraine because cyber attacks would achieve similar goals. In effect, Russia would cross the border into Ukraine virtually, rather than physically, substituting cyber war for conventional conflict. Keir Giles of Chatham House, for example, argued that “a destructive cyber onslaught could target military command and control systems or civilian critical infrastructure and pressure Kyiv into concessions and its friends abroad into meeting Russia’s demands.”27 A senior Biden administration official also espoused this logic, arguing that Russia “could opt to launch a sweeping cyber and disinformation campaign against Ukraine and its government rather than a traditional military invasion of the country.”28

Some cyber attacks did take place while NATO and some of its member countries were still trying to negotiate a peaceful resolution of the crisis. These attacks suggested to informed observers that the Kremlin was more serious about cyber aggression than a physical invasion — perhaps to put pressure on NATO and Ukraine to accept some of its demands, thereby obviating military incursion.29 In January of 2022, for instance, cyber operations defaced 70 Ukrainian websites.30 Two days later, Microsoft identified the WhisperGate malware — a “pseudo ransomware”31 — on computer systems belonging to Ukrainian government agencies, the purpose of which was to corrupt the contents of files on the computers it infected.32 In February, cyber disruptive operations targeted PrivatBank, Ukraine’s largest commercial bank,33 and the websites of the Ukrainian Ministry of Defense and armed forces.34

However, if Moscow had used cyber operations to substitute for military operations, we should have seen a full-blown cyber war instead of a conventional invasion. The objective of Russia’s pre-invasion cyber operations remains unclear. Even taken collectively, they resulted in modest damage and seemed to be rushed or poorly planned. For instance, the impact of web-defacement attacks was largely inconsequential, because most websites were quickly restored, and no data was lost or rendered unusable.35 Microsoft discovered WhisperGate before it could cause serious damage.36 PrivatBank restored its services within hours.37 Ukrainian officials reported no significant damage to the websites of the Ukrainian Ministry of Defense and armed forces.38 Though Russia has apparently tried, over the last eight years, to use cyber operations to supplant its conventional front,39 Moscow’s limited cyber efforts in the period immediately prior to the invasion suggest that it recognized the futility of such efforts. While a systematic analysis of the relationship between Russia’s cyber and military operations is in order, it appears that, having failed to achieve its strategic objectives using cyber operations, the Kremlin perceived that its only option was to launch a military campaign.40

Complementarity

Rather than act as a substitute, other observers and pundits have argued that cyber operations may be used to complement conventional military operations in a Russian assault on Ukraine. Jason Healey of Columbia University predicted that Russia would initiate any invasion of Ukraine with offensive cyber attacks.41 William Courtney and Peter A. Wilson from the RAND Corporation warned of the “massive employment” of cyber operations to create “shock and awe causing Ukraine’s defenses or will to fight to collapse.”42 A report from Microsoft Corporation published in April of 2022 seemed to substantiate these claims of the complementary use of cyber and military campaigns, at least at first blush.43

Cyber attacks that took place during the NATO-Russia-Ukraine negotiations — some of which are outlined above — could have suggested that Moscow was planning to unleash congruent, complementary cyber Armageddon as it crossed the Ukrainian border with tanks.44 Moreover, a number of cyber disruption and degradation attacks followed Russia’s invasion of Ukraine, hinting at their potential complementary use alongside Russia’s military campaigns. For instance, on February 24, the start date of Russia’s invasion, large parts of Viasat’s KA-SAT network of high-speed satellite services went down,45 causing a partial outage in its residential broadband services in Ukraine and in other European countries46 (thousands of wind turbines in Germany were forced offline by the outage).47 The heavy reliance of the Ukrainian military on the compromised KA-SAT segment in Central and Eastern Europe led German government officials to associate the cyberattack on Viasat with the war in Ukraine.48 On March 17, 2022, the Ukrainian government and military entities were targeted using spear-phishing campaigns — e-mails containing malicious files with the purpose of obtaining access to information available to these entities.49 On March 28, 2022, Ukraine’s national provider Ukrtelecom experienced a major internet disruption due to a cyberattack, with its connectivity collapsing to only thirteen percent of pre-war levels.50

