The Limited Role of Cyber Operations So Far

In the build-up to Russia's invasion, experts raised concerns about Russian cyberattacks on Ukraine and potential spillover into other countries. There is precedent for both. In 2015 and 2016, Russia launched cyber operations that knocked out power in Ukraine, and in 2017, Russia used Ukrainian accounting software to launch destructive malware known as NotPetya that although disguised as ransomware, actually “irreversibly encrypted” files, rendering ransom payments “futile.”Footnote ¹ NotPetya spread worldwide, causing $10 billion in damage.Footnote ²

Given this history and years of speculation about what war by a cyber power would look like, expectations were high that cyber operations would play a major role in the initial invasion. Instead, their role appears to have been relatively limited, prompting surprise among many who follow Russia's cyber operations. Senate Intelligence Committee Chairman Mark Warner, for example, declared that he was “‘amazed that [the Russians] have not really launched the level of maliciousness that their cyber arsenal includes.’”Footnote ³

The known cybersecurity incidents in the lead up to and weeks immediately following the invasion have been relatively modest in effect.Footnote ⁴ For example, in mid-February, a distributed denial of service (DDOS) attack by the Russian military briefly disrupted access to the websites of several government departments and the two largest Ukrainian banks,Footnote ⁵ and cyber operations have intermittently disrupted some internet services.Footnote ⁶ Researchers have also discovered several types of wiper malware, which destroys or corrupts data, on Ukrainian systems both before and after the invasion, though the malware appears to have caused limited damage to date.Footnote ⁷

The most significant cybersecurity incident disclosed so far is also the one most like the sort of cyberattacks expected to accompany the invasion. As the invasion commenced on February 24, 2022, the Russian government launched a cyberattack targeting broadband internet services provided by Viasat, a company that is a U.S. defense contractor and that has contracts with Ukraine's military and police.Footnote ⁸ A Ukrainian official later told reporters that the incident “resulted in a ‘huge loss in communications in the very beginning of the war.’”Footnote ⁹ The intrusion disrupted satellite internet access across Europe, including in Poland and France, and in Germany, thousands of wind turbines remained offline a month after the incident.Footnote ¹⁰ Disruptive as this incident has been, it is notable as apparently the only major successful cyberattack of the kind that many expected to blanket Ukraine at the outset of the invasion.

Why Haven't Cyberattacks Played a Bigger Role?

In the fog of war, cyber operations may be the foggiest component of all—at least to those outside governments and sophisticated companies. But uncertainty has not stopped speculation. The Washington Post recently catalogued no fewer than eleven possible explanations for the limited successful cyber operations accompanying Russia's invasion.Footnote ¹¹ In time, what actually happened (or did not) on the cyber front will become clearer, and Ukraine seems destined to become a watershed case study for whichever explanations turn out to be correct. In the meantime, the remainder of this essay attempts to systematize some of the theories about muted cyber operations in order to shed light on what international lawyers and policy makers might ultimately learn from the role of cyber operations in the Russian invasion.

At the broadest level of generality, there are two categories of possible explanations for the limited cyber effects in the early weeks of the conflict: (1) attempted or planned cyberattacks failed; or (2) Russia chose not to launch widespread cyberattacks. Both options challenge conventional wisdom and suggest lessons going forward.

Turning to the first option, if Russia planned or attempted cyberattacks, but failed to achieve significant destruction or disruption, that might suggest that cyber defenses succeeded. A story in which Russian cyber operations proved less effective than expected would fit with the broader picture of the invasion, where Russia failed to achieve its initial objectives with conventional military forces, apparently due to poor planning and underestimating Ukrainian defenses.Footnote ¹²

Although cyber operations are highly secretive, some hints about defenses have spilled into public view. U.S. officials have noted “extensive work done to harden Ukraine's networks after Russian attacks on its electric grid in 2015 and 2016,”Footnote ¹³ and consistent with the announced U.S. “defend forward” policy,Footnote ¹⁴ media reports indicate that “[h]idden away on bases around Eastern Europe,” U.S. Cyber Command “‘cybermission teams’ are in place to interfere with Russia's digital attacks and communications.”Footnote ¹⁵ National Security Agency Director and Commander of U.S. Cyber Command Gen. Paul Nakasone recently told Congress, “We've worked very, very hard with Ukraine over the past several years,” including having “‘hunt forward’ teams from US Cyber Command in Kyiv.”Footnote ¹⁶ Defensive experience appears to be paying dividends, allowing authorities to prevent intrusions from causing damage. In April, the U.S. Department of Justice announced the disruption of a Russian government-controlled botnet before it was used,Footnote ¹⁷ and Ukrainian authorities successfully stopped an in-progress cyberattack by Russia's military intelligence agency before it could cause a blackout.Footnote ¹⁸

Defenses are coming not just from governments, but also from companies.Footnote ¹⁹ For example, when Microsoft discovered wiper malware targeting Ukraine's government, within hours it not only updated its own systems to block the malware, but at the White House's request, shared the code with European governments.Footnote ²⁰ Media reports suggest that “much of the actionable intelligence is being found by companies like Microsoft and Google, who can see what is flowing across their vast networks.”Footnote ²¹

In addition to blocking attacks, a different kind of defense comes from resilience. Even in the face of attempted and, in some cases, successful disruptions, Ukrainian government and civilian systems and networks have proven resilient, enabling fierce resistance to Russia. For example, civilians and officials in areas that have lost conventional internet have reportedly turned to Starlink satellite internet services, provided by Elon Musk, as has “a Ukrainian unit [that] is using Starlink to connect its drones attacking Russian forces.”Footnote ²²

