Shaping the future of cyber operations: lessons learned from Ukraine [update]
Dernière mise à jour : 14 févr.
In his 2013 book, “Cyber War Will Not Take Place” Thomas Rid argues, “cyber-operations in wartime are not as useful as bombs and missiles when it comes to inflicting the maximum amount of physical and psychological damage on the enemy.”
From day one of the Russian offensive, cyber experts and advocates have been looking for the « cyber » smoking gun in Ukraine. Russia is unarguably a “first class” country in cyberspace and probably one of the few countries skillful enough to launch destructive cyber-attacks to achieve its strategic goals in support of kinetic operations. Thus, as the crisis escalated before 24 February 2022, fear of a « cyber shock and awe » grew. However, so far, the Russo-Ukrainian war reminds us that war is still "flesh and steel" . Mud and geography still impose their rules, and logistics are critical to both sides. Does it mean that cyber operations are ineffective, too weak, and unable to produce any strategic value?
To answer this, one must first explore how Russia is shifting from the use of cyber operations in hybrid conflict to wartime. This is worth a look as Russia has a strong military background in information operations (IO) and electronic warfare (EW). Russia has also a strong reputation in clandestine cyber operation. "SolarWinds" is undoubtedly a masterpiece we have to keep in mind while assessing Russian capabilities. Understanding how to integrate cyber operations into a large scale, mainly air-land, campaign can inform our own processes. It must also contribute to shape our own military model especially when the French Strategic Vision is highlighting the need to « win the war before the war » and emphasizing the critical role of information dominance. On the other side the way Ukraine, with no military command dedicated to cyberspace, is fighting in the “fifth domain” is equally instructive to understand the very changing nature of cyberwarfare.
As western armed forces are building up their Cyberforce and developing Multi dimensional Warfare doctrine, the war in Ukraine is a wakeup call to speed up the process. Russia failed to integrate cyber offensive capacities in its shift from low to high intensity. This shift is not only a matter of force structure, logistic and fire power; it may broadly have an impact on how the entire chain of command integrates new fighting domains. What Russo-Ukrainian war tells us about the nature of cyberwarfare is that shifting from a covert proxy war to a high intensity campaign requires specific capabilities, human resources, and task organization.
What have we seen?
For a wider view than that of the most recent weeks of the conflict, we may analyze Russian cyber operations starting in 2014. What are Russia’s cyber offensive capabilities; How it integrates cyberattacks alongside conventional or special operations is key to understand the shift from low to high intensity conflicts.
Clandestine actions and Hybrid Warfare phase.
Cyber conflict between Russia and Ukraine has its roots in the lasting strategic confrontation between the two countries. Looking back to the early 2000’s, Ukraine was repeatedly targeted by Russian special operations whether in cyberspace or in the physical domain. In this early stage, cyber operations mostly gathered intelligence without being detected or supported political destabilization. From 2014, and the first hybrid operation, to the 2022 conventional invasion, Russian cyber activity mostly consisted of major Advanced Persistent Threats (APT) such as Turla, Sandworm, APT 28 or APT 29.
Records of disruptive cyberattacks between 2014 to 2017 show attempts to target the power grid (2015 and 2016) leading to few hours of local disruption for around 230,000 customers in western Ukraine. Then, election interference (2014) targeted computer systems of the Central Election Commission. These also contributed to fears of Russian interference in the democratic process.
All put together, none of these attacks had a real strategic value apart from signaling effect. However, during this “hybrid war” phase, one cyberattack had a significant impact on Ukraine and caused collateral damage far beyond what was initially expected. In 2017, a self-spreading malware sneaked into the Ukrainian private sector IT system and irreversibly encrypted data. Pretending to be a ransomware, NotPetya’s purpose was to cause maximum damage. The tactic used to deploy the malware led cybersecurity experts, UK officials, and the US to blame Russian responsibility. This widely publicized example of a large clandestine disruptive operation is almost the only documented example to be analyzed by western staff officers for lessons learned.
Still during this first phase of conflict, Russian intelligence agencies conducted most of the offensive activities. Hence, their unique advantage was to proceed in secret and provide “plausible deniability” to Russian authorities. A primary aim of a cyber operation is to collect intelligence through Computer Network Exploitation (CNE) and provide materials for subversion (leaks). Offensive capabilities are then subject to a set of challenges including, avoiding detection, assessing effects, reducing collateral damage, protecting specific tools and infrastructure, targeted intelligence to tailor the malware, etc. Consequently, cyber operations during a hybrid war phase rely on a specific momentum, a high level of secrecy and are hardly integrated with other military activities included Special Forces. Years of cyberattacks in hybrid operations in Ukraine apparently produced poor strategic value and failed to achieve Russian dominance over Ukraine. It also sowed the idea that cyber operations are always covert or clandestine, thus being less attractive for the conventional Russian military apparatus.
Unleash hell ! or not...
Since February 2022, as the conflict shifted from low-intensity / hybrid to a high intensity / conventional war, disruptive cyber operations in support of the Russian air-land campaign are yet to be documented. One could argue that we missed the point here: cyberattacks may have occurred but Ukrainian cyberdefense, and its allies simply prevented them. If true, excepted the ViaSat cyberattack, none of the Russian attempts to degrade, disrupt or deny Ukrainian freedom of maneuver in cyberspace was a success. Nevertheless, Microsoft observed close to 40 “destructive attacks … targeting hundreds of systems”; more than 40% of these “were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and civilians.” The important word here is “could”. Cybersecurity experts are raising questions about some key points of the Microsoft report, namely the claims about a combined physical and cyber-attack on a nuclear power plant.
