There Is No Cyber ‘Shock and Awe’: Plausible Threats in the Ukrainian Conflict
The specter of cyber war is back. Not only does Russia’s massive military buildup along Ukraine’s borders bring a growing risk of the largest-scale military clash since World War II, but many analysts stress the potential for destabilizing and devastating cyber-attacks in its wake. Jason Healey predicts that if Russia invades, “the opening salvo is likely to be with offensive cyber capabilities.” William Courtney and Peter A. Wilson from RAND warn of the “massive employment” of cyber warfare tools to create “shock and awe causing Ukraine’s defenses or will to fight to collapse.” Accordingly, the United States and the United Kingdom have deployed cyber warfare teams to help Ukraine defend against an impending strategic cyber strike against critical infrastructure. Some go further, suggesting that Russia may not need to use military force at all, because cyber strikes can “achieve much the same effect from across the border.” This assessment is apparently shared by policymakers working on countering the Russian threat to Ukraine, with an (anonymous) senior Biden administration official recently stating as much.
These predictions suggest that cyber operations will provide significant strategic advantages to Russia either as complements to military force, or as standalone instruments — or at least that policymakers and commentators think that they will. Current warnings of escalating cyber warfare conjure deep-seated fears of cyber doom and the recurring specter of a “cyber Pearl Harbor” strategic surprise attack. In practice, however, cyber warfare has been a failure. Our research shows that cyber operations have remained irrelevant on the battlefield, while standalone operations to weaken Ukraine through election interference, critical infrastructure sabotage, and economic disruption largely failed to contribute to Russia’s strategic goals of making Ukraine abandon its pro-European Union and pro-NATO foreign policy. Consequently, current fears of cyber warfare defy not only Russia’s track record in Ukraine, but also strategic logic. Given that Russia’s cyber operations have failed to produce significant strategic value to date, why would we expect this to suddenly change now? Or, to put it more pointedly: If cyber operations offer such effective and potent instruments, why did Russia go through the trouble (and costs) to mobilize its troops? Current predictions of cyber onslaught do not offer a persuasive answer.
Giving in to these fears risks fighting phantom threats, playing into Russia’s hands by distracting from the need to counter its military threat and sowing fear and confusion — at least among Western audiences. A level-headed analysis of the threat that distinguishes what is theoretically possible from what is practically feasible is urgently needed. Our research suggests that, contrary to hysteria, cyber operations will remain of secondary importance and at best provide marginal gains to Russia.
Expectations Versus Evidence: Cyber Operations and Their Limits
There are three distinct perspectives on the strategic role and value of cyber operations in conflict. Early scholarship on cyber conflict expected cyber operations to be primarily important in conventional military conflict, enabling crippling strategic strikes analogous to the surprise attack on Pearl Harbor during World War II. If successful, cyber operations could thus be substituted for the use of force. Yet research throughout the 2010s made the limitations of cyber operations as a means of force projection increasingly clear.
Subsequent scholarship thus sees cyber operations primarily as complements to force. Possible effects include disrupting command and control and communications systems, sabotaging equipment and infrastructure, spreading disinformation, and conducting psychological warfare to undermine morale among enemy troops.
The third and increasingly influential perspective instead suggests cyber operations are primarily relevant in “gray zone” conflict short of war. In this view, cyber operations offer standalone instruments of power that can influence and weaken an adversary through critical infrastructure sabotage, economic disruption, and influence operations. Hence, as in cyber Pearl Harbor scenarios, it also suggests that cyber operations could substitute for the use of force — achieving similar goals without going to war. However, rather than through a massive surprise strike, this third school of thought expects the effects to be gradual and cumulative, eroding adversary strength over multiple operations.
The empirical record of cyber conflict, however, suggests that what is feasible in practice is far more limited. Ukraine has been a “giant test lab” where Russia, one of the world’s foremost cyber powers, has experimented with cyber operations for eight years. Yet these operations have failed to produce significant strategic value either as force complements or standalone tools.
