As Putin’s bombs fall on civilian targets, ancient cities, weapons depos, and a nuclear plant – another war is being waged, an invisible war, cyberattacks on Ukrainian targets. These attacks go beyond Ukraine.
At the front end of this conflict, now weeks, Russia deployed malware against Ukrainian targets, military institutions, and personnel. For reasons still not clear, they chose not to debilitate civilian institutions – perhaps thinking victory would be swift and rebuilding for a “puppet” government, hard and long.
That said, a few things are clear. Cyber-savvy American companies, such as Microsoft, Google, and Mandiant, have picked up (from the start) attempts by Russia to hit Ukrainian military targets. These attacks were – like Russia’s physical attacks – seemingly inept, yet in some cases successful.
Historically, Russia has been viewed as a cyberattack leader, seasoned and generally effective at disruption when that was the aim. Here, Russian hackers appear to have had minimal success shutting down Ukrainian systems, giving the country time to pivot and improve cyber defenses.
Moreover, with US companies sharing information and affirmatively coordinating defensive actions with the White House, Pentagon, National Security Agency, and US Cyber Command, what is happening in the cyber-battlespace is known more quickly.
These companies – unconstrained as governments are – have been coordinating with Ukrainian counterparts, offering warnings as possible. The ability to see into the murk of cyberwar – made possible by US technology – may also protect NATO countries, such as Poland and the Baltics.
Making things more complex, cyberwar does not just affect information access, accuracy, and use – all vital. It escapes the vacuum, affecting the physical world. Preparations – cyber-defenses – are being hardened across NATO, even as Russia hits Ukraine. Even so, the battlespace is confusing. See, e.g., Ukraine War Tests the Power of Tech Giants.
As one public account noted, “the intelligence is flowing in many directions.” In some ways, this “fast reaction force,” a combination of focused cyber-experts in corporate America, US Government, and NATO – is utterly new. The coordination appears led by private ingenuity, agility, and willingness to help governments.
If any good comes of this conflict, it could be a new private-public alliance to protect America, NATO, and innocent non-NATO countries from unprovoked cyber-aggression.
One official noted in the New York Times, “I’ve never seen it work quite this way, or nearly this fast …We are doing in hours now what, even a few years ago, would have taken weeks or months.” See, As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War.
More immediately, Russia’s threat is growing, as this aggressor nation confronts unforeseen obstacles in cyber and physical battlespaces. To date, Russia’s Ukraine-focused cyberattacks – which faltered – are “more muted than expected.”
That may soon change. Russia could hit Europe hard with cyber-attacks, especially if sanctions are unified, aimed at Russian oil exports, and fully joined by Europe. If that happens, cyber-defenses must be strong, as these attacks could affect the physical world. That would certainly be the aim, to hobble Europe’s economy as NATO does Russia’s.
Damage could flow to the US, with Facebook, Twitter, and YouTube all acknowledging adverse Russian activity already. Other sectors could be hit.
Most sobering, private sources suggest that Russia may attempt to hit US defense contractors – nobbling their ability to perform – not so much to stage aggressive action but to demoralize, distract, deter, and disrupt.
The significance of all this is simple and not so. Russia has tools in “the invisible world,” including cyberspace. They have historically been good at deploying them and shown they can be a formidable cyber-adversary, intruder, disruptor, and nuisance.
Technically, NATO countries are only offering defensive weapons to Ukraine, but cyberwar is different. Some actions are clearly offensive, others clearly defensive, others ambiguous, dual-use, or subject to misinterpretation. Compounding the problem, a blur of state and non-state “patriotic” and obstructive actors is afoot. See, e.g., Volunteer Hackers Converge on Ukraine Conflict With No One in Charge.
The hope is that all efforts to contain Russia’s physical and cyber-attacks are successful and defensive only. But if Russia began hitting US defense contractors, potentially jeopardizing the US or NATO force structure or capabilities, stakes would rise.
So far, cyber limits are being respected. Cyberattacks with an impact on US defense contractors are not common; hopefully, they will not be. But Russia is using a highly flawed, obviously perilous war-fighting manual – and cyberwar manual. If they get too squirrelly, the West will need to be ready. The “invisible war” also matters.