Often the most damaging cyberoperations are covert and deniable by design. In the heat of war, it’s hard to keep track of who is conducting what attack on whom, especially when it is advantageous to both victim and perpetrator to keep the details concealed.
“Cyberwar is coming!” For decades now, we have heard this refrain from the American defense establishment. We were warned that the next big state-on-state military confrontation could start with a flash-bang cyberattack: power outages in major cities, air traffic control going haywire, fighter jets bricked.
As Russia started amassing around 100,000 troops along its western and southern borders through 2021, Ukraine seemed to be the ideal battle space for such an apocalyptic scenario. The country has already seen some of the most brazen, shrewd and costly cyberattacks in history over the past eight years: hacks and election interference in 2014 as Russia annexed Crimea, remotely caused blackouts in 2015, devastating ransomware attacks in 2017.
In 2022 the war came but seemingly without the cyber apocalypse and waves of pummeling digital strikes we expected. “Cyberattacks on Ukraine Are Conspicuous by Their Absence,” headlined The Economist a week into the war. Such claims, however, are misleading. Cyberwar has come, is happening now and will most likely escalate. But the digital confrontation is playing out in the shadows, as inconspicuous as it is insidious. Several interlocking dynamics of cyberoperations in war stand out from what we have seen in Ukraine so far.
First, some cyberattacks are meant to be visible and, in effect, distract from the stealthier and more dangerous sabotage. On Feb. 15 and 16, Ukrainian banks suffered major denial-of-service attacks, meaning their websites were rendered inaccessible. Western authorities swiftly attributed the attacks to Russia’s intelligence service, and Google is now helping protect 150 websites in Ukraine from such attacks.
The Anonymous collective declared cyberwar against the Russian government soon after the attack and obtained a trove of data from a German subsidiary of Rosneft, a major Russian state-owned oil firm. Ukraine’s besieged government has embraced the idea of a crowd-sourced I.T. army. But these attacks and the decentralized volunteerism are simply a distraction. In fact, often the most damaging cyberoperations are covert and deniable by design. In the heat of war, it’s harder to keep track of who is conducting what attack on whom, especially when it is advantageous to both victim and perpetrator to keep the details concealed.
The day the Russian invasion started, ViaSat, a provider of high-speed satellite broadband services, suffered an outage. The services of Ka-Sat, one of its satellites, were seriously affected. The satellite covers 55 countries, predominantly in Europe, and provides fast internet connectivity. Among the affected Ka-Sat users: the Ukrainian armed forces, the Ukrainian police and Ukraine’s intelligence service.
ViaSat later revealed that the incident started in Ukraine and then spread, affecting 5,800 wind turbines in Germany and tens of thousands of modems across Europe as well. But details on the origin of this attack remain elusive, as does attribution. The Ukrainian security establishment, of course, has no interest in revealing the details of what might be a successful command-and-control attack in the middle of an existential war.
Victor Zhora, a senior Ukrainian cybersecurity official, only generally acknowledged that the ViaSat incident caused “a really huge loss in communications” at the beginning of the war.
A week into the war, the Ukrainian newspaper Pravda published the names, registration numbers and unit affiliations of 120,000 Russian soldiers fighting in Ukraine. Such large leaks can have powerful psychological effects on the exposed entity, which feels vulnerable and exposed.
Once again, though, the origin of the leak remains unclear. The material could have been procured from a Russian whistle-blower or taken through a network breach. Leaked files — in contrast to hacked machines — rarely contain clues for attribution. Some of the most consequential computer network breaches may stay covert for years, even decades. Cyberwar is here, but we don’t always know who is launching the shots.
Second, cyberoperations in wartime are not as useful as bombs and missiles when it comes to inflicting the maximum amount of physical and psychological damage on the enemy. An explosive charge is more likely to create long-term harm than malicious software.
A similar logic applies to the coverage of hostilities and the psychological toll that media reporting can have on the public. There’s no bigger story than the violent effects of war: victims of missile attacks, families sheltering underground, residential buildings and bridges reduced to piles of smoking rubble. In comparison, the sensationalist appeal of cyberattacks is significantly lower. Largely invisible, they will struggle to break into the news cycle, their immediate effect greatly diminished.
We saw these dynamics play out in the Russian destructive malware “wiper” attacks of Feb. 23 and 24. Just hours before the invasion started, two cyberattacks hit Ukrainian targets: HermeticWizard, which affected several organisations, and IsaacWiper, which breached a Ukrainian government network. A third destructive malware attack was discovered on March 14, CaddyWiper, again targeting only some systems in a few unidentified Ukrainian organisations. It is unclear if these wiping attacks had any meaningful tactical effect against the victims, and the incidents never broke into the news cycle, especially when compared to the physical invasion of Ukraine by tanks and artillery.
Finally, without deeper integration within a broader military campaign, the tactical effects of cyberattacks remain rather limited. Thus far, we have no information on Russian computer network operators integrating and combining their efforts in direct support of traditional operations. Russia’s muted showing in the digital arena most likely reflects its subpar planning and performance on the ground and in the air.
Close observers have been baffled by the Russian Army’s insufficient preparation and training, its lack of effective combined arms operations, its poor logistics and maintenance and its failure to properly encrypt communications.
Cyberwar has been playing a trick on us for decades — and especially in the past weeks. It keeps arriving for the first time, again and again, and simultaneously slipping away into the future. We’ve been stuck in a loop, doomed to repeat the same hackneyed debate, chasing sci-fi ghosts.
To harden our defences, we must first recognise cyberoperations for what they have been, are and will be: an integral part of 21st-century statecraft. The United States has a unique competitive advantage through its vibrant tech and cybersecurity industry.
No other country comes even close to matching the U.S. public-private partnership in attributing and countering adversarial intelligence operations. These collaborative efforts must continue. The contours of digital conflict are slowly emerging from the shadows, as digitally upgraded intelligence operations at the edge of war: espionage, sabotage, covert action and counter-intelligence, full of deception and disinformation.