The substitutability argument — that states can or do substitute cyber operations for the use of force — has little empirical support since Russia levied no major cyber operations against Ukraine in the runup to the military escalation of the conflict in 2014. While it is possible that we do not know about such operations given their veil of secrecy, it is clear that any attempted but undetected cyber surprise strike failed to produce any measurable effects.
Evidence supporting the complementarity perspective is similarly sobering. One of us has examined the role of low-level disruptive cyber operations in the military conflict and their relevance for battlefield events (and outcomes). Disruptive attacks can directly affect military operations as they seek to sabotage an opponent’s ability to fight. For example, the Russia-backed separatists in the Donbas and Luhansk regions used malware to retrieve data from mobile devices on the locations of Ukrainian artillery troops, facilitating better reconnaissance against these troops. Pro-Ukrainian hackers hijacked CCTV cameras behind enemy lines to obtain intelligence on the movement of Russian artillery in the separatist-controlled territories.
Focusing on the period of the most intense fighting, between 2014 and 2016 — the time when, if cyber tools are an effective complement to armed force, Russia would have been most likely to use them — we applied a series of statistical tests to thousands of cyber and military operations. The findings showed a strong, escalatory dynamic between military operations by both sides but no significant correlation in either direction between military and cyber operations, and no reciprocity between cyber operations. This evidence demonstrates that in one of the first armed conflicts where both sides used low-level cyber operations extensively, digital operations unfolded independently from the events on the ground and had no discernible effect on them. Hence, in stark contrast to expectations about the force-multiplying advantages of cyber operations, these findings suggest hacking groups faced considerable difficulties in responding to battlefield events, much less shaping them.
Finally, the track record of cyber operations as standalone instruments in gray zone conflict in Ukraine also falls far short of expectations. One of us has examined the operational mechanisms, effects, and strategic value of five major Russia-sponsored cyber operations, including election interference, critical infrastructure sabotage, and economic disruption. Contrary to prevailing expectations, the majority made no measurable contribution towards Russia’s strategic goals. The NotPetya operation, whose large-scale disruption of businesses wiped off half a percentage point of Ukraine’s gross domestic product in 2017, is the exception. Yet this operation underlined a key shortcoming of cyber operations: the risk of losing control over the spread of effects, producing unintended consequences, added costs, and correspondingly lowering strategic value. Forensic analysis by internet security company ESET revealed that the Sandworm hacking group underestimated how far NotPetya’s data-destroying malware would spread. It “went out of control” and spread far beyond Ukraine, even disrupting targets in Russia — including the state-controlled oil giant Rosneft. These disruptions within Russia will have caused additional costs, as did the sanctions that Western countries imposed on Russia in response to NotPetya’s international disruption.
Evidence from Ukraine thus supports neither the force substitute nor the force complement argument. Instead, cyber operations have been most relevant as standalone, lower-intensity alternatives to the use of force — more in line with the third school of thought. Yet by and large they fell short of providing measurable strategic value. Indeed, all available evidence indicates that Russia’s cyber warfare efforts against Ukraine — combined with its larger gray zone campaign — have failed to make Ukraine abandon its rapprochement with the West. That is why Russia has mobilized its army, attempting to prevent Ukraine from joining the Western alliance through threat of invasion.
Plausible Threats in the Conflict Ahead
Considering the underwhelming track record of cyber warfare in Ukraine to date, there is little reason to expect cyber doom of the kind that some now predict. For these warnings of a Russian cyber onslaught to become reality, cyber operations would need to produce effects at a scope and scale that they have previously failed to attain. Importantly, current warnings fail to make a persuasive case on why we should expect such a transformation.