Surprisingly, most of the tactics and tools such as DDoS attacks or data wiping are not new and barely at the state of the art. Disruptive operations in support of regular military action seem then to mobilize less sophisticated capabilities than large-scale intelligence gathering operations, network exploitation and advanced persistent threat (APT). Are we then facing the same teams?
Attempts to disrupt Ukrainian command and control, communications or power grid failed whereas at the tactical level traditional electronic warfare activities support troops on the frontline. Shifting from clandestine hybrid operations to disruptive actions in support of an uncovered face conventional offensive seems to be quite challenging. When avoiding attribution is no more a concern one could easily ask why those operations are still led by the intel community.
Information warfare is not a myth in the digital age and....it works !
Years of hybrid approach of conflict shaped new capabilities for information operations (IO) in the Russian course of action. Combined use of electronic warfare, SIGINT and message delivery in support of the targeting process seems quite effective, at least since 2014, and one would expect Russian forces to deliver such effects during the initial assault phase.
Sending text messages to Ukrainian troops or family to degrade morale and encourage them to surrender or to break operational security procedures is a masterpiece of information operation. From late 2014 to 2016, a Russian malware was able to retrieve communications and locational data from devices used by the Ukrainian artillery, at the tactical level it enabled Russian artillery strikes in support of pro-Russian separatists in eastern Ukraine.
Eight years later, Ukrainian troops learned from their mistakes and very few examples of such successful deliberate targeting are reported. Instead, massive use of jamming capabilities and large scale artillery shelling are replacing targeted hybrid tactics.
Information warfare is not limited to tactical support; the changing nature of IO is much more tangible in support of political objectives, or to directly strike strategic targets and international audience. Understanding the impact of social media on how people and leaders address a situation is what differentiates the most between the 2014 hybrid and the 2022 conventional phases.
As disruptive cyberattacks had a questionable effect, one cannot forget the impact on the population and the growing feeling of fear and frustration generated during the pre-invasion phase. This point should be considered when assessing low-intensity or low-impact cyberattacks. One official website offline for a couple of hours, large scale defacements or a multiple services disruption may not have a strategic impact comparable to a missile strike but generate a feeling among the population and the defenders hardly assessed. Those are tactics directly inherited from guerilla type warfare. Small bites lower the morale and the fighting spirit but can hardly be decisive by themselves.
Digital information operations in this war are a critical part of the conflict both to gain international support for Ukraine and to spread misinformation and disinformation on the Russian side.
What have we learned and is it relevant?
Ukraine was probably a cyber-sandbox for Russia during the hybrid phase between 2014 and 2017. The World-class actor conducted massive cyber espionage and was probably deeply enrooted in most of Ukrainian critical infrastructure. What Russo-Ukrainian war tells us about the nature of cyberwarfare is that shifting from a covert proxy war to a high intensity campaign requires specific capabilities and task organization. It also requires a strategy to operate both with the latest technology and at the same time old-fashioned methods to avoid enemy jamming or cell phone trapping capabilities. Ukrainian troops use methods like runners and dispatch riders, or wired networks.
Russian relative use of cyber disruptive operations is far from a sign of weakness and inefficiency but more likely a proof of mis-integration and failure to adapt its cyber force to this type of confrontation. Years of covert operations conducted by the Russian intelligence community proved their ability and technical skills, the missing point is how to coordinate or integrate those capabilities within a conventional military operation. The Russian military apparatus seems to experience the lack of trained and educated cyber operations planners. The lack of understanding of how to integrate effects from cyberspace operations into plans combined with the misunderstanding of military planning by those in charge of offensive military operations (hackers group or intelligence officers) lead to a dead end.
Therefore, at the tactical level, electronic warfare is still a major tool to disrupt and degrade adversary freedom of maneuver in cyberspace and at the strategic level; intelligence agencies play their own game targeting political and military high value targets.
To assess and analyze Russian cyber operations in Ukraine we also have to change the way we think of it. As Lauren Zabierek says, “Just because certain expectations of the use of cyber have not matched what we have thus far observed does not mean that Russia is not using cyber to achieve intended effects against Ukraine.” Thus as one expected the “big one” or a Cyber-gedon, we’ve learned in this conflict that Cyber and military operations serve different objectives and “Cyber operations are most effective in pursuing informational goals, such as gathering intelligence, stealing technology or winning public opinion or diplomatic debates.”
The changing nature of cyberwar puts the stress on information dominance. The first large-scale conflict of the social media era, the war is followed world-wide on Twitter, Telegram, Tik Tok and others platforms. Lack of trusted sources and implication of the private sector turned social media to a tactical asset. Open-source intelligence and commercial satellite imagery now provide tactical data for both sides this quickly contribute to replace defaulting regular military systems
This may probably be the most relevant lesson form this war. Smartphones and publicly available technology could be enablers in every soldier’s pocket. The ability to report enemy positions and movement, document with videos and picture, access to satellite imagery or high-speed internet connection is a game changer for the population and for the armed forces. Therefore, to shape our future cyberforce we may not only consider lessons learned from Russia because they have a full range of capability, but we may also take into account how a country without a dedicated cyber military organization is fighting.
Protecting targeted audience from massive online disinformation appear to be a collective line of effort. From service members to civilians, from military leaders to political decision makers, understanding the strength and weakness of our information processing system seems to be the core of a in depth defense. Integration of cyber capabilities into more conventional military operations appers to be quite challenging and requires educated and trained staff officers.
Russia proves today that Cyber is a tool among others for the force commander, and it is not a magic bullet.