A new book released the week of November 30 by the NATO cyber center reflects on several reasons why the Russia-Ukraine conflict has not seen large-scale or massive cyber attacks with destructive effects akin to a true cyber war.
Cyber War in Perspective: Russian Aggression against Ukraine “serves as a benchmark in the early history of Internet-era warfare,” within a case study of the Ukraine crisis from 2013-2015, Kenneth Geers, ambassador of NATO’s Cooperative Cyber Defense Center of Excellence (CCDCOE), said in the introduction.
The test case “offers many lessons and sheds light on whether cyber war is still closer to science fiction than reality,” NATO said.
The CCDCOE, the book’s publisher, is a NATO-accredited knowledge hub based in Tallinn, Estonia, that focuses on interdisciplinary applied research and development concerning cyber security. It includes consultations, training, and information-sharing among NATO members, allies, and partners in cyber defense.
The center highlighted that “apart from disruptions to internet connectivity between Crimea, Donbass, and the rest of Ukraine, there have been no known [cyber] attacks against civilian or military critical infrastructures.” The book examines whether, and why, Russia may be showing restraint in cyber attacks and how such attacks could escalate.
Keir Giles of the Conflict Studies Research Centre, an author of the book, wrote that while cyber actions are present in the conflict, they are less overt and more difficult to understand and defend against.
“This is due to Ukraine’s very different cyber terrain. Comparisons to Russia’s rudimentary cyber efforts at the time of the Georgian conflict in 2008 are of limited value,” Giles said. “Unlike Georgia, Ukraine’s more interconnected nature makes it impossible to restrict access to the internet overall, except in the very special case of the Crimean peninsula.”
Giles explained that since Russia and Ukraine have such an integrated information space, there is no reason to take down Ukraine’s systems. “Since Russia already enjoyed domination of Ukrainian cyberspace, including telecommunications companies, infrastructure, and overlapping networks, there was little incentive to disrupt it. In short, Russia had no need to attack that which it already owned.” This includes the use of Russian email services by Ukrainian government officials.
James Lewis, director and senior fellow of the strategic technologies program at the Center for Strategic and International Studies (CSIS) in Washington, said in the book that no Russian cyber attacks in Ukraine have risen to the level that would qualify as a use of force equivalent to conventional weaponry.
“The current caution may reflect lessons learned in Georgia or a desire to preserve some degree of deniability, and maneuvering to avoid an overt violation of international law,” Lewis wrote.
Jen Weedon of FireEye agreed with Lewis’s thinking that Russia seems either not to need, or not to have chosen, to engage in extensive overt cyber attacks.
“One reason for this could be that Moscow wants to avoid the international criticism that followed its alleged cyber operations in the 2008 war in Georgia, and in Estonia in 2007. Instead, Moscow seems to be using more narrowly focused, limited operations in support of strategic state objectives, primarily via sustained cyber espionage rather than widespread attacks,” Weedon wrote.
Martin Libicki, a RAND Corporation senior management scientist and professor, examined in his chapter five separate reasons why the potential cyber war has not occurred.
First, Libicki theorizes that although Russia has many hackers who work for the state, crime syndicates, or as personal national hacktivists, with Ukraine, “it is possible that a large percentage of the hacker talent is of Russian descent and may have divided loyalties in this conflict.” Conversely, he raised the counterexamples of Estonia and Israel making large cyber contributions despite small populations.
It is also possible that neither Russia nor Ukraine has many valid targets, Libicki said. While Russia has conducted modest recapitalization in terms of government electronics and software to upgrade legacy Soviet systems, there has been little of the same in Russia. However, this explanation is not satisfactory because “no one is buying analogue telecommunications systems anymore, not even in the developing world. New equipment is digital and networked.” The level of digitization is still likely high enough to raise concerns about cyber vulnerabilities.
Libicki then echoed Giles’s point: much of Ukraine’s infrastructure and telecommunications structure dates from the Soviet era, so the Russians have likely already wired the phone system for interception. Therefore, Russia has no interest in taking it down. In this case, cyber attacks would disrupt lucrative longer-term espionage operations by alerting defenders, who would then focus on long-term cyber defense missions.
Alternatively, neither country may want to escalate the conflict to a full cyber war. The Russian government insists the conflict is an insurgent separatist campaign in eastern Ukraine. If Russia attacked Ukraine’s national infrastructure, that would be harder to ascribe to separatists. “The more important point here is that any such escalation could change the narrative of the conflict from an inter-ethnic squabble to an interstate war,” Libicki said.
He compared this dynamic to conflicting nuclear weapons states, where both parties have an interest in tamping down escalation. Likewise, any two parties in cyberwarfare “are likely riddled with exploitable vulnerabilities.”
Lastly, Libicki wrote that cyber warfare may not be as easy as proponents claim it to be. A successful, damaging cyber attack involves long timelines to penetrate systems without getting caught, and it requires technical expertise as well as intelligence gathering to create politically interesting effects against national or defense infrastructure. Even then, an attack may not produce practical results. Moreover, “it is also possible that neither Russian nor Ukrainian systems are sufficiently wired to allow for easy access and manipulation,” Libicki said.
The book contains 18 chapters by various scholars and practitioners who identify tactical and strategic implications, discuss the significance for policy and law, and analyze ongoing information operations.