Rather, they rest on the implicit assumption that with the change in strategic context, the role of cyber operations will change as well. This comes out clearest in Maggie Miller’s recent commentary suggesting that military escalation in Ukraine would finally herald “a true cyberwar” where Russia could “take down the power grid” or launch a disinformation campaign to undermine the government in Kyiv. Dmitri Alperovitch offers a more level-headed analysis, underlining that cyber operations alone will fall short of achieving Russia’s goals. However, he also suggests that they can complement force as an “extension of warfare itself,” disrupting command and control to provide battlefield advantages, sabotaging critical infrastructure, and undermining public trust in the government to “send a powerful signal that resistance is futile.” Yet, as we have seen, Russia has attempted most of these objectives in the past and has failed. Even in a full-scale invasion, we have the same aggressor, with the same hacking groups, with the same skill level going after the same sets of possible targets. Why would we expect different results?
Changing the strategic context of deployment does not change the mechanism of action that cyber operations rely upon to produce outcomes — and its intrinsic constraints. Cyber operations rely on a mechanism of subversion that exploits vulnerabilities in adversary systems to use them against the adversary. This mechanism holds great strategic promise but poses significant operational challenges. It requires creativity and cunning to remotely manipulating complex systems that others designed and operate without alerting the victim to one’s presence. These challenges produce an operational trilemma between the speed, intensity of effects, and level of control that actors have over these effects. This trilemma limits strategic value, since in most circumstances cyber operations will be too slow, too weak, and too volatile to contribute measurably to strategic goals. The constraining role of this trilemma is evident across all five of Russia’s disruptive cyber operations against Ukraine thus far, underlining their relevance. Importantly, all available evidence indicates that these intrinsic constraints limit the strategic value of cyber operations regardless of strategic contexts.
|Election Interference (2014)||Attempted to disrupt systems of Ukrainian Central Elections Commission, but missed backups that allowed swift restoration of systems.||Temporary disruption of Central Election Commission systems, no effect on election or vote counting.||Negligible|
|Power Grid Sabotage (2015)||Disrupted the power supply in eastern Ukraine. Victims could switch to manual control and neutralize it.||Temporary power outage (6 hours), no measurable economic or psychological impact.||Negligible|
|Power Grid Sabotage (2016)||Disrupted the power supply, but victims swiftly switched to manual control. Also attempted physical damage to power substation, but failed due to basic error.||Temporary power outage (75mins), no measurable economic or psychological impact.||Negligible|
|NotPetya Economic Disruption (2017)||Self-proliferating malware that disabled systems by encrypting data, affected economic and critical infrastructure disruption. Spread out of control.||Temporary disruption of public infrastructure and business, lasting destruction of data, significant economic damage across 65 countries (including Russia itself).||Uncertain|
|BadRabbit Economic Disruption (2017)||Manually installed malware that disabled systems by encrypting data. Designed to control spread, affected small number of targets.||Minimal and temporary disruptive impact on small number of targets, data restorable.||Negligible|
Source: Maschmeyer, Lennart. “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations.” International Security 46, no. 2 (2021): 51-90.
Considering these constraints, we argue that, counterintuitively, the main cyber threats in a future conflict will likely arise from the failings rather than successes of cyber operations. Hence, strategic cyber strikes capable of substituting for the use of force will almost certainly remain doomsday scenarios. While there is always a possibility of an actor being both extremely lucky and extremely skilled, the probability of compromising victim systems at a scope and scale capable of achieving a fait accompli of this kind is vanishingly small.
The successful use of cyber operations to complement and increase the efficacy of military offensive is more probable, but likely to provide mainly tactical advantages. Not only are there considerable coordination challenges, as our previous research has shown, but it is important to remember that cyber operations cannot bypass exploitation through force. Hence, they depend on the same subversive mechanism of exploitation as cyber operations during peacetime. Accordingly, cyber operations deployed against military targets that are integrated in a military offensive will suffer from the same limitations as operations deployed during peacetime. Moreover, because of the urgency of such situations and the need for close coordination, the slow speed and volatility of cyber operations likely further reduce strategic value in such contexts. The most likely use is exploiting vulnerabilities in specific military hardware in order to disrupt communications or facilitate targeting — the operation by APT28 against Ukrainian artillery groups illustrates the possibility, although its actual contribution to lethality likely fell far short of initial estimates.
