Special Editions 3.3.23
Ep 50 | 3.3.23

CyberWire commentary: Ukraine one year on.


Dave Bittner: Welcome to this CyberWire "Special Edition" marking the one-year anniversary of Russia's war against Ukraine and its effect on cybersecurity. As the war has raged on, it's had major impacts on cybersecurity, both in Ukraine and around the world. Joining me is our CyberWire editor and senior writer, John Petrik. Stay with us.

Dave Bittner: It is my pleasure to welcome to the show John Petrik. He is the CyberWire's editor and senior writer. John, welcome back. 

John Petrik: It's good to be here, Dave. Thanks. 

Dave Bittner: So as we are recording this, it is just past the one-year anniversary of Russia's invasion of Ukraine. And I wanted to take this opportunity to kind of take stock with you - what happened, where we stand, what we expected to happen versus the reality, all those sorts of things. Can we start off with just the big picture? Where do things stand today, particularly looking at the cyber angle of this war against Ukraine? 

John Petrik: Sure. The big surprise that I think has taken everybody by surprise has been the Russian failure to end this war quickly, that it was widely believed when they crossed the border a year ago that the war would be over in a matter of days or at most weeks, that the Russian advantages in preparation and in manpower and in equipment were regarded as being so dominant that Ukraine would have little chance. Some of that's a matter of mistaken perspective, that Ukraine is not a tiny country. Ukraine is about the size of Texas in area. It's got a sizable population. So this is not a small place. This is not like Russia invading Luxembourg, OK? So Ukraine itself is big and while not nearly as big as Russia, still disposes of a fair number of resources. 

John Petrik: So the Ukrainians had more capability than they were generally given credit for. But the big surprise and the big picture has been abysmal Russian combat performance. And I think there's no other way to describe it than that way. Their equipment hasn't functioned as designed. They haven't been able to maneuver effectively. They haven't been able to combine their arms. Combined arms means integrating tanks, infantry, artillery, air, cyber, other forms of electronic warfare into a single operation where they support each other. They haven't been able to do that. They haven't shown an ability to maneuver, in particular. The army is pretty clearly road-bound, from the video you see. They have a tough time moving off the road, probably because they have difficulty not getting lost because they're not accustomed to moving off the roads. And with that kind of force, you're not going to be able to take and hold ground. And in fact, they've lost a great deal of the ground they took in those initial days, and the Ukrainians have continued to apply pressure to them, pushing them back throughout. So that's been the big surprise. 

Dave Bittner: Almost on a daily basis, we're talking about on our podcast how the cyber aspects have not lived up to the expectations. What do you make of that? 

John Petrik: I think that there was a lot of inflated hype about cyberactivity. How many times have you heard people talk about the possibility of a cyber Pearl Harbor - there's a bolt from the blue that's going to suddenly turn the lights off across an entire continent? And we've seen smaller destructive attacks work. We've seen it twice in Ukraine. In 2015, 2016, there were Russian attacks that did, in fact, take down for a period of several hours, a number of hours, sections of the Ukrainian power grid. So the idea was, well, if this is just staging, if this is just training, if this is just preparation, how much worse would it get when they actually went to war? In fact, it's harder to do that than one might expect. And it's easy to misread things, to think that there are capabilities that, in fact, don't exist because offensive cyber is just more difficult than it appears to be. Do you remember the appearance of the Mirai botnet?

Dave Bittner: Sure. 

John Petrik: That came out during a week when the NATO cyber Centre of Excellence was having meetings down in Washington - was holding a conference in Washington, D.C., and there were well-informed, intelligent, high-ranking people there talking about Mirai. And the consensus among them was that this thing that's just come out over the last couple of days is obviously a Russian proof of concept. This is clearly an attempt by the Russian intelligence services to test what they can do and show us what they can do. Eventually, the FBI determined what was behind Mirai about a week or two later - who was behind Mirai. It was a knucklehead undergraduate at Rutgers who was trying to gain an advantage in selling things to Minecraft players. 

Dave Bittner: Right. 

John Petrik: So it wasn't that nefarious bolt from the blue that we'd been expecting. So they haven't done that. Have they had some successes? Sure. There were successful wiper attacks in the early days and weeks of the war that destroyed some information on Ukrainian networks. But those in and of themselves weren't the kinds of things that those networks couldn't recover from. They didn't have a significant operational impact. Did they take out the Viasat ground station terminals with cyberattack? Yeah, they did. They were able to deny a lot of Viasat connectivity, but the Viasat connectivity was quickly restored and replaced by Starlink connectivity. So that hasn't been a factor since then. Since that time, what we've seen have been continued attempts by Russian intelligence services - some with some success - to attack Ukrainian networks in cyber-espionage operations. CERT Ukraine just yesterday, for example, announced that they had detected a backdoor that the Russians had installed back - actually quite a while ago, in December of 2021. And that backdoor has since been used to stage various forms of malware for collection purposes in certain Ukrainian networks. Now, CERT-UA thinks that they've got it contained, that they didn't have any serious - they didn't sustain any serious harm from that, but the point is that there's still a capability there. They're trying to do these things. But that seems to be cyber-espionage. 