If successful defenses are at least part of the explanation for the absence of severe effects from cyber operations, then the Ukraine case study may serve as a counterpoint to the frequent mantra in cybersecurity that offense dominates defense. This is not to say that cyber defense will always prevail. It still frequently fails. Case-in-point: just last year the United States blamed Russia for successfully breaching numerous private sector and government agencies in the SolarWinds incident.Footnote ²³ Nonetheless, perhaps Ukraine will show that experienced defenders engaging in focused defense of discrete known targets in a particular timeframe can succeed. Having a clear example of successful cyber defenses in such circumstances might spur the U.S. and allied governments to supercharge defensive assistance internationally (to say nothing of domestically). The North Atlantic Treaty Organization (NATO) has pledged continuing cybersecurity assistance to Ukraine,Footnote ²⁴ and its Cooperative Cyber Defence Center of Excellence (CCDCOE) admitted Ukraine as a “contributing participant.”Footnote ²⁵

The second broad explanation for the lack of significant cyberattacks is that Russia chose not to deploy them for any of several possible reasons. Perhaps expecting a quick victory with conventional forces, Russia chose not to engage in the detailed planning required for successful cyber operations.Footnote ²⁶ Or perhaps Russia was deterred from attempting cyberattacks due to fears of cross-border spillover that could escalate into direct conflict with NATO.Footnote ²⁷ Such spillover happened with NotPetya and the Viasat hack. If true, this explanation would be surprising because deterrence is generally thought to be weak with respect to cyber operations, and it might prompt a rethinking and retheorizing of how deterrence operates in cyberspace.Footnote ²⁸ On the other hand, Russia seems largely undeterred by much else that the international community has mustered to date, so deterrence alone seems an unlikely explanation.

Another version of the story in which Russia chose not to attempt significant cyberattacks goes to the optimal role for cyber operations. Cyber operations have a significant comparative advantage over conventional force where they can enable espionage or stealthy intrusions, intended to be deniable or non-escalatory. But in a hot conflict, “[i]t's far easier to target the enemy with artillery, mortars and bombers than with exquisite and ephemeral cyber power.”Footnote ²⁹ The Ukraine invasion may drive this point home by showing that even when a major cyber power launches a war, major cyber-related disruption may not follow or not follow immediately. Of course, another country or conflict might proceed differently, using significant strategic cyberattacks and/or precisely targeted and timed cyber operations in support of battlefield troops. Russia's tactics may still change with respect to cyberattacks on Ukraine or abroad, as the United States continues to warn.Footnote ³⁰ But future significant attempted and even successful Russian cyberattacks would not change the fact that the initial invasion played out differently than many expected.

Where Do We Go from Here?

The Ukraine conflict will undoubtedly offer lessons for technical experts and network defenders, but perhaps also for international lawyers and policy makers. In recent years, hypothetical major, destructive cyberattacks have attracted significant attention. But out-of-the-blue cyber Pearl Harbors or cyber 9/11s have not materialized,Footnote ³¹ and as Russia's invasion illustrates, even in an international armed conflict, “there is no cyber ‘shock and awe’”—or at least not necessarily.Footnote ³²

What we do see, however, are lower-level cyber operations that are more consistent and consistently destabilizing. These operations are typical of the gray zone—the ambiguous strategic space between peace and open armed conflict. Examples include brief disruptions to critical infrastructure, DDOS attacks rendering websites inaccessible, ransomware, and intrusions into election infrastructure.Footnote ³³ Such operations play to cyberattacks’ strengths: fostering confusion about what has happened and who is responsible, allowing deniability for states to limit escalation, and causing insidious long-term loss of trust in digital systems and loss of competitiveness due to intellectual property theft. These kinds of operations keep relations simmering without boiling over. A crucial piece of such a strategy also involves masking state involvement, often by involving hackers with murky relations with states and thereby posing attribution challenges.

Part of what is significant about the Ukraine conflict is not just the absence of high-end mass destructive or disruptive cyberattacks, but also the presence of the DDOS and other operations typical of the gray zone—albeit at an apparently heightened rate.Footnote ³⁴ The Ukraine conflict has also provided fresh examples of blurring of lines between state and non-state actors. Hackers have aligned themselves with both sides.Footnote ³⁵ Ukraine's minister of digital transformation tweeted that the country was “creating an I.T. army,” reportedly drawing thousands of participants who have taken Russian entities offline at times,Footnote ³⁶ and on the opposite side, at least one ransomware group aligned itself with Russia, promising to retaliate against the West.Footnote ³⁷ Such groups raise legal questions about state responsibility both during and outside of armed conflict.

From the perspective of international lawyers, the cyber aspects of the Russia-Ukraine conflict suggest the increased urgency of efforts by states, academics, and civil society to clarify legal rules applicable to both high-end and gray-zone-like cyber operations.Footnote ³⁸ In some ways the legal frameworks for the high-end, major destructive cyberattacks are easier and further along. Many states appear to be coalescing around treating cyberattacks that produce consequences similar in scale and effects to conventional uses of force as equivalent to the conventional uses of force that they resemble.Footnote ³⁹ But much more work remains to be done on the gray zone-like questions arising both outside and inside armed conflict. For some issues that means setting a rule—which cyber operations below the use of force threshold violate international law? Or what kinds of effects serve to qualify cyber operations as “attacks” for purposes of international humanitarian law?Footnote ⁴⁰ For other issues, work remains on how to make existing rules—like the responsibility of states for non-state actors—effective in the cyber domain.

Developing more international rules after Russia's flagrant violations of the most sacrosanct of international law provisions on the use of force and territorial integrity may seem an ironic recommendation. But it is not. The Ukraine invasion has not (yet) escalated into a direct conflict between superpowers, and for this conflict and other operations outside international armed conflicts, greater clarity about the rules for cyber operations can help to avoid or at least manage escalation.Footnote ⁴¹