Maybe we shouldn't be so surprised that major, devastating Russian cyberattacks haven't yet appeared in Russia's war against Ukraine.
Ukraine: Russia will not waste offensive cyber weapons.
Across the political landscape and in the media, both in North America and Europe, a recently established assumption holds that Russia may unleash its full range of cyberattacks in the Russian-Ukrainian war as retribution for Western support of Ukraine. According to much of this commentary, a digitalized Russian fury could easily spill over into Western countries and give us a taste of a cyber crescendo. But the prediction of a Russian cyber doomsday wave does not add up.
Cyberattacks, in this war, are a last resort, not an opening gambit.
The lingering threat of offensive cyber operations is Putin’s last card – together with nukes. There is no rational reason that Putin’s Russia would play the offensive cyber card without some reasonable prospect of geopolitical gain.
Russia has reached an operational stalemate with limited progress in its invasion of Ukraine, but unleashing its advanced cyber capabilities against Western targets at this stage will not resolve the war. Such attacks would only increase support for Ukraine without bringing Russia any appreciable battlefield advantage.
Western commentaries predicting a Russian cyber onslaught rest upon a general assumption that advanced offensive cyber capabilities are replaceable once used. In reality, this assumption is illogical: there is no hidden cyber armory from which new weapons can be fetched and reloaded for continued cyber bombardment. Exploits, once used, are often parried quickly, and they cannot then be expected to have the same effect they had when first unleashed.
Therefore, Russia is unlikely to waste its advanced offensive cyber arsenal on a conflict in which a cyberattack offers no value that could not already be achieved by kinetic attack: air strikes, Kalibr cruise missiles, and indirect fire. Each advanced and sophisticated offensive cyber weapon represents an investment that, in some cases, is a one-shot ability to exploit a vulnerability. Striking targets in America and within NATO with advanced offensive cyber weapons, with no goal other than to degrade and disrupt, wastes offensive cyber power.
When Russia’s strategic calculus would dictate major cyber attacks.
Russia will use advanced strategic cyber capabilities at well-defined critical junctures. For example, if a conflict in Europe unfolded and dragged in NATO, Russian forces would seek to delay the entry of major US forces through cyberattacks against railways, ports, and electric facilities along the route to the port of embarkation. If US forces could be delayed by one week, that would be one more week in Europe before the main US force arrived, and it would allow the submarines of the Northern Fleet to be positioned in the Atlantic. Strategic cyber supports strategic intent and actions.
Not all cyberattacks are the same, and just because an attack originates from Russia does not mean it is directed by strategic intent. Naturally, the Russian regime would allow cyber vandalism and cybercrime against the West to run rampant, because these are ways of striking the adversary. But these low-end activities do not represent the Russian military complex's cyber capabilities, nor do they reflect the Russian leadership's strategic intent.
The recent cyberattacks in Ukraine have been unsophisticated and have had close to no strategic impact. The distributed denial-of-service (DDoS) attacks are low-end efforts, a nuisance that most corporations already have systems to mitigate. Such DDoS attacks will not bring down a country or force it to submit to foreign will. Such low-end attacks do not represent advanced offensive cyber weapons: the DDoS attacks are limited-impact cyber vandalism. Advanced offensive cyber weapons destroy, degrade, and disrupt systems, eradicate trust, and pollute data integrity. DDoS and website defacements are not even close to this in their effects. Whether the DDoS attacks were carried out by the state or by a group of college students sympathetic to Kremlin policy, Russia has not shown the extent of its offensive cyber capability with them.
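To make concrete why volumetric DDoS counts as a nuisance that ordinary operations tooling can handle, here is an added illustration (not code from the article or its author) of the kind of rate-based detection a defender runs over web-server logs. The log lines, the IP addresses (from documentation ranges), and the thresholds (10 requests per source in 5 seconds; 15 requests overall in 5 seconds) are all constructed for the example. It flags a single chatty source, and separately flags an aggregate burst from many low-rate sources, the "distributed" pattern that a per-source rule alone misses; the flagged addresses are the input to whatever rate limiting or upstream scrubbing the organization already has.

```python
"""Sliding-window request-rate checks over constructed web-server log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Return constructed log lines: '<ISO timestamp> <client ip> <method> <path>'.

    Assumed data, not captured traffic: one noisy source, a little
    background traffic, and a burst spread across twenty sources.
    """
    base = datetime(2022, 2, 24, 9, 0, 0)
    lines = []
    # One source sending 12 requests within 4 seconds.
    for i in range(12):
        t = base + timedelta(seconds=i // 3)
        lines.append(f"{t.isoformat()} 203.0.113.10 GET /")
    # Three ordinary visitors, one request each, ten seconds later.
    for i in range(3):
        t = base + timedelta(seconds=10 + i)
        lines.append(f"{t.isoformat()} 192.0.2.{i + 1} GET /about")
    # Twenty distinct sources, one request each, inside three seconds.
    for i in range(20):
        t = base + timedelta(minutes=1, seconds=i // 7)
        lines.append(f"{t.isoformat()} 198.51.100.{i + 1} GET /news")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client ip); method and path are ignored."""
    ts, ip, _method, _path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip


def per_source_floods(lines, max_requests=10, window=timedelta(seconds=5)):
    """Return the set of source addresses that exceed max_requests inside any window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip in sorted(map(parse_line, lines)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


def aggregate_bursts(lines, max_total=15, window=timedelta(seconds=5)):
    """Return (window start, distinct sources) for each event that pushes the
    site-wide request count past max_total inside the window.

    This catches floods made of many sources that each stay under the
    per-source limit.
    """
    q = deque()  # (timestamp, ip) for every request still inside the window
    bursts = []
    for ts, ip in sorted(map(parse_line, lines)):
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_total:
            bursts.append((q[0][0], len({src for _, src in q})))
    return bursts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source floods:", sorted(per_source_floods(log)))
    print("aggregate bursts:", aggregate_bursts(log))
```

Both checks run in a single pass over time-sorted events and keep only the requests inside the current window, so the memory cost is bounded by the window length rather than the log size; in production the same logic would sit in a streaming job fed by the log shipper rather than reading a list.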
The invasion of Ukraine is not the major peer conflict that is the central Russian concern. The Russians have tailored their advanced cyber capabilities to directly affect a more significant geopolitical conflict, one with NATO or China. Creating a national offensive cyber force is a decades-long investment in training, toolmaking, reconnaissance of possible avenues of approach, and discovery of vulnerabilities. If Russia showcased its full range of advanced offensive cyber capabilities against Ukraine, the Russian tactics, techniques, and procedures (TTP) would be compromised. NATO and other neighboring nations, including China and Iran, would know the extent of Russian capabilities and have effective insight into Russia's modus operandi.
From a Russian point of view, if a potential adversary understood Russian offensive cyber operations’ tactics, techniques, and procedures, strategic surprise would evaporate, and the Russian cyber force would lose the initiative in a more strategically significant future conflict.
Understanding the Russian point of view is essential, because it is the Russians who conduct their offensive actions. This might sound like stating the obvious, but the prevailing conventional wisdom is currently driven by Western think-tank framing, which in my opinion is inaccurate. There is nothing for the Russians to gain strategically by unleashing their full advanced cyber arsenal against Ukraine or NATO at this juncture. In an open conflict between Russia and NATO, the Russian calculation would be different and would justify the use of advanced cyber capabilities.
Like calls out to like: targeting common Soviet-legacy equipment.
Let us consider some of the likelier cyberattacks Russia might consider in its war against Ukraine.
Russia can focus on Ukrainian systems with technological similarities to Russian systems. These systems originate from a Soviet/Russian engineering tradition and still make up a significant part of Ukrainian critical infrastructure. Such attacks would resemble the attack on the Ukrainian power grid on the 23rd of December 2015, which exploited the Soviet/Russian-designed electricity infrastructure that the Russians knew well because it is identical in design to that used in the Russian power grid.
Cyberattacks on Soviet/Russian-designed infrastructure in Ukraine would also safeguard the cyber TTPs and cyber weapons aimed at North America and EU/NATO Europe, because those weapons target equipment made by Western manufacturers. A tool designed to knock out a Soviet-designed power station will not necessarily work on ABB, Siemens, or General Electric equipment, so using such tools would not compromise the ability to attack NATO. These cyberattacks would not be a significant threat to Western countries.
Absence of evidence isn’t evidence of absence: the risk of subsequent Western underestimation of Russian capabilities.
None of this is to suggest that Russian capabilities do not pose a threat to the West. Russian restraint in cyberspace is probably the result of strategic calculation, not incapacity. We may soon see a cyber anti-climax, similar to the one that followed the Y2K fear in the year 2000. Should, as seems increasingly likely, the expected tsunami of Russian cyberattacks on NATO countries, including the United States, never happen, we should not make the mistake of assuming that this is because the Russians could not pull them off. Given that the cyberattacks in the Russian invasion of Ukraine have mainly pursued nuisance-level effects, like DDoS, together with specialized targeting of Soviet/Russian-engineered critical infrastructure, Western analysis might be misled into underestimating Russian cyber capabilities.
In reality, the absence of cyberattacks beyond Ukraine can indicate a rational Russian fear of disclosing and compromising capabilities unknown outside the Russian cyber establishment. The absence does not automatically mean these capabilities do not exist.
A note on the author.
Jan Kallberg, Ph.D., LL.M., has been focused on cyber for several years. He is a faculty member at New York University and George Washington University. Professionally he holds the CISSP and CISM cybersecurity certifications. His works have appeared in publications such as Joint Forces Quarterly, Strategic Studies Quarterly, IEEE Security & Privacy, and IEEE Access. Follow him at cyberdefense.com and @Cyberdefensecom. The views are personal opinions and do not reflect any employer’s position.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.