John Petrik: The more disruptive attacks that we've seen since then have tended to be nuisance-level attacks, defacements, distributed denial of service attacks run by people who are best regarded as cyber auxiliaries; that is, people who are quasi private sector actors, patriotic hacktivists who are acting in the Russian interest, and they are conducting DDoS attacks against, for example, German airports or who are defacing websites. That's going on.

John Petrik: And then there's also the kind of privateering that we've seen for a long time. This is not new. This has been going on long before the war - that, notoriously, Russian cyber gangs have been tolerated and have operated with the protection and under the - and a certain degree of recognition by the state. You know, do what you want. Go steal whatever you can from the Americans, from the Germans, from the Japanese. Steal what you can. Just leave us alone, and leave friendly countries alone. If you keep your nose clean - you don't go after anybody who's working with a Cyrillic keyboard - you're OK. You're not going to get a knock on the door. 

John Petrik: So have we seen continued ransomware attacks by these groups? Yeah, we have, and those will continue to go on. Are those nuisances? Sure, they're nuisances, but they're not war winners, and they're not coordinated with other arms operations. They're not even as well-coordinated as conventional electronic warfare. They're not even as well-coordinated as jammers that might take down a radio network - tactical radio network. 

Dave Bittner: Stick around. There's more to our conversation after this. 

Dave Bittner: From the point of view of the global community, how does this experience inform the future of cyberwar? What are other nations watching taking away from this? 

John Petrik: I think they're learning that offense is difficult and defense is possible. I think that's the big lesson. I think that many of the lessons being learned are probably lessons that we're not going to be aware of. I'm sure there are things that are being learned and thought about that certainly haven't broken out into the open source intelligence world, that haven't broken out to the news. 

John Petrik: I think that the big lesson is a perennial lesson - that any effective military operation has to be a combined arms operation; that if you're simply blasting away with artillery; you've lined your guns up hub to hub; you're slamming away at poorly-identified area targets; your infantry is doing something else; your armor is off, breaking track, trying to fix itself; and your jammers are either not doing anything because nobody's tasked them or they're not hitting the right frequency - if your cyber ops are not going after the right targets, if they're not doing the right things, they're not going to have any desired effect. They're not going to have good effect. And I think that's a lesson that's being relearned all the time. 

Dave Bittner: Yeah. I think there was this notion that cyber could be a force multiplier. And it certainly seems in this instance, that has not been the case. 

John Petrik: Well, it can be. There's no reason it can't be, but a force multiplier is not in itself decisive. That - it's conventional to distinguish combat power from combat multipliers, that combat power is something you can count on. So what's combat power? Tanks are combat power. Infantry are combat power. Guns are combat power. A force multiplier is something that, when you have it available to you, it will help you win. It will help your operation, but you can't count on it for success, so plan your operation as if it may or may not show up. If the weather is bad enough, for example, the aircraft are not going to fly. So aviation is commonly regarded - and I apologize in advance to any aviators listening to this - aviation is commonly regarded as being a force multiplier, not as direct combat power. 

John Petrik: I think cyber is a combat multiplier. What do you use it for? You obviously use it for intelligence collection. That's obvious. You can use it for - if you move out of that shadowy world into the more overt world - if you view influence operations and information operations generally as cyber, which I think is not an unreasonable thing to do, there's an important role for it there. It's been interesting to watch the failure of Russian influence operations in this present war because they had been pretty good at that in the past. Remember all of the worries and uproar over the Russians are meddling with the election, and they're making people think this, think that and think the other thing? 

Dave Bittner: Sure. 

John Petrik: That wasn't crazy. You know, there was a degree of hysteria to that, but it was nuts to be worried about that. What were the Russians doing in that case? Were they trying to push a particular viewpoint on anyone? Not really. They were trying to darken counsel. They were trying to confuse. 

John Petrik: If you look at the theorist of war, Clausewitz - in his writings, he - Clausewitz argued that the thing that distinguished the idea of war in the abstract from real war on the ground was what he called friction. And friction, for Clausewitz, is the kind of thing that causes a deviation from the ideal. If you remember anything from your high school physics class, what kinds of things do they always do to teach you basic physics? They would give a bunch of simplifying assumptions. Assume a frictionless surface, they would say... 

