The world holds its breath for Putin’s cyberwar
Moscow’s slowness to unleash its cyber might against Ukraine has scrambled long-held assumptions about the future of warfare — even as warnings grow that attacks are imminent.
The escalating warnings of a Russian cyberattack on the U.S. cut against one of the war’s most perplexing mysteries: Why has the Kremlin held back from unleashing its full hacking might against Ukraine?
Before Vladimir Putin launched his invasion a month ago, security experts warned that the coming conflict could redefine cyber warfare — both for Ukraine and for the United States. But so far, cyberattacks have been of limited importance in a war that Russia has waged using tanks, rockets, missiles and bombardments of civilians.
“I’m one of those people who over the years has been saying [the next war] would be so much cyber,” said Lt. Gen. Ben Hodges, the former commanding general of the U.S. Army Europe. “Instead it’s been almost medieval what we have seen, not just sort of a cyber juggernaut that I had expected.”
This could quickly change: President Joe Biden said Monday that cyberattacks from an increasingly desperate Russia are “coming,” while urging U.S. businesses to “harden your cyber defenses immediately.”
Dmitri Alperovitch, the co-founder of the cybersecurity firm CrowdStrike, said that despite the lack of major attacks so far, cyber warfare could still be on the horizon.
“I do believe that cyber retaliation will still come. I think right now they are still preoccupied with prosecuting this war in Ukraine that is not going well,” Alperovitch said of the Russians.
For now, though, “We’ve seen some cyber operations against Ukraine since the conflict started, but not nearly as many as we would have thought,” said Ciaran Martin, the former CEO of the U.K.’s National Cyber Security Centre.
“The idea that war was moving online primarily, which has been put around for a quarter of a century … certainly at this point in 2022 is not accurate,” Martin added. “Those who would be pushing that sort of line I think have been pushing a version of cyber that doesn’t exist.”
So far, hacking assaults on infrastructure in Ukraine have been far less than what everyone acknowledges Russia is capable of.
Shortly before the invasion began Feb. 24, a series of attacks temporarily disabled Ukrainian government websites, one of which was blamed on Russian intelligence services by the Biden administration and the United Kingdom. Ukraine’s government has also linked a Belarusian hacking group to malicious emails sent to Ukrainian military officials, and destructive malware wipers have been found in Ukrainian government and private sector organization websites.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters at the White House on Monday that Russia is continuing to conduct cyberattacks “to undermine, coerce and destabilize” Ukraine, pointing to the February website attacks.
But it is paradoxical that even as the Russian military has bombarded civilians across the country with bombs, missiles and artillery, blasting apartments, shopping malls and evacuation corridors, its cyberattacks have been limited in scope. President Volodymyr Zelenskyy has been able to hold video calls with the governments of several NATO countries detailing his nation’s needs. And even ordinary Ukrainians have been able to share videos of physical devastation by relying on functioning communications infrastructure. Ukrainian leaders have focused on requests for weapons and air power to fight back physically, rather than fighting Russia in cyberspace.
Both Senate Intelligence Vice Chair Marco Rubio (R-Fla.) and committee member Angus King (I-Maine) told POLITICO this month that they did not know the reason behind the lack of cyberattacks, with King adding that he “really wanted to get the answer.”
Without inside knowledge of Putin’s state of mind, it’s impossible to definitively figure out the relative importance of these factors. But here is the evidence for each of them:
Russia didn’t think it needed massive hacking
Russia has bombed wide swaths of Ukraine, and has cut off numerous areas, including the coastal city of Mariupol, from critical services. These efforts have effectively eliminated the need to use cyberattacks against critical infrastructure in the areas of Ukraine under bombardment.
Other experts agreed, noting that physical attacks can be even more disruptive than cyberattacks.
