Cyber lessons in the wake of Russia’s invasion of Ukraine

The way cyber actions have played out in the Russian invasion of Ukraine hasn’t followed the anticipated script. The attacks on Ukrainian government agencies and banks in early and mid-February were not unexpected, given Russian rhetoric. But the ‘cyber Pearl Harbor’ that some had anticipated hasn’t occurred.

Russia may well have drawn different conclusions to others from its experience in Georgia in 2008 and its 2014 invasion of Ukraine. Both were notable for their use of cyber—attacking infrastructure and government agencies, destabilising decision-making and sowing confusion regarding purpose, responsibility and the on-the-ground situation. The integration of cyber, political and psychological activities with conventional operations, progressively escalating effort from influence operations to full kinetic warfare, became known as hybrid warfare or the Gerasimov doctrine, after the Russian chief of the general staff.

Practice proved less smooth than theory. Russia’s effort in Georgia arguably was more successful than the more ambitious activity in 2014 in the more advanced Ukraine. Georgian government decision-making was disrupted, the Russians confused the issue and effectively defanged an international response, and Ossetian secessionists, with some support, proved good enough against the Georgian military.

In Ukraine in 2014, Vladimir Putin was progressively forced to show his hand and commit conventional forces as cyber, disinformation and his ‘little green men’ proved of limited value. Still, Putin succeeded in annexing Crimea and supporting limited secessionist effort in Donbas—enough to encourage his invasion this year.

Since then, cyber has proved useful to Moscow in other ways. Russia continued to improve its cyber capabilities, extending into active disinformation operations in the West, including the 2016 US and 2017 French presidential elections (and possibly the 2016 Brexit referendum in the UK). In 2017, the Russian group Sandworm launched the NotPetya malware. Though the targets were Ukrainian companies and the country’s government, NotPetya spread quickly, demonstrating the indiscriminate damage such tactics can cause.

Later Russian activity was both better targeted and more sophisticated and may reflect caution over possible consequences to its own systems and interests resulting from malware spreading unchecked in the wild. And as the 2019 SolarWinds attack showed, attacks ‘deep in the stack’ and on the supply chain can offer considerable breadth and scope for exploitation, including for intelligence purposes.

The limited cyber activity in the current Russian invasion of Ukraine may be a recognition of its constraints in warfare. In the heat of conventional battle, the use of cyber will be highly tactical—classic signals intelligence—aimed at disrupting enemy digital systems. Because of the dependence of all modern states on digital systems for their military capabilities, protagonists won’t want to suffer blowback from malware loose in the wild.

Still, we would expect continued efforts to place malware, prepare the ground for a Russian takeover and shape the information environment outside the immediate sphere of operations. There is, after all, the broader information war to prosecute.

In hindsight, Putin has been set on this course for some time. However, the unanticipated use of US and UK intelligence to expose Russian mustering and intent shouldn’t be underestimated in terms of garnering global support. And the Ukrainians—government, community and supporters—have used social media to great effect.

These factors have cast doubt on Russia’s superiority in maskirovka, the use of disinformation, intimidation and deception, which has been employed since the country’s tsarist days and was refined during Soviet repression. The Russian government’s previous actions in Georgia and Ukraine, as well as cyber operations during the 2016 US presidential campaign, all echo those of the Soviet Union. Antecedents to Putin’s ‘little green men’ can be found in Stalin’s tactics in Ukraine in the 1920s and 1930s.

A central focus of maskirovka is domestic audiences and bolstering internal legitimacy—typical of repressive regimes everywhere. Putin’s crackdown on internal dissent—arresting protesters, silencing the few remaining independent broadcasters, pressuring tech platforms, possibly with more to come—is likely to harden as the Russian campaign in Ukraine regroups. We should expect use of ‘fellow travellers’ outside Russia, of which there remain many, including in the Trump wing of the Republican Party, and of nations from which it can call in favours or leverage concessions. And we should expect use of cyber to block, intimidate and disrupt dissenters and simply to sow confusion.

It’s early days in this conflict. Russian pressure on Ukraine will increase, even as its military resorts to tried and true tactics of destruction. In the meantime, there are some conclusions that may be drawn for Australia.

First, cyber is a classic ‘grey zone’ tool: it is ambiguous and potentially valuable for intelligence, developing influence, seeding uncertainty and shaping the information environment for the first few days of a conflict. We should be as sceptical of reliance on cyber for substantive outcomes as we are of claims of a cyber Pearl Harbor.

Second, nation-states don’t have a monopoly over the use of cyber. Some hacktivist and criminal groups are taking sides in the current conflict. Others—including nation-states—will seek to exploit both the distraction of agencies and the disruption of conflict. Cyber defence is getting harder and commercial companies and researchers often take point. All this activity is muddying the information environment, making signalling harder and increasing the prospect of miscalculation.

Third, the role of technology companies is increasingly important. Governments no longer have such assets under their direct control and yet are critically dependent on them. It’s not simply content. The withdrawal of major tech companies will give Russia increased impetus to develop sovereign capability. We can expect China and other authoritarian states to increase their control over tech companies, and even Western governments will pause to consider their dependence.

Fourth, the importance of communities outside formal institutions. As Peter Singer has noted, the Ukrainians have provided something of a masterclass in strategic communications and activities, from formally applying for EU membership to videos of grandmothers offering sunflower seeds to Russian soldiers. Normal government approaches aren’t well suited to the irreverence and spontaneity of a fast-moving social media environment.

Fifth, Australia’s formal institutions need to show coordination, imagination, active engagement and transparency—much as the UK and US governments demonstrated with the release of intelligence analysis. In a competition with closed, authoritarian states, transparency, adherence to democratic values and support of human rights and liberties offer the best counter.

Despite the tragedy unfolding in Ukraine, we should not forget that the main game remains China; the one clear beneficiary of the invasion is the Chinese Communist Party. We should take care to understand the nature of cyber and information warfare in this conflict, not least to better prepare ourselves for increased pressure in the grey zone.