Dave Bittner: Right. 

John Petrik: ...Things like that. Forget about air resistance - that kind of thing. All that stuff is the complexity of the real world, and that's what Clausewitz was thinking of. So military friction is darkness. It's bad weather. It's mud. It's mud that the guns get mired in. It's a unit getting lost. It's an order being misinterpreted. It's somebody not understanding it. It's the guy who doesn't get the word. That's friction. If you want to look at general approaches to the art of war, some armies tend to work by trying to minimize their own friction. We want to minimize our own friction so that we can do what it is we want to do. That's what we want to do. Other armies try to maximize the enemy's friction. We want to gum it up for the enemy as much as possible. 

John Petrik: In general terms, the American way of war has tended to try to minimize its own friction. The Russian way of war has tended to seek to induce more friction in the adversary, and Russian influence operations, I think, were most effective when they were trying to induce friction, not when they were trying to persuade people of some particular line. There is - I think there are very, very few people who seriously think that the positive Russian line on the war in Ukraine is true. I don't think anybody seriously believes, whether they are sympathetic to Russia or not, that Ukraine is run by literal Nazis - OK? - literal, self-conscious, institutional successors of the German Nazi Party from the Second World War. Nobody thinks Ukraine is being run by Nazis who are systematically trying to exterminate Russians and that Ukraine was serving as a staging point for a Nazi-led NATO offensive against Russia. 

Dave Bittner: Right? 

John Petrik: That's the Russian line. It's implausible. It doesn't work. So perhaps they should have stuck to trying to confuse people. Now, much of that is for domestic consumption, OK? 

Dave Bittner: Yeah. There's an analogy that I've heard you use to sort of relate it to game theory - you know, the difference between poker and chess. Can you hash that out for us? I find it really fascinating. 

John Petrik: If you look at both poker and chess, they're both rational games. They require intelligence and thought to play. It's not like playing - I don't know, take your pick - war... 

Dave Bittner: Right. 

John Petrik: ...OK? - or Indian, to drop even lower. The - chess is a deterministic system. It's fully deterministic. Nothing happens by accident in a game of chess. You can make mistakes, but there's nothing that's a matter of chance. Every move that both sides... 

Dave Bittner: All the pieces are in the same place... 

John Petrik: All the pieces are... 

Dave Bittner: ...At the beginning of the game. 

John Petrik: The pieces are all in place. The pieces have known capabilities and known potentials.

Dave Bittner: Right. 

John Petrik: And you're responding to an adversary. You might be surprised by what the adversary does, but nothing happens by accident. It happens because somebody did it. Poker, on the other hand, is a game that involves a great deal of chance. It involves rational calculation of odds and probabilities. It involves the ability to bluff. It involves the ability to sense when your opponent is bluffing. If you listen to Russian media and listen to the Russian speeches, you will hear them commonly introduce their conclusions by saying things like - of course - or - it is no accident that. These are - this is a chess player's way of looking at conflict. In the Western view and in, particularly, the American view, there's, I think, a much more vivid, imaginative presence of the reality of chance - that there are things that happened that haven't happened because anybody has done them. They've just happened, and I think this is also manifested in the Russian willingness to look for a general to sack when something is not going well. 

Dave Bittner: Where do you suppose this is going to go? I mean, we're a year in now. Do we have another year in front of us? How do you think this is going to play out? 

John Petrik: It's hard to tell because so much depends upon things that are beyond our ability to predict. It would be unwise to think that there would be a popular uprising that would depose President Putin, for example. Is the war popular at home? It's got some degree of popularity. I mean, they have certainly been able to whip up enthusiasm at well-organized, spontaneous demonstrations. But on the other hand, when Putin announced partial mobilization last fall, about 300,000 men of military age got out of the country before they could be taken. That's about the amount that were targeted for mobilization, or the amount that they did take in in that partial mobilization, so there's clearly some dissatisfaction and some disease with thinking about the war. Will Ukraine continue to get supplied from the West? It probably will. They've been promised a lot of equipment. A lot of equipment has been delivered. That equipment has generally functioned pretty well. They've received a lot of cyber support, both from governments and from the private sector. So Ukraine is in a pretty good position to be able to continue to defend itself. Whether they'll be able to take the offensive effectively against Russia on a large scale remains to be seen, and I would watch for that as the weather improves a little bit over the next couple of months and as the new stocks of ammunition and equipment arrive. 

Dave Bittner: Thanks for joining us for this CyberWire "Special Edition," and special thanks to my colleague John Petrik for taking the time to lend his insights to the conversation.