Why Russian Cyber Dogs Have Mostly Failed to Bark
Nearly three weeks ago, U.S. President Joe Biden was purportedly presented with a range of cyber options to counter the Russian invasion of Ukraine. So far, not much is known about the administration’s cyber calculus as the Western response remains focused on imposing punishing rounds of economic sanctions (which include travel bans, asset freezes, and the removal of specific Russian banks from SWIFT) against Russian President Vladimir Putin and the top cadre of military officials and oligarchs in Russia. Though it is possibly the strongest economic sanctions package imposed to date — and has been joined by the imposition of limitations to online services and advanced technology access by tech’s Big Five — it still remains unclear if the sanctions will actually compel Putin to change course and stop the invasion.
Is there then a case to be made for the use of cyber operations to compound the pressure on Russia by increasing costs? And would U.S. cyber action against Russia in light of the invasion of Ukraine expand the conflict — including to the use of conventional or nuclear weapons?
Given the limited achievements of the Russian military to date, Putin faces increasing pressure to show concrete results on the ground. The broad use of cyber capabilities could thus propel the West further up the escalation ladder without clear de-escalatory crisis off-ramps. This may suggest a more limited role for cyber in this conflict.
The notable absence of cyber options employed so far has puzzled cyber security experts. While Ukraine has certainly been on the receiving end of Russian cyber assault, cybergeddon-scale attacks are missing. Scholars suggest that cyber operations employed by Russia against Ukraine prior to the invasion have been a failure in that the Kremlin has not successfully forced Ukraine to shift eastwards and reorient towards Moscow. However, policymakers and experts remain concerned about the cyber escalation potential and speculate about several explanations for the lack of large-scale cyber events launched by Russia to date. First, as media reports suggest, the United States took on some of the early work to prepare Ukraine for a cyber onslaught in the aftermath of the invasion of Crimea. For example, in 2018 the United States made gestures to encourage cooperation in Ukrainian cyber defense including passing the Ukraine Cybersecurity Cooperation Act of 2017 (though the bill only passed the House and not the Senate). Since then, the United States has deepened strategic defense cooperation with Ukraine, including intelligence sharing. In addition, NATO has worked with Ukraine to boost its cyber defense and counter “Russian aggression in cyberspace.” These defenses may have worked well, causing Russian attempts to fail. Second, Russia may be holding some of its cyber assets in reserve, and waiting for the right moment to strike — ostensibly using cyber as a force multiplier as they push deeper into Ukraine might best aid the invasion. Security researchers also speculate that as sanctions continue to wear Russia down, governments, financial, and other institutions may become targets of reprisals both in Ukraine and the West.
For the West, employing cyber capabilities could be an attractive option that is higher on the escalation ladder than sanctions. The use of cyber operations alongside economic sanctions has been tested in the past and there is circumstantial evidence to suggest their success. Both presidents George W. Bush and Barack Obama chose to employ the Stuxnet virus against Iran, once economic sanctions started to fail in preventing the development of the Iranian nuclear program. According to Fred Kaplan, Bush had considered cyber operations against Iran “something in-between air strikes and doing nothing.”
Ukraine has been described as Russia’s cyber lab. In the past, Russia has used a multitude of cyber options targeting its neighbor (with limited success). Here, cyber operations can be divided into two broad categories — operations targeting networked systems and operations targeting human minds (including cyber-enabled morale targeting). We have already seen both Ukrainian and non-state actors begin to flex cyber capabilities’ disruptive muscle to counter Russia through the targeting of networked systems by building an “IT Army.” But these operations are likely to have a limited role in the ongoing conflict — mostly because their maximum utility is usually during peacetime competition. We still do not know what the effects are likely to be in the midst of a full-scale war especially when the potential for miscalculation or cross-domain escalation is high. Whether the utility of cyber operations changes under conditions of militarized crisis and war versus conditions of competition is a critical question.
Avoiding Escalation to the Use of Military Force
For the rest of the world, escalation is a significant concern: Engaging Russia in cyberspace might drag the West into a conflict it has said it does not want to fight. Biden has stated several times that the United States will not go to war for Ukraine. This is especially important in light of President Vladimir Putin’s decision to change the alert levels of Russia’s nuclear forces, a move that the Biden administration has not yet reciprocated. As Biden’s Press Secretary Jen Psaki said, “At this time we see no reason to change our own alert levels. We think provocative rhetoric regarding nuclear weapons is dangerous, adds to the risk of miscalculation, should be avoided, and we will not indulge in it.” Indeed, while pondering options to support Ukraine, Western policymakers now grapple with the thought, “Tell me how we don’t get sucked into a superpower conflict,” at the front of their minds.