But as with cyber strikes prior to the invasion, the strategic impact of these attacks remained relatively minor, suggesting that the Russian government had not expected these cyber operations to significantly complement its actions on the ground. The German federal government characterized the effect of the attacks on Viasat’s KA-SAT network as a case of “cyber collateral damage”; there were no further effects on German critical infrastructure or on Germany’s ability to provide for its security.51 In the aftermath of the above-listed cyber attacks, Ukrtelecom was able to quickly resume regular services.

Even though the impact of cyber operations seems to be limited given the scale of the full-blown conventional war, it is quite possible that a greater number of attacks might eventually come to light. Still, even if much of the goings-on in cyberspace occur behind the scenes, there is clearly little support for claims that cyber operations are being conducted in a direct, overt manner to impact the reality of combat on the ground. Had we witnessed cyber operations that misdirected enemy forces, confounded the disposition of forces, or damaged or immobilized equipment, especially high-tech electronics systems (ELINT, etc.), we would of course have to conclude otherwise.

Independence

Having detailed the failure of the Russian government to implement cyber operations either to complement or substitute for military operations, we next apply our study’s findings to show how the Kremlin has used its cyber and conventional capabilities independently of each other.

One of the reasons for this independence, as noted above, is the difficulty of coordinating operations across domains, a known challenge even for the most sophisticated militaries.52 Cyber attacks are generally more planning intensive than conventional operations because they require significant time and resources to conduct reconnaissance to determine which vulnerabilities an actor can exploit.53 Having exploited a given vulnerability, the actor has to start the process all over again. By contrast, in the case of conventional military tools, once an actor has started shooting it can continue shooting as long as it has available ammunition.

Russian military actions in Ukraine show that Russia’s forces are having difficulty coordinating, even within a single domain.54 Moreover, since there is anecdotal evidence suggesting that the Kremlin expected the war in Ukraine to be of short duration,55 Moscow might not have prepared its forces to execute time-intensive cyber operations to complement its actions on the ground. As a result, Russian commanders would have had little choice but to employ conventional military operations to seek to capture, damage, or destroy critical infrastructure. That could be one reason why, for example, Russian officials relied exclusively on conventional military operations to capture the Zaporizhzhia nuclear power plant, which generates more than one-fifth of Ukraine’s total electricity. And, as demonstrated by the 2015 and 2016 attacks on Ukraine’s electric power grid, which led to power outages that lasted only a few hours, the potentially limited strategic impact of infrastructure-targeted cyber operations might also help explain Russia’s reliance on conventional military operations in the current campaign.56

Moreover, the gains of using disruptive and degrading cyber attacks as complements are lower than their costs. Ukraine’s decentralized internet, which includes multiple fiber lines that cover the same areas, makes it difficult to effectively attack Ukraine’s network connectivity.57 In addition, Russian forces in Ukraine have utilized the well-connected Ukrainian commercial networks for their own battlefield communications.58 Finally, if the Kremlin were to succeed in conquering Ukraine, it would be expensive to rebuild the country’s internet infrastructure. In civil conflicts across the globe, governments and nonstate actors both rely on cellular communications. As a result, both are inclined to leave cell towers and other vulnerable infrastructure alone. There is little evidence that Russia is using disruptive and degrading cyber attacks to complement ground operations, in part because such attacks would also degrade Russia’s own efforts to maintain communication, now and in the future. This lack of evidence of the complementary use of disruptive and degrading cyber attacks and military operations provides preliminary support for the independence of these modes of fighting. This suggests that each tends to operate in its own bubble — the findings demonstrated in our global analysis as well as in research that investigated the role of these operations during the earlier stage of the Ukraine conflict between 2014 and 2016.59

