Preventing Cyber Escalation in Ukraine and After
Editor’s note: Don’t miss our comprehensive guide to Russia’s war against Ukraine.
With the world worried about the risk of nuclear escalation between Russia and the West, now might also be a good time to worry about the risk of cyber conflict escalating to war as well.
In recent years, a number of scholars and practitioners have argued that cyber conflict should be seen as an intelligence battle or pressure-release valve rather than something that could escalate into actual conflict or war. Indeed, to date, no state has responded to a rival’s cyber attack with a kinetic reprisal. But that does not mean it will not happen now. As geopolitical circumstances change, the escalatory potential of cyber capabilities is likely to change as well.
Moscow, for example, might respond to Western sanctions with intensified cyber attacks. Or Western leaders, recognizing that no-fly zones are too risky, might approve cyber interventions to prevent civilian massacres instead. In either case, they could well assume this escalation would not meet with a direct military response. And in either case, they could be wrong.
Minimizing this risk requires both recognizing and respecting the latent but strong escalatory potential of cyber attacks. It also involves delving deeper into the psychology of the situation, as escalation will be driven as much by the perceptions and misperceptions of the participants as any technical aspects of cyber warfare.
The Great News
So far, cyber attacks have not proven particularly escalatory or effective on the battlefield. Even the most provocative incidents that came closest to resembling kinetic attacks, such as Stuxnet or the ransomware attack on Colonial Pipeline, have not led to particularly menacing crises, much less war. If anything, over the past decade cyber capabilities have helped de-escalate crises, acting as a “non-kinetic option for leaders who feel pressure to act in a crisis, but who are wary of using force.”
The U.S. conflict with Iran offers a clear example. After Iran attacked several oil tankers and downed a U.S. drone in June 2019, President Donald Trump canceled punitive U.S. airstrikes at the last minute out of concern that the casualties could prompt further escalation. However, he allowed nonlethal cyber disruption of Iranian computer systems, anticipating Iran would not respond violently. Indeed, Iran’s supreme leader “blocked any large, direct retaliation,” limiting the country’s response to the cyber realm.
Scholars have offered different explanations for the non-escalatory nature of these attacks. Cyber effects are “uncertain and often relatively limited” and “offer great powers escalatory offramps [and] signaling mechanisms” to de-escalate. In the “cyber strategic competitive space short of armed conflict,” states have “tacitly agreed on lower and upper bounds” and accordingly “have mutual interests in avoiding escalation to violent conflict.” Cyber conflict also has characteristics of an intelligence, not military, contest.
The Bad News
Cyber conflicts have flourished during a relatively peaceful time when major powers generally did not invade one another. Perhaps cyber capabilities acted as a pressure release simply because in the post-Cold War period states usually wanted to de-escalate and the geopolitical stakes were not that high anyway? What happens now when Moscow feels that the stakes are much higher?
Already there have been warnings that if Russian forces face further setbacks, Putin may lash out in desperate and ultimately self-harming ways. A major cyber power has never faced such a crisis before, so past performance may be a limited indicator of future potential. In fact, the very perception that cyber attacks are non-escalatory might itself increase the risk of unintended escalation.
There are multiple ways cyber conflict around the Ukrainian invasion might escalate into a direct conflict between Russia and NATO, possibly as a result of either side’s offensives.
First, Russian offensive cyber operations might spark a wider war. President Vladimir Putin has declared sanctions “are akin to a declaration of war” and may see aggressive cyber attacks as the perfect response, particularly since they are reversible and non-lethal. Russia has been entangled with Western economies for decades, especially in the realms of energy and finance. But now, as ties are being severed quickly and viciously, Russia no longer has to fear the backlash if its cyber forces were to disrupt Western banks or liquified natural gas terminals. If you are dealt out of the game, why not just flip the table?
Russia’s cyber generals may be just as enthusiastic as their Army counterparts. They may assure Putin their forces are ready for battle and can quickly and bloodlessly get the West to back down. Putin could be convinced disruptive attacks against the West are no big deal, a low-cost signal that the West should de-escalate or just the next natural move in a non-escalatory intelligence contest. After all, U.S. research found that in response to cyber attacks, “Americans are less likely to support retaliation with force” compared to a more traditional strike.
This can lead to escalation in two ways. The United States — along with countries like the United Kingdom, France, and the Netherlands — might well decide to defend forward against such attacks. Gen. Paul Nakasone, the commander of U.S. Cyber Command, has insisted his forces “must take this fight to the enemy, just as we do in other aspects of conflict.” His then-deputy has also argued that the United States “cannot cede any territory” to adversaries as the “Russians will keep pushing until we push back on them.”
Worse, Dmitri Alperovitch recently warned that if Russia launches cyber attacks after “[h]aving already exhausted the power of economic sanctions, America and its European allies would have few choices other than to respond to these attacks with offensive cyber-strikes of their own.” Such dynamics can feed a spiraling escalation in cyberspace that might take on a life outside of the control of policymakers.
