Ukraine conflict alters the role of cyberspace in war

Analysis

Most major cyberattacks during the last decade or so have occurred outside conventional war scenarios. One important exception is the Russia-Georgia war of 2008, where Russian distributed denial of service (DDoS) attacks interrupted government communications and the Georgian national bank.

Consequently, there are few empirically tested models of the strategic and tactical consequences of cyber campaigns undertaken in tandem with military campaigns -- especially one involving a large and technologically aggressive actor such as Russia, with a highly capable offensive cyber capacity and a proven willingness to use it abroad.

Limits of historical lessons

Policymakers will not be able to rely strongly on past experience of maintaining geopolitical stability amid rising tensions between nuclear-armed states. The experience of the nuclear weapons era shows that preserving stability and preventing escalation under the conditions of a technological revolution has three main conditions:

• a small number of relevant actors;
• shared objectives among them -- particularly in preventing a spiralling conflict; and
• the opportunity to build stable expectations of behaviour through iterated interactions.

None of these conditions holds strongly true in cyberspace, which is an inherently unstable domain of security competition even while it offers states non-violent options to pursue foreign policy or financial goals.

Unique characteristics of cyberspace

As long as cyber actors ensure their actions do not cause loss of life or significant destruction of physical property or civilian infrastructure, they escape the severe retaliation that the use of physical force among nations ordinarily elicits.

Yet 'weaponisation' of cyberspace is increasingly a force for instability in international affairs:

• For example, the Stuxnet malware -- probably spread by US and Israeli governments in 2009 -- destroyed elements of Iran's suspected nuclear weapons programme.
• The Shamoon wiper virus spread by Iran in 2012 incapacitated tens of thousands of workstations at Saudi Aramco -- the oil giant of Saudi Arabia, Iran's main regional adversary and a regional ally of the United States.
• Russian state-linked cyberattacks against US political infrastructure in 2016 profoundly destablised US politics and undermined US electoral integrity, and had the effect of undercutting US power projection abroad.

Although cyber activity can sometimes replace conventional military force -- the Stuxnet operation possibly averted an Israeli airstrike against Iranian nuclear facilities -- it also invites its own risks.

If Russia-linked actors attack major Ukrainian or Western targets in the coming weeks, geopolitical instability will increase sharply. Moreover, the avenues for restoring stability or de-escalation would be complicated due to the distinct characteristics of cyberspace as a unique security domain.

Three of cyberspace's characteristics are especially important.

Diversity of actors

Unlike the military domain, cyber space is populated by a large number of relevant threat actors.

States operating in cyberspace must contend not only with other states, but also with private actors. These actors include politically motivated 'hactivists' such as the Anonymous community, members of transnational terrorist networks, and even 'lone wolves'.

Consequently, the potential for misattribution of the location of threat actors and for misinterpretation of their motives and objectives is higher in the cyber domain than in other security realms.

At times, private actors operate as proxies under the direction of, or with the consent of, their home government, though not always. In January 2022, an independent US hacker switched off many North Korean websites (internet access is available mainly to the country's small elite) through unsophisticated DDoS attacks.

The attack was politically motivated: the man promised to exploit other North Korean vulnerabilities in an effort to deter hacking against Western targets.

The effects of this incident on international stability was limited because it was a standalone incident. However, amid a diplomatic or a military crisis, a similar action could destabilise the dealings of states if it prompted a government to respond offensively.

Diversity of motives

Cyber actors operate with multiple motivations, not all of them geostrategic.

Some actors -- both governmental and private -- use cyberspace for subversive ends. Their actions could intensify rather than de-escalate a conflict.

North Korean hacking activity illustrates the problem. Leading cyber powers such as the United States and the United Kingdom have exercised self-restraint in the use of offensive capacity in order to establish norms of responsible state behaviour.

By contrast, hackers tied to Pyongyang have defied them. In particular, the 'Lazarus Group' -- the North Korean military's chief hacking unit -- has destroyed the computer assets of multinational companies such as Sony Pictures Entertainment, stolen large funds from the Bangladeshi Central Bank and hacked into cryptoasset exchanges in South Korea. The motivations of these actions have been both geopolitical leverage and financial gain.

Among non-state actors, operatives of terrorist groups such as Islamic State have hacked into US military databases and top-secret UK government email systems. They sought to acquire destructive capabilities to attack Western public infrastructure (so far without notable success). Their aim is the instigation of conflict, not its avoidance.

More recently, members of the Anonymous collective took the Kremlin's website offline to protest against the invasion of Ukraine. While not damaging, such an incident could prompt Russian retaliation against computers and servers located abroad, thereby instigating a spiral of responses and counter-responses.

Asymmetric learning

Difficulties of attributing the identity and location of threat actors muddle the pool of cyberspace actors, making strategic learning for policymakers even more difficult.

Actors often deny authorship of an operation, such as when Russian hackers breached Democratic Party emails during the 2016 US presidential election -- a denial that former US President Donald Trump subsequently repeated.