Another reason why we do not observe complementarity between Russia’s known cyber attacks and military operations might be because it is more valuable to Moscow to use the internet to eavesdrop on the conversations of the Ukrainian military and civilian population, in order to gather information about the territory and to geolocate objectives, than it is to take the internet offline.60 Cyber espionage may assist the Kremlin in obtaining Ukrainian battle plans in order to better execute its military campaigns and target valuable objects, or assist in meeting even more basic needs like navigation. There is evidence that Russian forces — supplied with only rudimentary GPS capabilities and outdated, inaccurate paper maps — have relied on Google Maps and other internet-based geographical information systems to find their way around.61

Since this information collected via the internet has benefitted the Kremlin, one might well argue that the Kremlin’s cyber espionage operations are therefore complementing efforts on the battlefield. But it is important to note that cyber operations are not enhancing any of the physical effects of conventional warfare, for Ukraine or Russia. They are not, as predicted, being used in a coordinated manner to make either side more lethal on the battlefield. The explosion of artillery shells is not bigger. Tanks are not more immune to interdiction by precision-guided munitions such as the Javelin or NLAW. Nor does the availability of networks seem to be coordinated with battlefield conditions. If, for example, we accept for the moment that cyberspace is helping Ukrainian forces master the battlefield, then why would Russian commanders wish to allow this to continue? At the very least, the complementarity theory implies that Russia should shut down the internet, or cellular communications, when and where these systems become a tactical liability. This has not generally been the case. As a result, while there might be some individual cases of the complementary use of cyber and conventional operations for tactical purposes, both modes of fighting seem to be used independently from each other.

Another reason why cyber and conventional operations are being used independently of one another is that different political objectives require the use of disparate conflict domains to achieve various aims.62 This also explains our indirect substitution argument, discussed below.

Indirect Substitution

As our theory explains, traditional military operations are the most effective method of occupying territory, capturing resources, attriting an enemy’s conventional military capabilities, and terrorizing populations. Cyber operations, on the other hand, are most consistently effective in gathering intelligence, stealing technology, and winning public opinion and diplomatic debates. As a result, conflict in cyberspace has more typically been about winning information contests than it has been about augmenting or replacing the physical aspects of a conventional war, at least directly. As noted earlier, because of the unique objectives that each mode serves, they can instead act to indirectly substitute for one another. Existing evidence suggests that Russia has used its information campaigns to indirectly substitute for conventional conflict in the longer term, especially given that Moscow seems to have expected the war to be short.

During the invasion, the Russian government continued using the internet to shape the hearts and minds of Ukrainians and the rest of the world. The Kremlin launched a number of disinformation campaigns using compromised accounts of high-profile Ukrainians, including military officials and public figures.63 As of the end of March 2022, for instance, the Security Service of Ukraine (SBU) had identified and shut down five bot farms operating 100,000 social media accounts spreading fake news related to the invasion.64 Hackers broke into local government websites to spread false information that Kyiv had capitulated and had signed a peace treaty with Moscow.65 Given that information campaigns are meant to shape public opinion in the long term, the Russian government might have been using these campaigns to indirectly substitute for fighting in the future.

Indirect Complementarity

While Russia has arguably used its information campaign to indirectly substitute for conventional conflict in the longer term, it may also have used information and cyber espionage operations to indirectly complement its conventional invasion in the short term.66 Some experts have suggested that Russia has most likely been trying to retain access to information about decision-making processes not only of the government of Ukraine, but also of Western states. The Kremlin has tailored its cyber espionage activities in order to obtain information about Western governments’ discussions of economic sanctions against Russia, how these governments work together to address Russia’s invasion, and the types of divisions that the Kremlin might be able to exploit and use as leverage in future negotiations.67

Russia’s extensive use of the internet to spread disinformation demonstrates that its other priority in cyberspace is to target the hearts and minds of domestic and international audiences. Prior to the start of the conflict, the Russian government had actively engaged in a number of disinformation campaigns aimed at shaping the beliefs of the Ukrainian population.68 In November 2021, we observed a 2,000 percent daily average increase in Russian-language content about the situation in Ukraine.69 At the time, White House Press Secretary Jen Psaki stressed the potential psychological effects of these operations by Moscow, which sought to make the case for Russia’s intervention in Ukraine and to build support among Russian-speaking Ukrainians for a possible Russian invasion. Through these efforts, Russian officials hoped to exploit divisions in Ukraine to accelerate the march to Kyiv, and to smooth the installation of and transition to an anticipated pro-Kremlin regime.70

Russia’s extensive use of the internet to spread disinformation demonstrates that its other priority in cyberspace is to target the hearts and minds of domestic and international audiences.

