Assess Russia’s Cyber Performance Without Repeating Its Past Mistakes
Many observers saw Russia’s February invasion of Ukraine as the first case in modern history of a great power with near-peer cyber capability waging a major conventional war. Moscow’s cyber operations to disable Ukrainian satellite communications, wipe data from several of its state and civic organizations, and peddle disinformation to its public provide ample data to consider. Analysts are already trying to measure Russia’s cyber performance against prior expectations. Were they merely concurrent with kinetic strikes, or in coordination? Which operations were failures, and which were successfully executed?
A Russia-focused examination, however, must factor in the uniquely expansive way Moscow views “information warfare,” a blanket concept entailing not only cyber operations against technical infrastructure, but also adversary hearts and minds, and public perception more broadly. Moscow has long cultivated a view of information and technology that is informed in part by its own assessments of U.S. military operations. Their takeaways have historically assigned intentionality and orchestration to events far beyond the remit of U.S. capability, resulting in grand but unrealistic expectations about how information can be weaponized — both against and on behalf of the state.
Against this historical backdrop, U.S. strategists should measure Russia’s cyber performance in Ukraine by its own yardstick. Moreover, they should take lessons from Moscow’s experience, ensuring U.S. threat perceptions of, and ambitions within, the information domain are guided as much by the practical limitations therein as by the theoretical possibilities Moscow has conjured.
Prominent Russian theorists have long surmised that the scales of conflict would tilt in favor of technology and information over physical violence in the Information Age. In 1999, NATO air operations against Serbian targets were an opportunity to test these theories. Operation Allied Force, in their view, not only followed the model of “net-centric warfare” — technological connectivity enabling superior intelligence and targeting — but likely entailed the use of new, non-kinetic weapons wielded from a computer. Meanwhile, leaks to journalists in Washington about unused yet ominous NATO cyber capacity, which putatively might have neutralized Belgrade’s air defenses with but a few keystrokes, likely further fueled such suspicions. At the same time, Western narratives about the atrocities being committed by Serbian leader Slobodan Milošević and his forces dominated cable news coverage.
By the end of that year, Russia’s defense minister Igor Sergeyev warned that the conflict in Kosovo signaled that the United States had achieved new degrees of proficiency in “contactless … and virtual” information support of combat operations, a proficiency which needed to be countered. Russia’s military minds concluded that technical and psychological weapons — two sides of the same coin under its own information warfare concept — would take center stage in the new Western way of war. They concluded that the potential of these weapons — plainly speaking, cyberattacks and digital propaganda — to shape not only the battlefield but also decision-making and popular will, would soon rival bombs and bullets. Russian doctrine needed to reflect as much.
In fact, U.S. and allied information operations — which largely centered around public messaging and media outreach — appear to have fallen far short of both Russian assessments and the Pentagon’s own hopes. U.S. military after-action reviews concluded that it was “perhaps the greatest failure of the war,” not planned or coordinated, but “implemented ad hoc as the situation arose” and stymied by organizational dysfunction.
U.S. military doctrine defines information superiority as “the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary’s ability to do the same.” However, experts at the U.S. Foreign Military Studies Office went so far as to characterize the notion of allied information superiority against Serbian forces as a myth, detailing a string of intelligence, targeting, and messaging failures in the Kosovo operation that left enemy comms channels open, NATO comms compromised, and the Milošević regime’s propaganda unimpeded. Meanwhile, nascent U.S. military cyber units at that time had freshly sprung from parochial turf wars over mission space and bureaucratic debate within the Pentagon, and could barely contribute to any operational impact — much less against Serbian air defenses.
This disparity in assessments would only gather more momentum over subsequent years and geopolitical developments. Moscow began compensating for Russia’s relative military, technological, and soft-power weaknesses by infusing its approach to espionage, diplomacy, and propaganda with ever-more paranoia and accusations of U.S. machination. This mindset would come to stymie the search for common ground on cyber norms, fuel an explosion in state-backed propaganda abroad, a domestic crackdown on digital media freedoms, and a host of belligerent behaviors in cyberspace.
Adversaries often respond to their flawed conceptions of — and project their own intent and insecurity onto — each other. Robert Jervis wrote that “actors tend to see the behavior of others as more centralized, disciplined, and coordinated than it is.” This tendency is certainly evident in Russian thinking about U.S. capabilities over the past two decades.
For example, in 2005 the Russian Academy of Military Sciences touted information warfare’s capacity to alter the entire societal consciousness, affecting a nation’s very capacity to wage or sustain combat. After a string of popular revolutions in former Soviet states, as well as the Arab Spring — in which social media played a crucial role — Moscow began to rule out the idea that any organic wellspring of public discontent was possible absent high-level orchestration from abroad. Senior Russian military officials began to hold forth on how information tools were key ingredients of a new type of undeclared war, one in which violence would play a smaller role, with civilizational implications well beyond the military realm. Most notably, in a 2013 essay Chief of the Russian General Staff Valery Gerasimov alluded to the West’s apparent capacity to unleash rapid and cataclysmic geopolitical unrest using “technologies … and information networks.”