The use of cyber operations to undermine Russia amidst the ongoing invasion of Ukraine would not be an example of a “business as usual” operation envisioned by U.S. Cyber Command’s strategy of “Defending Forward” and “Persistent Engagement.” The U.S. cyber strategy mostly contemplates the use of cyber capabilities as tools of international peacetime competition. In fact, for the United States, the use of cyber tools during peak crisis-time is without a historical precedent. To date, current scholarship has primarily examined the effect of cyber operations in peacetime and gray zone conflict.
Moreover, much of the scholarship, including our own research, suggests that states do not use cyber capabilities gratuitously. In other words, for states to employ cyber in war-time, there needs to be a motive, and the tool selected must be the optimal one available to reach the desired goal. For example, recently, Russia chose to drop a bomb on a TV tower in Kyiv instead of perhaps conducting a distributed denial-of-service (DDoS) attack against Ukrainian TV stations.
What is considered a valuable target of cyber operations during crisis and war? Potential options vary typically from targeting infrastructure, to cutting off the internet and undermining GPS. For example, the target list published by the Ukrainian IT Army is long, and it includes both state and non-state targets, such as large businesses and banks. Because of the high degree of interconnectedness in the contemporary world, concerns remain about the unintended consequences of such cyber attacks, the risks of which were illustrated by the 2017 NotPetya attack by Russian hackers. Ukraine was the intended target, but the damage spread around the world.
For the West, the benefits of cyber operations targeting networked systems may be similarly mixed. Employing cyber capabilities could be used as a sign of American resolve, although research suggests that using cyber operations for signaling resolve might not be effective. Engaging in crisis control, the United States might choose to start going after critical Russian targets. We have already seen some of this: The United States has used pre-emptive (potentially cyber) operations to help assist the Ukrainians in their own cyber defense and to collect intelligence leading to the release of the information about potential Russian ploys or pretexts for invasion.
The Limitations of Cyber Capabilities in the Midst of a Crisis
Yet, the broader use of cyber in this conflict poses several challenges. Scholars argue that the battlefield relevance of cyber operations is limited, and that Russia turned to more costly conventional means because it could not get what it wanted on the cheap through cyberspace.
Research shows that cyber has limited signaling effectiveness. If the United States were to use cyber capabilities as a signal of its resolve, it would have to find a way to achieve one important goal — Russia would have to know whodunit. This might be easier to achieve during a crisis given that attribution becomes less challenging (that is, it becomes easier to point fingers during conflict). There is risk involved because cyber operations are most useful when carried out under the veil of secrecy and deception, for several reasons, including the transitory nature of cyber capabilities. Therefore, the goal of secrecy and deception is at odds with the goal of using cyber operations as a signal. To use cyber weapons as a signal, the United States might need to be willing to declare its operation, making it public. This in turn could have several important implications for international law, Russian domestic public opinion, and the West’s role in the war. Alternatively, the United States might need to let Russia know whodunit in a behind-the-scenes fashion, leading to a form of cyber backstage competition while banking on the hope that Russia would perceive its action as a sign of resolve.
Finally, building highly sophisticated cyber options (such as Stuxnet) is a challenging and lengthy process that might not be as cheap as it seems, despite the overall global proliferation of cyber weapons. Amidst a military crisis, it might be more expedient for a state to employ traditional means of warfare to achieve its goals, rather than resort to hacking.
Public attribution of any cyber incidents between Russia and the United States could have adverse impacts for conflict management. If Russia were to become the target of attacks publicly attributed to the United States, domestic public opinion might shift to support Putin’s military aims. On the other hand, despite many possible pathways towards escalation, targeting the United States and its citizens via cyber means does not make much strategic sense for Russia. Let us recall that the United States did not formally enter World War II before it was attacked in Pearl Harbor and other U.S.-held territory in the Pacific. Any attacks on the United States by Russia would be likely to push domestic audiences to seek retribution and shift public opinion toward active engagement in the conflict.
Further, in light of Putin’s order to raise the nuclear alertness levels, it is worth considering the effect of cyber tools on nuclear stability. For example, cyber exploitation might be an attractive tool for affecting nuclear command and control, which relies on computer networks. Yet attacking an adversary’s nuclear systems necessarily increases the risk of miscalculation. Wargaming research offers a similar conclusion, suggesting that the risk of using such capabilities lies in underestimating the danger of inadvertent escalation.
