The dog that didn’t bark? – Cranfield cyber experts reflect on the war in Ukraine

Dr Danny Steed, Lecturer in Cyber Security and Robert Black, Lecturer in Information Activities at Cranfield University, comment on the role that cyber warfare has played in the Ukraine conflict so far:

On the lead up to the 2022 invasion

Dr Steed said: “As outlined in my comments when the invasion last year first took place, that Russia has long been experimenting with offensive cyber means. We saw it in Estonia in 2007, Georgia in 2008, and have seen it in Ukraine since 2014.

“The first big sign for cyberattacks was the BlackEnergy attack on Ukrainian power stations in December 2015. From that point, Ukraine became Russia’s experiment lab for cyber warfare. The clearest affirmation of this was the NotPetya ransomware attack in 2017, which cost more than $10 billion to corporations worldwide but was above all an attack on Ukraine.”

Rob Black added: “This also shows another lesson for cyber war. Cyberattacks cause collateral that is not likely to be bounded by the physical and geographical dimensions of a traditional conflict. NotPetya had a global impact; Maersk shipping had its global IT system completely destroyed. The Viasat attack at the start of the Russian military invasion of Ukraine in 2022 also disrupted other organisations with no direct link to the conflict area, such as a wind turbine operator in Germany.”

On the one-year milestone

“With the one-year milestone of Russia’s outright invasion, what we have seen is a tempering, or a deflating, of the hyperbole that has hung around all talk of cyber warfare since the 1990s,” says Dr Danny Steed. “When the invasion happened last February, discussion immediately focused on the kind of cyberattacks we might see. There was lots of speculation, even anticipation, but the great cyber campaign never came.

“Instead, we have seen a great deal of warfare that many thought was consigned to the past. Tanks, long supply lines, artillery bombardments, missile strikes, hasty supplies of anti-armour weaponry. While cyberattacks have taken place, they have been far from significant, or even consequential in the direction of the war so far.

“The calculation is really quite simple: why gamble that a few lines of code can take down an electrical grid, when you can simply bomb it? The latter gives a greater certainty of success, without exposing one’s cyber capability.”

Rob Black: “There has been limited strategic impact from Russian cyber operations but we have gained some useful lessons about cyber warfare for current and future conflicts.

“It has also shown us that fighting cyber war is actually harder than you think. It is difficult, mid-way through a conflict, to suddenly spin up a range of amazing zero-day exploits (those vulnerabilities in the code of software or operating systems, for example, that are not known by anyone else, so can’t be immediately detected or mitigated by things like anti-virus and can lead to an attacker gaining access and compromising the system without detection) to crack operating systems and compromise computer networks.

“The hard work for a cyber campaign must be put in for months if not years in advance, but at the same time can be negated or disrupted by an effective cyber defence effort. With Ukraine, we saw friendly nations such as the US, and cyber security companies such as Microsoft, ‘forward deploy’ inside Ukrainian networks in advance of the kinetic campaign to disrupt Russian cyber pre-positioning and mitigate many of the likely Russian intended cyber effects. Thus, the only option the Russians might have had by the time of the conflict was to bomb critical national infrastructure as many of the intended cyberattacks were no longer viable due to strong Ukrainian (and allied) cyber defence efforts.

“The conflict has also shown us the challenge of sustaining a cyber offensive at the scale required to match full scale and enduring kinetic warfare.

“Cyber needs a significant amount of capabilities and resources but this is very different to the traditional capability based planning approach where you can research and develop new tanks and weapons systems and have them ready to be deployed whenever needed. For cyber, the ability to stockpile weapons is much more difficult and sustaining a cyber fighting force is very different to the military force element generation process, where troops can be put on standby, mobilised and deployed to front line to replace depleted resources. In cyber not only is the front line everywhere, but we do not have the teams of cyber operators at a scale similar to our armed forces.”

On cyber’s place in modern war

Dr Danny Steed: “In some scholarly circles, cyber has been referred to as “the dog that didn’t bark”, but even this fails to capture the truth of the struggle to make sense of cybers’ place in modern war. Really, what we need to take is a longer perspective on the impact of cyber on warfare as a whole, as reflected by the Ukrainian experience. We know it has not been, nor will it be, decisive in the outcome of the war in Ukraine, yet it has played a part.

“The Ukrainians have openly called for cyberattacks on civilian infrastructure – energy supplies, hospitals, utilities, etc. – to be included in the list of war crimes for investigation and prosecution. This is salient, because even if cyberattacks are not decisive, including them as a new category of war crime would be a major evolution in our legal understanding of what we will not accept from cyberattacks. Any such prosecution will be fascinating precisely because it has never happened before.

“Yet we do know that cyber is an effective peacetime tool: it’s a tool of harassment, of provocation below the thresholds of violence. Cyber criminals with links to Russia continue to attack Western economies undeterred; the recent ransomware attack on Royal Mail by the LockBit gang is testament to this. This is the pattern we should grow accustomed to. Cyber will play a small and inconsequential role in a war in Ukraine that rages on traditional battlefields. Yet it plays a constant strategic role away from Ukraine, with attacks permitted, perhaps even encouraged, by a Russian state who must revel in seeing Western businesses disrupted with regularity, even if such attacks pose no real threat to Western economies beyond a nuisance factor.

“The war in Ukraine has affirmed two key things: since the 2022 invasion, the place and importance of “heavy metal” in warfare has returned with a vengeance. Yet, when it comes to cyber, the Ukrainian conflict since 2014 has affirmed that cyber is a potent and persistent tool, albeit one with limits. Even if cyber fails as a tool of warfare in its own right, the experience in Ukraine has shown us that cyber is a permanent geopolitical tool; its place of best use lies away from the battlefield.”

Rob Black commented: “Cyber has been effectively employed to cause confusion and disrupt decision making during critical stages of the military campaign. The cyberattack against Viasat, for example, was an effective means of disrupting Ukrainian command and control and increasing confusion and uncertainty at a time when the Ukrainian military and government most needed to understand what was happening.

“At best, cyber in the Ukraine conflict will be most effective when integrated with other military activities to maximise the advantage gained or to undermine the Ukrainian coherence, decision-making and unity.”