Second, Western offensive cyber operations might spark war. U.S. cyber espionage and operations against Putin, his cronies, or Russia’s military forces will appear far more ominous to Putin if he believes they are aimed at regime change. Could Putin turn the other cheek if the United States were to electronically raid the cryptocurrency wallets of Russia’s sanctions-avoiding kleptocrats? He might feel the need to escalate his own cyber operations as part of his own version of defending forward.
Escalation could happen on the battlefield as well. According to the New York Times, teams from U.S. Cyber Command are “in place to interfere with Russia’s digital attacks and communications.” Other teams are almost certainly collecting digital intelligence on the location and intent of Russian combat forces. The United States is sharing such intelligence with the Ukrainians but apparently not yet providing any real-time targeting. That may change soon, as the United States seeks to alleviate intensifying attacks on civilians. And with his KGB-bred paranoia, Putin might already see the presence of U.S. defensive and intelligence teams operating on or against Russian military networks as evidence of direct U.S. involvement in the war. Confirming his apparent belief that Ukraine is just a NATO puppet, this might force a response, either inside or outside of cyberspace.
Further, if Western governments have infiltrated Russia’s operational military networks, they may feel pressure to disrupt those networks to prevent civilian massacres. Because cyber capabilities are billed as non-lethal, reversible, and non-escalatory, tub-thumping newspapers may push decision-makers to take shots they might not otherwise: “We can’t create a no-fly zone but can use cyber capabilities to prevent civilian harm.” Some well-meaning national leaders may succumb to this pressure, potentially causing a larger conflict.
Even if Russia and the West avoid direct conflict this time, they might not be so lucky the next. As relations worsen, future disruption of critical Western infrastructure by Russian intelligence, such as the NotPetya and Olympic Destroyer attacks, are less likely to be viewed as mere crimes. Repeated crises bordering on war may further erode the tacit agreements and relative restraint of quieter times. After repeated iterations of intensifying cyber operations, both Russia and the West may feel their backs to the wall with few options left other than military force when the next crisis — physical or cyber — emerges. Under extreme conditions, some of the same characteristics that lead cyber capabilities to be a pressure release might have the opposite effect, a mechanism that Bob Jervis and I have described as the Escalation Inversion.
If Putin believes a direct conflict with NATO is likely and expects its adversaries to take measures to reduce vulnerabilities, he could conclude that the best possibility for success is to launch a massive preemptive cyber attack. Since the U.S. military may seem otherwise unbeatable, this may lead Russia to “compensate with audacity in order to redress the balance.” The more the United States brags about its overwhelming offensive cyber advantage, but frets over weak defenses, the more any adversary might feel the need to target the United States as early and as hard as possible.
If Russia fears war with the United States may happen on Saturday, it might feel the need to get in its cyber punches on Friday. If the United States thinks the same, it may need to start on Thursday. Cyber capabilities may be to World War III as mobilization timelines were to World War I.
Since a cyber sucker punch may also seem less escalatory, adversaries could be tempted to take risks they would not otherwise. In this situation, the sense that cyber is a pressure-release valve becomes positively dangerous: If the system is seen to be stable, then there is less reason to act with restraint, thereby making it less stable. Fortunately, the good news is leading U.S. policymakers appear attuned to this risk.
How can Washington reduce the risk of cyber attacks escalating into a direct conflict with Russia? First, by recognizing it. Cyber conflict may be an intelligence contest or a pressure release in peacetime and something quite different during or after a major war in Europe. Cyber war may be far easier to stumble into when states fear the wolf at their door.
Second, escalation control requires a better understanding of political psychology — specifically the mindset and desperation of one inscrutable, increasingly isolated, and blood-covered tyrant. There were more than enough expert commentators who believed that Putin would never invade Ukraine because it objectively seemed so irrational. Assessments of cyber escalation must also cover seeming irrationality, including the misperceptions, mistakes, and miscalculations that can lead even the most rational leaders to get caught up in an escalatory spiral that is no longer under their control.
Third, preventing escalation requires military and intelligence leaders to understand and respect cyber capabilities. Cyber capabilities are not “magic invisible weapons” but rather real weapons with massive, cascading consequences. They have a range of advantages and restrictions that sober-minded national leaders should approach as they would any other weapon.
Finally, even if we dodge a bullet this time, we should not become complacent. Personally, I would put the chances of cyber conflict escalating into a Russia–NATO war at less than 10 percent. With luck, escalation will not happen, and I will be written off as a “cyber catastrophist.” “Cyber doesn’t work like that,” we will tell ourselves. “Remember the lessons of the Ukrainian cyber non-war. Cyber doesn’t escalate. It isn’t useful on the battlefield or for coercing other states.”
This will hopefully continue to be true for weeks or even years. But the world is in the first few decades of an information age that will continue for a long time. The existential stakes of cyber conflict rise as more countries become more digitized and more reliant on vulnerable information technology.
Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs. He is the editor of the first history of conflict in cyberspace, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012. He helped to create the world’s first cyber command in 1998, the Joint Task Force for Computer Network Defense, where he was one of the pioneers of cyber threat intelligence. He was formerly a director for cyber policy at the White House and created Goldman Sachs’ first cyber incident response capability.