Escalating from One Theater to Another
There is also the risk of escalation to the use of military force. While much of the research to date shows that there is no real risk of cyber escalation — both in peacetime and during international crises — concerns remain of cross-domain escalation or moving between different “theaters” of warfighting. How will Russia view cyber ops (such as operational preparation of the environment) while it is fighting a war? Would American cyber operations effectively declare the United States or NATO’s direct involvement in the conflict, which thus far has been largely indirect through economic sanctions and military assistance?
Our own research suggests that there are serious concerns about the United States shifting between cyber and the physical theaters to defend itself and its allies and interests abroad. At the minimum, it raises the specter of miscalculation or accidental use. At worst, it could entrap the United States into a global war to defend itself or NATO allies. Gen. John E. Hyten, former vice chairman of the Joint Chiefs of Staff and former head of U.S. Strategic Command, warned about the possibility of the cross-domain response in a potential dispute, describing responding to an attack in space by using a broad set of options: “I will recommend a strategic response of some kind. But [it] may be conventional and may be in cyber, and it could be any number of things because it’s just war and war requires a response to an adversary.”
Thus, while the use of cyber weapons to target networked systems may seem appealing given the horrors of the conflict, the long-term implications of doing so are far from known and may actually catapult the United States into fighting a war it does not truly want to fight.
Alternatives: Cyber-Enabled Influence Operations
While cyber may have no direct effect in shaping battlefield outcomes as scholars suggest, cyber operations can take many forms. It would be a mistake to neglect the fact that modern conflict is a fight for human minds as well as for their technology. One route to (minimal) tactical gain that is least likely to create escalatory calculations, or miscalculation, is a focus on cyber-enabled targeting of Russian public and — perhaps most importantly over the course of an occupation — troop morale. Our research suggests that the effects of cyber capabilities for surveillance, sabotage, and cyber-enabled influence operations, targeting domestic audiences (including soldiers) in Russia and Ukraine may be significant. Indeed, the “Information War” in Ukraine and Russia is well underway. For example, Russia has been using influence operations to claim that the Ukrainian president Volodymyr Zelenskyy has fled the country, likely with the goal to affect morale in Ukraine. Russia also deployed influence operations in preparation for the invasion. Meanwhile, videos of Russian prisoners of war are going viral on social media. Western use of cyber-enabled morale targeting could be an important missing element. For example, our research shows that cyber-enabled influence operations can be used to micro-target individuals and present them with tailored messages that resonate with their prior beliefs. Cyber-enabled influence operations could be used to target the already low morale within the Russian military using truthful information, for example by emphasizing the shared history and moments of shared cultural pride, as well as to introduce doubt about Russian state media reports.
Lastly, our research suggests that social media, due to its micro-targeting functions, may also present an attractive tool for influence operations, which not only consist of disinformation and misinformation, but also truthful information strategically employed to target audiences. Russia knows this as well as any international actor, having weaponized information to interfere with the 2016 U.S. presidential election, using it as part of its “active measures” that have also been studied as elements of information warfare. Limiting Russia’s access to social media platforms may stall its cyber-enabled influence campaigns to sway domestic and foreign audiences during the war in Ukraine. For example, in support of the broader sanctions package, tech’s Big Five have already chosen to impose their own sanctions on Russia, limiting their online services and access to advanced technology. Although the limitations on exports that include semiconductors may only have an impact in the medium and long term, actions such as removing access to RT and Sputnik on Facebook could have immediate effects on the Russian capability to spread its message and carry on cyber-enabled influence operations.
The growing humanitarian crisis — as well as increasingly bellicose rhetoric from Moscow — highlights just how precarious the situation truly is. While cyber operations targeting networked systems, including infrastructure, might seem like attractive options, their impact is far from known and may lead to escalation and miscalculation during times of war. As an alternative, low-level, targeted cyber-influence operations against the Russian military or general public could serve to counter broader Russian information campaigns and compound pressure on Putin without risking escalation. Finding creative off-ramps and other means of deescalating across domains (including the promise of sanctions relief if Russia agrees to end its campaign of terror) may be the only way to stop the atrocities in Ukraine.
Jelena Vićić is a postdoctoral scholar with the Center for Peace and Security Studies (cPASS) at the University of California, San Diego (@JelenaVicic). Rupal N Mehta is an associate professor in the Department of Political Science at the University of Nebraska-Lincoln (@Rupal_N_Mehta).
Photo by Air Force Maj. Jason Rossi