Similarly, Russia is likely to continue an opportunistic use of cyber operations as standalone means to disrupt public life and cause economic dislocations, as it has done in the past. Yet like their predecessors these operations will continue to be too slow, too weak, and too volatile to produce significant strategic value. While it is possible that Russian-sponsored hacking groups could produce more intense effects in a more reliable way — provided that such operations were preceded by more long-term planning than those that we observed during the earlier stages of the conflict — the recently discovered intrusions do not support that assumption. Instead, they reflect opportunistic and short-term efforts that provide further support for the expected limitations of cyber operations. Specifically, a defacement campaign affecting 70 Ukrainian websites in January 2022 remained largely inconsequential and insignificant as most websites were quickly restored — no data was lost or completely destroyed. Initial analyses indicate this intrusion exploited the Log4J vulnerability, which had only become known a few weeks earlier — reflecting opportunistic and short-term planning. The second discovered intrusion, named WhisperGate — a “pseudo ransomware” that corrupts the content of the files without a way of restoring it — turned out to be less sophisticated than the NotPetya operation of 2017. Moreover, WhisperGate was discovered on the systems belonging to the Ukrainian government agencies before it could cause any damage.
As a result, rather than intentional disruption, the main cyber threat going ahead will be unintended disruption spreading beyond its intended target, as happened with NotPetya. Yet as with NotPetya, the greater the scope and scale of its detrimental effects, the greater the potential costs for Russia itself — and the smaller the resulting strategic value is likely to be. The clear efforts that the Sandworm group made to contain the spread of NotPetya’s successor “BadRabbit” suggests that the hackers and their superiors tried to minimize this risk. Hence, there is hope that rational leadership will reign in such impulses.
Staying Realistic About the Cyber Threat Helps to Build Effective Counterstrategies
While warnings of impending cyber doom make for great headlines and exciting reading sure to get policymakers’ attention, past and present evidence strongly suggests that this threat is overstated. Russia has tried for eight years to get Ukraine to abandon its pro-European Union and pro-NATO foreign policy through a mix of diplomacy, coercion, and subversion that included multiple cyber operations. These efforts failed. And it is because these efforts failed that Russia has now evidently shifted to a more costly and risky, but also more potent, instrument of power: military force.
Cyber operations are not strategically irrelevant, nor are surprise cyber strikes of strategic relevance impossible. Rather, in assessing their threat we should distinguish what is possible in theory from what is feasible, and thus probable, in practice. And here the evidence clearly indicates that cyber operations are neither likely to be capable of substituting for the use of force, nor of significantly enhancing military effectiveness. Hence, we predict that if escalation intensifies, military force will remain the primary instrument that Russia uses to attempt to compel Ukraine and, by extension, the Western alliance to comply with its demands. There is a risk of runaway proliferation of system disruptions spreading far beyond Ukraine as a result of botched cyber operations, but such uncontained spread is likely to hurt rather than support Russia’s strategic interests. After all, what does Russia have to gain from provoking a larger set of countries that may come to the aid of Ukraine?
Exaggerated fears of hypothetical cyber strikes — either used as substitutes or complements to military operations — distract from the clear and observable threat of invasion and, in doing so, may trigger misallocation of valuable resources needed to respond to it. Perpetuating such fears also risks playing into Russia’s hands by exaggerating its cyber capabilities and distracting from the need to prioritize efforts to counter its military threat.
Lennart Maschmeyer is a senior researcher at the Center for Security Studies at ETH Zurich. He holds a Ph.D. from the University of Toronto and co-chairs the FIRST Threat Intel Coalition as well as the European Cybersecurity Seminar. You can follow him @LenMaschmeyer.
Nadiya Kostyuk is an assistant professor at the School of Public Policy and the School of Cybersecurity and Privacy at the Georgia Institute of Technology. She directs the Cybersecurity Summer Institute and co-chairs the Digital Institute Discussion Group. She holds a Ph.D. from the University of Michigan. You can follow her @NadiyaKostyuk.
Image: Russian Ministry of Defence