Note that, while using cyberspace in this manner changed important details of the eventual Russian invasion — streamlining the order of battle and convincing Putin and others in Moscow that they could prevail on the cheap — it did not obviate the need for an invasion. Sowing dissension in Ukraine would not have led to regime change by itself. Nor could the invasion prevail with only light force if a critical mass of citizens failed to greet the invaders with flowers. The information campaign and the invasion were intended to accomplish different things, one capturing hearts and minds, and the other grabbing territory. In other words, though each complemented the other, they did so separately, independently, and indirectly.

While our analysis does not point to indirect complementarity of cyber and conventional fronts on a global scale, Russia’s actions in Ukraine suggest the possibility of this new relationship between these two types of operations in future digitally enabled conflicts. Future research should further explore this possibility.
Alternative Explanations for the Lack of Full-Blown Cyber Warfare in Russia’s War Against Ukraine

A number of alternative arguments have emerged to explain why Russia has not engaged in full-blown cyber warfare in Ukraine. One argument focuses on Ukraine’s cyber defenses, which may have been highly effective, perhaps as a result of cooperation between NATO countries and the Ukrainian government.71 While it is perhaps an understandable generalization triggered by the notable successes of Ukrainian ground and air forces, this seems unlikely. While numerous unobserved Russian cyber attacks might have been thwarted behind the scenes by Ukrainian (or other) cyber defenders, the attacks that have been observed are less of a reflection of Ukrainian excellence than of Russian lethargy; Russia’s lack of preparation; or Russia’s lack of a desire, need, or intent to execute disruptive and degrading cyber attacks. Specifically, Russian cyber attacks undermined their targets only temporarily and seemed to have been hastily planned.72 Moreover, given its access to Ukraine’s networks, it seems most likely that the Kremlin has made a decision not to use that access to disrupt the internet and instead had decided to use access information, both in order to listen in and to spread disinformation.

A second alternative is that Russia may be holding some of its cyber assets in reserve and is waiting for the right moment to strike. This argument suggests that a major cyber onslaught may be in the offing that would act as a force multiplier to propel Russia’s conventional military operations.73 If so, then there could not have been a better time to unleash this torrent from cyberspace than in the early weeks of the conflict, a period during which Russian forces suffered a prodigious level of casualties, failed to capture any of their putative objectives, and demonstrated significant incompetence as a military organization. If Russian hackers are holding back, waiting for a moment when they are really needed, it is unclear what needs to take place in order for them to be mobilized.

Since it takes significant time to build access and capabilities, which the Kremlin had not planned on using against a seemingly weak actor, the third possibility is that we can expect to see a more coordinated use of cyber operations along with military operations in the future. This, however, is unlikely to take place, given that the Russian government has been present in Ukraine’s cyber infrastructure for the better part of a decade.74 While it might not have access to every target of significant value, it is likely that Russia has access to more targets than it has damaged, disabled, or destroyed to date. The fact that Moscow has generally failed to exploit such vulnerabilities in a destructive manner, rather than in order to conduct espionage, suggests it does not see significant advantages in doing so.

The last possibility is that there is a lack of suitable targets. Many Ukrainian objects of critical infrastructure may not be connected to the internet. Much of Ukraine’s military equipment, for example, is leftover from the Soviet era.75 There is no point in seeking to attack, say, a radar site via the internet when the radar runs on vacuum tubes and the only cyber links are the operators’ smartphones. Yet again, however, this does not explain the lack of cyber aggression where the environment is more target rich, either in Ukraine or the West. A limited target set implies that it is that much easier to achieve target saturation, something we have not seen come to pass four months into the war.