These assertions again contrast strikingly with those from U.S. counterparts during the same period. Lt. Gen. Michael Hayden, former head of the National Security Agency, characterized U.S. offensive cyber capabilities in 2005 soberly as “virtual graffiti on digital subway cars.” Several years later, a post-mortem assessment of U.S. Cyber Command’s Operation Glowing Symphony — which had been intended to disrupt the self-proclaimed Islamic State’s finances, recruiting, and propaganda — revealed how interagency turmoil and technical insufficiency largely hamstrung a great power’s digital advances on a much weaker adversary. While Moscow may have believed that the U.S. military had pioneered a “new generation” of information warfare, then-Defense Secretary Ash Carter described Cyber Command’s performance as “largely disappoint[ing].
More recently, a former senior Cyber Command official recently lamented,
we haven’t decided yet what is or isn’t information operations, information warfare, cyberspace operations, operations in cyberspace that enable information operations … Is it about spectrum, is it about IP [internet protocol] space, OT [operational technology] space, is it about cognitive operations, beliefs and understanding and motivations for operations? … We just haven’t yet decided.
Readers will rightly point out that Moscow takes a far more expansive view of information warfare than the United States. The real question is whether that has proven to be an asset or a liability, particularly in Ukraine, where information operations appear to have failed, even where conventional forces have gained ground.
These are mere snapshots in history, of course. Much about previous U.S. and Russian operations in the information space remains unknown and unknowable. It is safe to conclude, however, that rather than acknowledging uncertainties about correlation and causation in that environment, Moscow has combined its certitude of Western intent and its distrust of uncontrolled technologies into an overinflated concept of information warfare. Analysts should be cautious, however, not to conflate the self-reinforcing logic of that concept with operational coherence, much less strategic impact.
The notion that the complex web of technical and sociological networks underpinning an adversary’s will and ability to fight could be exhaustively catalogued and conclusively subverted indeed requires a certain hubris. Even more so to synchronize that effort with artillery and troop advances. Russian theorists appear to have spent the Information Age overindulging that hubris — superimposing a linear logic to conflict and attributing far more control and intentionality to the United States than was ever truly warranted.
The information environment is chaotic and lends itself poorly to mechanistic designs, a heuristic which ought to guide expectations, irrespective of Moscow’s vaunted aspirations. The broader a state’s approach to information warfare, the more numerous the contingencies and variables it must account for, and by extension, the more omnipotent its command and control must be. This feeds a monolithic view of decision-making on one side of a conflict, and a conspiratorial view on the other, neither of which are likely to match reality. As Martin van Creveld wrote, “no success is possible — or even conceivable — which is not grounded in an ability to tolerate uncertainty, cope with it, and make use of it … nothing is as inconducive to victory in war than to wage it on technological principles.” Like so many elements of strategy, the reach of abstraction usually exceeds the grasp of experience.
The United States is not immune to these conceptual traps. Despite the fact that Gerasimov’s analysis was less a prescription than a warning — and that political subversion is neither new nor exclusively Russian — Western commentators notoriously mischaracterized it as Russian “doctrine.” This flawed conception was only further reinforced by Russia’s digital onslaught against the 2016 U.S. presidential elections. Entire government bureaucracies, lines of academic study, and civil society initiatives cropped up in response, but researchers and officials struggled to empirically quantify its impact, including on election outcomes. Nevertheless, by 2018, a St. Petersburg office park full of online mercenaries had so seized the U.S. national security establishment’s attention that Cyber Command reportedly disrupted the Kremlin-linked troll farm — albeit temporarily — on the day of the Congressional mid-terms.
The prospect of Russian online actors covertly conspiring en masse to conclusively manipulate the American democratic process became something of a “hypersecuritized” threat — not exaggerated, per se, merely untested, easier to conceive of than to validate. Combined with the glut of incentives for threat inflation in modern-day political and media discourse, it is all too easy to draw inflated caricatures of opponents, prompting policies and resource expenditures that risk bringing about the very outcomes they were designed to avoid.
In short, while attempting to gauge Russia’s cyber successes or failures in Ukraine or any other theater, U.S. strategists must recognize Moscow’s vast ambitions and deep suspicions in the information environment without automatically assuming success nor adopting this conspiratorial mindset as their own.
Impactful, In Theory
None of this is to discount Moscow’s disruptive and costly affronts in the information domain. Russian actors remain among the most sophisticated and threatening in cyberspace: Ukrainian and Western critical infrastructure, elections, and societal cohesion are all likely to fall into their crosshairs. However, in the context of conventional armed conflict — with all the urgency, destruction, and violence it entails — the fog of war is perhaps thickest in the information space. Conventional military analysts apply a similar theme to Russian conventional forces’ performance, noting that political assumptions are a precursor to war, but structural choices are key to success or failure within it. The same rubric applies when assessing Moscow’s information warfare, including the natural impediments to its fiercest conceivable expression. An abundance of observed, disruptive cyber activity does not necessarily translate into evidence of strategy on the adversary’s side, nor strategic impact on our own.
The issue is less that Western observers might have overestimated Russia’s cyber potential in its war on Ukraine, more that they almost certainly underestimate the complexities and frictions which separate intent from execution, intensity from effect. Particularly in the still murky arena of information warfare, the chasm between theory and practice remains wide. Moreover, in an era of apparently robust intelligence insights into the Kremlin’s designs, it may prove far easier to slip into erroneous assumptions based thereon, the foremost being that intention necessarily equals capability.
Gavin Wilde is a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace. He previously served on the U.S. National Security Council as director for Russia, Baltic, and Caucasus affairs, where his focus areas included foreign malign influence, election security, and cyber policies. He is also a 15-year veteran of the U.S. intelligence community and a distinguished graduate of the National War College, where his studies focused on information warfare. The views expressed here are his own.