In such cases, even when authorship can be technically ascertained with high confidence, the failure to acknowledge it by the relevant parties hinders the mechanism of strategic learning and adopting norms of appropriate state behaviour in future.

Scenario 1: Russian attacks against Ukraine

The ongoing Ukraine war has increased the risk of cyberattacks -- against Ukraine and NATO-linked targets.

Some have already materialised:

• As a prelude to the invasion, Kremlin-linked hackers infiltrated the Ukrainian interior ministry and activated data-wiping malware that destroyed information relevant to domestic intelligence and police activities.
• When Russian forces moved into Ukraine on February 24, serious interruptions to civilian internet access were reported in the country. For example, a severe disruption in the city of Kharkiv occurred almost simultaneously with a series of explosions on the ground.
• A few days into the invasion, internet service degradation became evident more widely, including in Kyiv.

Thus far, Russia has not launched catastrophic cyberattacks against Ukraine or NATO targets (see INT: Cyberactivity in Ukraine signals Russian limits - March 4, 2022). No major destruction of civilian infrastructure has been reported on the same scale as previous attacks (such as the interruption of energy provision in the Kyiv region in 2015).

It is unlikely that serious disruptions of infrastructure have occurred but not been reported in the public domain. The effects of cyber disruption -- especially in vital infrastructure such as power grids -- are difficult to hide.

Yet complacency would be ill-advised. It is impossible to rule out attacks such as:

• a repeat of the power grid disruptions -- an important risk to public health especially during colder months; or
• another attack with cascading disruption within private industry -- especially in cities and areas of the country that are beyond the control of the Russian military.

It is likely that Russian hackers have penetrated Ukrainian communication systems, transport systems, power grids, financial institutions (such as the National Bank of Ukraine), and other essential infrastructure to lay the ground for future disruptions, depending on military developments. Disruption to such infrastructure could tactically benefit the invasion campaign, as was the case during Russia's invasion of Georgia in 2008.

Scenario 2: Russian threat to NATO targets

The Ukraine war also increases significantly the risks of cyberattacks by the Kremlin and its proxies against Western targets. The United States, the United Kingdom, the EU and other actors have imposed stringent economic and financial sanctions on Russian interests.

These penalties include sanctions against the Russian central bank (which impede its access to foreign currency reserves) and the exclusion of several Russian banks from the SWIFT interbank payments system. Western measures are not only punitive; they also involve the arming of Ukraine's resistance to the invasion. For example, on February 27, European Commission President Ursula von der Leyen announced that the EU -- for the first time ever -- would finance and facilitate the delivery of weapons to a country under attack.

Despite the harsh rhetoric from President Vladimir Putin, who has heightened the level of nuclear readiness, all foreign parties in the crisis want to avoid a direct military clash. Cyberspace offers Russia retaliatory options that avert fatal consequences:

• There is a risk that Russian state-linked hackers will attempt to disable the operations of North American and European banks or stock trading platforms to mirror some of the effects of economic and financial sanctions against Russia (see UNITED STATES: Corporate cybersecurity is improving - March 9, 2022 and see EUROPE: Hacking of energy firms cements new dynamic - February 8, 2022).
• The conflict might also prompt pro-Russian 'patriotic' hackers to launch a broad spectrum of cyberattacks, such as DDoS attacks, against the online services of Western governments and businesses.

The risk of these actions taking place increases in direct proportion to Russia's military and political setbacks on the battlefield.

Scenario 3: Western counter offensives

Rising Russian-Western tensions over the Ukraine war also elevate the prospect of counter cyber offensives by US, UK and other Western state-linked hackers against Russian targets.

One goal of such activity could be denial -- helping Ukraine defend of its governmental, military and civil society functions. Another could involve curtailing Russian social media information campaigns. There are precedents for such actions: for example, during the 2018 mid-term elections in the United States, US Cyber Command disabled the servers of the Russia-based Internet Research Agency.

Cyberspace also gives Western partners of Ukrainian President Volodymyr Zelensky's government non-military options for imposing further costs on Moscow for its invasion.

Punitive activity could go beyond the denial of Russian attacks and might include, for instance, the disruption of Russian banks to compound the effects of economic sanctions or interruption of the servers of Kremlin-backed news services.

Outlook

If major cyber incidents were to materialise during the war in Ukraine, cyber risk modelling of Western and other cyber-capable actors would evolve dramatically.

Over the medium term, important lessons will centre around two key issues:

• the tactical effect that disabling the financial institutions of a targeted country has on its ability to procure military equipment from foreign powers or internally; and
• the effects of disrupting communications systems -- including access to social media channels -- on the targeted country's ability to coordinate its war response and counter disinformation operations.

However, the lack of sufficient models means that in the immediate future, policymakers would struggle to mount an effective and proportionate response to a major Russian cyberattack against civilian infrastructure in Ukraine or NATO countries.

The response will be especially difficult if non-state actors are involved on either side, or if malware targeting Ukraine accidentally triggers cascading failures beyond the country's borders.