While there are many possible reasons for the limited nature of Russia’s cyber war in Ukraine, the arguments outlined above suffer from various fairly obvious flaws. Russian hackers are probably not pulling their punches. More likely, as argued above, cyber war is deemed by the Kremlin to impede rather than enhance battlefield conditions. Attacks over the internet that are designed to damage or destroy are not nearly as attractive as maintaining access in order to collect information, shape perceptions, and gauge the effects of one’s actions in other domains.

Lessons for the Future

The old Clausewitzian dictum still holds, even in the 21st century: Warfare is the continuation of politics, even by an increasing number of other means.76 But the goals of politics are heterogeneous, and the means themselves differ in their efficaciousness, depending on the goal. Cyber war is first and foremost about information — its control and utilization as a means of realizing political goals.77 Because it is primarily an informational domain, cyberspace is most useful in pursuing informational goals. In Ukraine, we can see that this is precisely what Russia is doing: using the internet to seek to shape the beliefs of Ukrainian citizens and perhaps also to glean better insights about the conduct of the war and order of battle, both in practice (i.e., against Ukraine) and in prospect (i.e., against NATO and the West generally).

Hollywood has gotten cyber war wrong, preferring to imagine a domain in which bits and bytes somehow lead to spectacular explosions.78 Intellectuals have not done much better. Rather than looking for direct, palpable effects, we are better off considering how information shapes political affairs indirectly and how politicians seek to condition information. Cyber war is more about beliefs and data than it is about wresting physical control over objects or destroying material capabilities.

What can we expect from cyberspace in future wars? Most likely, more of the same. The Russo-Ukrainian conflict has already demonstrated tendencies that we identified in a more systematic analysis. Cyber attacks do not generally lead to increased conventional conflict behavior. Nor does cyber war make redundant conflict in other domains. Instead, there has been a decline in conventional war, brought on by the diminishing utility of controlling tangible goods. Taking territory is no longer the fast route to wealth and power that it once was. Instead, important nations collect, contain, and acquire knowledge. The ability to build sophisticated technologies and glean and process insights about one another differentiates powerful nations from those that can only wish to be so. These diverging objectives point to the possibility of indirect substitution of the two modes of fighting.

The Russo-Ukrainian war has been a surprise in many ways. Few observers expected a major European conflict in the 21st century. Most experts vastly over-estimated the efficacy of the Russian army and perhaps under-estimated the fighting spirit and acumen of Ukrainian forces. Yet another surprise has been the relative lack of combat in the cyber domain. However, we anticipated this particular tendency in our explanation of the independence of cyber and conventional domains. The war in Ukraine is fundamentally about territory and physical control. Cyberspace can do little to capture a nation. It can, however, serve as a vehicle through which one can attempt to capture the hearts and minds of a people. But to compete in this manner, both sides must maintain access to the internet.

It is quite possible that in the future other nations will behave differently than Russia has in Ukraine. Despite this, our systematic analysis of global military and cyber campaigns and descriptive anecdotes from the Russo-Ukrainian war suggest that cyber war cannot replace traditional forms of combat. Cyber attacks will also often fail to make physical attacks more effective or practical, unless and until each is well coordinated with the other. Even then, it will make little sense to coordinate across domains unless each domain is utilized for its primary purposes. Breaking things over the internet is hard work and not very productive in political terms. Much more can be done by collecting and disseminating (dis)information in cyberspace, which can then be used to enhance outcomes in other domains. Differences in these respective arenas mean that the future of warfare will likely not be fundamentally altered by cyberspace. Instead, the objectives of states are already evolving in an informational world. Nations will not use cyber war in the place of more traditional war, but they will rely increasingly on cyberspace as a domain for pursuing these new, informational objectives.

No comments:

Post a Comment