The writer is former head of the US Cybersecurity and Infrastructure Security Agency and the co-founder and partner of the Krebs Stamos Group
In the build-up to Russia’s invasion of Ukraine, the national security community braced for a campaign combining military combat, disinformation, electronic warfare and cyber attacks. Vladimir Putin would deploy devastating cyber operations, the thinking went, to disable government and critical infrastructure, blind Ukrainian surveillance capabilities and limit lines of communications to help invading forces. But that’s not how it has played out. At least, not yet.
There were some modest cyber attacks ahead of the invasion, including website defacements on Ukrainian government and financial services in January, and similar follow-on operations in February. Satellite broadband provider Viasat was hit with an attack that disrupted commercial and industrial operations throughout Europe, though that event has not been tied to Russia yet. Of course, that’s our assessment right now: the fog of war, combined with the fact that many Ukrainian businesses are shuttered, means there are quite likely more we don’t know about.
We also need to be realistic about the role of cyber attacks — they are not in the same league as the tools of conventional warfare. To put it bluntly, when your family is being gunned down, does it really matter if you can’t check your email? Instead, cyber operations are more ideally suited to the “greyzone” — the arena of conflict below the threshold of bombs and bullets — where tactical objectives are not only about disrupting services, but also about intimidation, distraction, and confusion.
The future think-tank monographs and war college lectures which will inevitably unpick Moscow’s strategy are likely to focus on the surprising lack of cyber attacks in Putin’s invasion plan. Theories range from the Russians not trying all that hard on the offensive cyber front, to the idea that they did — but that Ukrainian and western defenders proved too formidable.
In fact, there are several factors which would explain why Moscow’s proven cyber capabilities took a back seat in the overall strategy. For one, it seems the Kremlin kept battle-planning to a small group that may have excluded the Russian security services’ cyber personnel. Successful cyber operations require careful planning, targeting and development, often taking months if not years. Instead, it seems the teams may have had to scramble to adapt existing network access and attack tools to fit the battle plan.
There’s also the matter of necessity. Intercepted transmissions point to Russian forces using radio handsets and Ukrainian telecommunications networks to co-ordinate movements and update commanders back in Russia. In this scenario, Moscow would keep networks operational for their own use. If the Kremlin thought Ukrainians would fold in the face of a lightning strike on the capital, then they would have wanted to maintain critical infrastructure services for when they moved in.
But the war isn’t over, not by a long shot. The Ukrainians continue to punch back militarily with stunning effectiveness, while also dominating the information battle. Western unity against Putin’s tyranny shown in the devastating sanctions, combined with international businesses self-sanctioning their Russian operations, has wrecked the economy and cut off essential services and supplies. The preliminary economic outlook for Russia is grim, not just for the next few weeks or even months, but possibly for years.
The danger is that as political and economic conditions deteriorate, the red lines and escalation judgments that kept Moscow’s most potent cyber capabilities in check may adjust. Western sanctions and lethal aid support to Ukraine may prompt Russian hackers to lash out against the west, sending a clear message: “knock it off, we can make this much worse for you”. Russian ransomware actors may also take advantage of the situation, possibly resorting to cyber crime as one of the few means of revenue generation.
Let’s not forget that in the last decade, Putin’s henchmen have poisoned dissidents both at home and abroad, interfered in dozens of democratic elections, created havoc with offensive cyber attacks such as NotPetya and undermined the very concept of truth and trust. A wounded bear can still lash out, inflicting great harm for as long as it draws breath.
Mitigating this risk means we need decisive action. Government offensive cyber teams must continue to disrupt Russian attacks, while rapidly sharing information with industry on Moscow’s intent and capabilities. We must accept, however, that stopping all attacks is not realistic. Industry executives should recognise they have an obligation to make themselves harder targets so the government can focus on supporting Ukraine, rather than putting out fires back home.