“Physical invasion trumps cyber,” Christopher Painter, the former cybersecurity coordinator at the State Department under both the Obama and Trump administrations, said earlier this month during a virtual Center for Strategic and International Studies event. “You don’t need cyber as much when you have tanks and planes on the ground and men on the ground, so maybe cyber … maybe it isn’t the perfect weapon.”
It all happened so fast
Another potentially important element is Putin’s apparent expectation that his troops would take Ukraine in a matter of days, and that he may not have given his military commanders full warning of his plans for Ukraine. Sophisticated cyberattacks, such as those that took down Ukrainian power stations in recent years and the SolarWinds hack that compromised at least a dozen U.S. federal agencies, take months to plan and execute. Dropping bombs on cities arguably takes less advanced strategic planning.
“If, as seems to be the case, Putin withheld knowledge of his invasion plans from large sections of the Russian military and intelligence bureaucracy, then they wouldn’t have had time to prepare those attacks, and you can’t just conjure up a powerful cyberattack overnight,” Martin said.
Russia has been trying and failing to do more
One possibility that U.S. officials floated earlier this month was the idea that the United States’ efforts to strengthen Ukrainian systems against cyberattacks in recent years had blunted some of Russia’s cyber offense. The New York Times reported earlier this month that U.S. Cyber Command had placed teams in Eastern Europe to interfere with Russian communications and attacks.
“We’ve worked very, very hard with Ukraine over the past several years,” Gen. Paul Nakasone, head of both the National Security Agency and Cyber Command, testified to the Senate Intelligence Committee at a hearing last week. “We had ‘hunt forward’ teams from U.S. Cyber Command in Kyiv. We worked very, very closely with a series of partners at NSA and the private sector to be able to provide that information.”
But other experts disagree that U.S. and NATO efforts alone are responsible for the lack of major successful attacks. Alperovitch pointed to confirmed past Russian attacks on U.S. critical infrastructure — such as the SolarWinds espionage hack discovered in late 2020, and the extensive interference in the 2016 U.S. presidential election — as illustrating that Washington’s cyber tactics at home alone are not enough to defend U.S. systems.
“The reality is the Russian cyber forces carry quite a punch, they are highly capable, and whatever we may have done in Ukraine the last couple of months would not have stopped them,” Alperovitch said. “If we have some magical defensive capabilities, don’t you think we would have used them here to defend our own networks against Russian forces?
“Are you going to tell me that in two months we were able to achieve in Ukraine what we weren’t able to achieve in 30 years here?” he added. “That is just nonsense.”
Putin has something up his sleeve
Some officials argue that Putin might be relying on the cyber threat for its deterrent effect, seeking to intimidate the U.S. into avoiding actions such as allowing the transfer of fighter jets to Ukraine. But once a cyberattack takes place, its ability to deter the U.S. fades.
As Painter warned, Russia could be “holding those capabilities in reserve,” while Senate Intelligence Chair Mark Warner (D-Va.) told POLITICO last week that “we have not seen their A-game tools.”
“The conflict is still early and we don’t underestimate Russia’s willingness to use cyber to go after Ukraine and to go after us,” House Intelligence Chair Adam Schiff (D-Calif.) told reporters earlier this month.
Other nations are learning lessons from the conflict
It’s important not to infer that Russia’s invasion of Ukraine is now the new standard for the conduct of cyberwar. After all, the invasion has not gone as Putin had hoped it would, and Russia is not the only nation with advanced cyber capabilities.
China’s cyber capabilities likely exceed Russia’s, and China could look to lessons learned in Ukraine to inform its tactics for a potential invasion of Taiwan.
Arguably, imposing more of an information blackout on Ukraine would have served Russia’s interests better, both by making it harder for Zelenskyy to cultivate international support, and by disrupting communications within Ukraine. And successful cyberattacks that disrupted transportation and electricity in regions of Ukraine far from the front lines would have made it that much harder to resupply forces with weapons, ammunition, fuel and food.
“The Chinese of course are watching this, and they will draw lessons from what could have been done better or differently,” Hodges said.