Is Ukraine the Cyberwar That Wasn’t?
Although there has not been a “cyber Pearl Harbor,” there are many disruptive actions consistent with “grey zone” tactics.
Is the Russian-Ukraine conflict “the first cyber world war”? Researchers, scholars and government officials appear divided on the question. Nadiya Kostyuk and Erik Gartzke argue that given the absence of a (known) major or crippling attack, “cyber dogs have yet to bark.” Others, such as Thomas Rid, contend that cyber has been and continues to be a major part of the conflict, but that covert operations remain cloaked in secrecy, away from public view.
With warnings issued by the American, British and Canadian governments of threats to critical infrastructure (from either a direct cyberattack or spillover from Russia’s indiscriminate use of its cyber weapons) in the lead-up to the conflict, as well as Russia’s history of using malicious cyber activity against Ukraine, the absence of visible cyber activity raises important questions about what “cyberwar” actually is, and how we can know if one is taking place.
Despite the apparent disagreement over whether there is a cyberwar in Ukraine or not, a deeper dive into recent commentary on the topic reveals that both sides of the debate are actually arguing very similar things.
For example, no one is denying that cyber is playing an important role in the conflict. In April, Microsoft identified several different strains of malware being used, and reported that known Russian cyberthreat actors were positioning themselves in Ukraine as early as March 2021. And coinciding with their invasion on February 24 this year, Russia targeted Viasat, a communications company, disrupting broadband in Ukraine, with spillover effects in other European countries.
However, given that Russia has not performed well militarily in its invasion of Ukraine, it is not surprising that its cyber performance is also underwhelming — or, at least, lacking in the frequency, intensity and effectiveness that had been predicted. Successful cyber operations are intricate, expensive, and hard to plan and execute. If Russian planning was poor overall, it is likely it extends to cyber elements as well.
Additionally, given its own expectations that it would quickly conquer Ukraine, Russia may not have planned to use cyber in its campaign. As many authors point out, when it comes to capturing and holding territory, cyber is not as effective as bombs: only a few military objectives can be achieved with cyber, which is why the conflict in Ukraine is driven more by steel than silicon. It makes sense for militaries to focus on the most efficient and effective weapons.
Where there are differences of opinion, they surround the analysis of unknowns, such as the extent to which Russia is attempting to coordinate its military and cyber operations.
Moreover, although there has not been a “cyber Pearl Harbor,” there are many disruptive cyber actions consistent with “grey zone” tactics — especially espionage, information operations and low-level attacks. It is possible, although by no means certain, that for Russia to achieve its aims in these spaces, it needs to maintain Ukraine’s infrastructure rather than take it out.
Interestingly, most arguments also downplay the role of deterrence, as traditionally conceived, when it comes to explaining Russia’s behaviour. Although Russia may be looking to avoid direct confrontation with North Atlantic Treaty Organization (NATO) countries, it is not at all clear that cyber would set the threshold whereby NATO would actually intervene in the conflict. Many writers acknowledge that Ukraine’s cyber-defensive strengths, especially after almost a decade of Russian cyberattacks on its infrastructure, give it considerable deterrence-by-denial capability. However, given the complexity of cyber defence, it is unlikely that this capability can alone explain a lack of major attacks.
Where there are differences of opinion, they surround the analysis of unknowns, such as the extent to which Russia is attempting to coordinate its military and cyber operations. For example, while some accounts emphasize the use of cyber as a tool used mostly by states for informational objectives rather than “war,” other reports suggest that there is a link between the use of cyber tools and Russia’s kinetic operations.
Ultimately, one’s interpretation of the role of cyber in this conflict likely depends on a prior understanding of what a cyberwar might look like. Those expecting debilitating attacks and the destruction of infrastructure as key signifiers will view their absence as a lack of cyberwar. Those who see cyber as a tool, particularly as a covert one, are more likely to argue that cyberwar is indeed taking place.
But perhaps the best takeaway from this discussion is that it is important not to overgeneralize the role of cyber when it comes to armed conflict. While cyber weapons may have played a limited or restrained role in Ukraine, they may make sense for and be employed in future conflicts. As with any military weapon, the use of cyber will depend more on what objectives or outcomes states are trying to achieve rather than be an automatic given. A rationale for using more devastating cyber weapons may emerge, for example, where states may wish to strike from a distance, rather than occupy territory.
In other words, while the use of cyber in Ukraine does not provide a definitive model of cyberwar, it helps to show how the goals, capabilities and interests of states dictate how such tools will be used in future conflicts.
This piece is co-published with Newsweek.
The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.
ABOUT THE AUTHOR
Stephanie Carvin is an associate professor of international relations at the Norman Paterson School of International Affairs, Carleton University. From 2012 to 2015, she was a national security analyst with the Government of Canada.