June 10, 2022
IntelBrief: Could Confrontation in Cyberspace Escalate the War in Ukraine?
Experts believe that Ukraine (and its Western backers) and Russia have been consistently engaged in a cyber faceoff since well before the February invasion; the nature of this cyber engagement and the parties to it have been the subject of much speculation. Prior to last week, government comments had primarily focused on observed Russian aggression and warnings of retaliatory attacks in response to Western sanctions. This changed on June 1, when the Director of the U.S. National Security Agency (NSA) and Commander of U.S. Cyber Command, General Paul Nakasone, confirmed that the U.S. had engaged in offensive cyber operations in support of Ukraine. The content of the announcement, however, is not necessarily surprising. The NSA had “hunt-forward” teams deployed to Ukraine as recently as December, and as the target of these operations, the Russian state was likely, at least in part, already aware of their existence. Furthermore, this revelation is consistent with the U.S.’s persistent engagement doctrine, which calls for implementation of offensive and defensive capabilities in partnership with allies to disrupt hostile cyber actors before they can threaten U.S. and allied networks. This policy, which is often described as “defend forward,” provides U.S. cyber teams significant latitude to operate on hostile networks and disrupt threat actors in their own digital staging areas.
General Nakasone’s public confirmation could, however, be considered an escalatory move, especially in the context of the recent U.S. decision to supply Ukraine with sophisticated rocket artillery known as M142 High Mobility Artillery Rocket Systems (HIMARS), a mobile unit which enables the launching of multiple, precision-guided rockets. However, without additional details on the types of offensive operations the U.S. executed, it is difficult to evaluate the statement’s true escalatory impact, and the statement may not be as provocative as it initially appears. Offensive cyber operations encompass a wide range of activities, some of which imply damaging or disrupting adversaries’ networks or physical infrastructure, but they also extend to exploitation of those networks for espionage purposes. The U.S. has already acknowledged providing intelligence support to the Ukrainian government, so it is entirely feasible that General Nakasone was referring strictly to intelligence collection operations. That being said, escalation is subjective by its very nature, and in times of crisis, tolerance levels for provocation can shift unexpectedly.
Although Russian cyber operations have posed a persistent threat to Ukraine in recent years, thus far the conflict has been characterized by narrowly focused applications of cyber capabilities, and the civilian population has largely been unaffected by their use. On May 10, E.U. officials publicly attributed a February cyberattack, targeting commercial satellite communications company Viasat, to the Russian government. In what was likely a coordinated move, the U.S. and U.K. released similar statements hours later. According to the British Foreign Office, the attack was launched an hour before Russia’s full-scale invasion of Ukraine and was intended to degrade the Ukrainian national command and control network. The attack seems to have temporarily achieved this objective; however, it also triggered internet outages across several European countries, disconnecting thousands of private and commercial users for up to two weeks. Despite its limited operational effects, this attack remains the highest profile cyber operation conducted so far in the war. This does not imply significant clandestine cyber operations have not been carried out. In all likelihood they have, as the recent U.S. statement suggests. Therefore, it is important to acknowledge the resilience demonstrated by Ukraine’s cyber defenses. Years of experience fending off Russian cyberattacks and support from Western allies seem to have prepared them well for the conflict.
The absence of an effective Russian cyber offensive came as a surprise to many experts and governments. However, the general unpreparedness demonstrated by the Russian military in the early days of the campaign may help to explain the lack of coordination between Russia’s cyber and conventional military components. It may also be indicative of Putin’s initial aim to quickly replace Ukrainian leadership with a new regime, in which case it would have made sense to focus the effects of a cyber offensive to isolate Ukraine’s leadership, while limiting collateral damage across the country. This is not to say that Russian government and Russia-aligned cyber groups have not played a role in the fight. Cyber threat actors continue to target the Ukrainian government, military, infrastructure, and private citizens with lower-profile attacks. These attacks have largely focused on data collection and espionage, disruption of Ukrainian government and key industry activities, and the spreading of disinformation to confuse Ukrainian civilians and muddle the war narrative, tactics reminiscent of Russia’s interference in U.S. domestic politics. To date, cyber has not played a publicly escalatory role in Russia’s renewed invasion of Ukraine, but as the war drags on and war fatigue sets in, both sides will seek new advantages to tip the scales in their favor.