Pages

2 April 2023

Russia's War in Ukraine: Examining the Success of Ukrainian Cyber Defences


With Russia’s war in Ukraine now in its second year, indications point towards Moscow preparing a renewed cyber offensive. However, a repeat of what transpired last February is unlikely. Russia’s cyber forces had reshaped their operational approach over the past year to better coordinate their actions and account for fighting a longer conflict. It is therefore important that specific drivers for Ukraine’s defensive success are identified, analysed and where appropriate, reinforced. The issue at hand is not just ensuring Western preparedness for future conflicts, but more urgently, to safeguard the continued success of Kyiv’s cyber defences.

Despite expectations to the contrary, cyber defence, not offence, has been the story of Russia’s war against Ukraine as it enters its second year. Shattering concepts of offence dominance, Kyiv’s cyber-defensive effort has shown that a strong and layered cyber defence can be mounted against a well-resourced and highly capable adversary. The preeminent question in policy debates has been: ‘How can other states replicate Ukraine’s success?’

This is a complex issue. The fog of war has been even thicker on the defensive side of the war, with many Ukrainian activities necessarily shielded from public view for operational security. Yet careful examination of the available evidence would suggest that the primary lessons lie less in what Ukraine has done and more generally in its superior capacity to adjust to various aspects of Russia’s cyber offensive. Institutional adaptations such as legislative change in Ukraine and measures taken to garner public- and private-sector support have driven much of Kyiv’s defensive success. At this stage of the war, it is uncontroversial to argue that Ukraine has decisively won the adaptation battle in cyberspace.

This adaptive capacity was engineered well in advance of the February 2022 invasion. As this paper details, underlying Ukraine’s ability to make agile decisions and outmanoeuvre Russia’s cyber forces is the culmination of years of experience, investment and high-level policymaker attention dedicated to improving the country’s cyber defences. Kyiv’s familiarity with Moscow’s approach to information confrontation and the former’s years of defending against network attacks are equally crucial. The Ukrainian experience hence teaches a twofold lesson that while early contestation and defensive reinforcement can undermine the adversary’s plans and intentions, sound defensive fundamentals are required to sustain those advantages.

There are also other pressing policy questions. The first is: how durable is the ‘Ukrainian model’ as the war enters another year with seemingly no end in sight? To date, Kyiv has deftly marshalled its defensive resources and orchestrated diverse forms of external support to stem the Russian cyber offensive. However, concerns of ‘fatigue’ setting in are just as consequential to Ukraine’s cyber defence as they are in other domains of war. After all, defensive reinforcements are not limitless, and competing priorities or emerging crises elsewhere in the world could divert attention and resources away from the Ukraine front. Changing economic conditions could also stem crucial private-sector support for Ukraine’s cyber defence. Moreover, notwithstanding popular narratives about the ineptitude Russia’s cyber forces have displayed so far, they remain highly skilled and have shown that they are tactically adaptable. We should therefore not underestimate Russia’s cyber programme nor think that its hitherto shortcomings will persist. Governments should therefore undertake proactive efforts to prioritise critical collective-defence measures to ensure their long-term sustainability. Notably, there are significant opportunities to be realised here to bolster existing multilateral mechanisms and better coordinate public- and private-sector commitments.

A second question is: what more can be done to bolster Ukraine’s cyber defences? It is easy to get carried away by triumphalism about Kyiv’s cyber successes and the vital role that Western support has played in this regard. But many aspects of this effort have been improvised. Governments and private firms assisting Ukraine have been thrust into the war with limited planning and forethought about Ukraine’s specific needs or how to respond as part of a collective-defence architecture. This means that to truly learn the appropriate cyber-defence lessons from the war, we must approach Ukraine’s defensive success with a critical eye. There remain critical gaps, unmet needs and significant opportunities for improvement.

The third question is: how relevant would the Ukraine model be for future conflict scenarios, such as a potential Chinese invasion of Taiwan? Here, the takeaways are murkier. Broad-based and sustained investments to boost visibility, detection and resilience will surely help position Taipei to win its own adaptation battles. But we also must recognise that China is likely to exercise cyber power in fundamentally different ways than Russia. Unique challenges such as Taiwan’s geographic position and Chinese cyber and economic power suggest different approaches and partners may be required to bolster Taipei’s cyber-defence posture.

No comments:

Post a Comment