Cyber and information operations during Russia’s war on Ukraine highlight essential lessons for possible future conflict. These include the critical need for whole-of-society resilience, the role of private industry in cyber defence, and the importance of understanding Russia’s distinctive information confrontation doctrine.
In theory, the study of information operations in Ukraine should provide valuable operational lessons for Ukraine’s Western backers in the same way that analysis of conventional operations does, whether or not the lessons are then acted on. The experience of open conflict involving a near-peer cyber power ought to validate or disprove a great deal of prior theorizing about the nature of cyber conflict, as well as the value of cyber and information power overall. In practice, the lessons observed from Ukraine are not universal: specific features of the war mean that not every lesson from it will transfer seamlessly to consideration of future clashes between Russia and other nations, including NATO allies. This chapter therefore draws together observations from the conflict broken down by key themes, and assesses whether they may be relevant for guiding preparations by NATO allies and partners for both current and future defence against Russia.
Resilience and opposition
Russia’s conventional military performance in Ukraine has fallen far short of expectations. But in the cyber and information domains, Russia’s failure to achieve many of its objectives appears to have as much to do with the presence of active and dynamic opposition as with Russia’s own shortcomings in planning, foresight or allocation of resources.
In the wider world, this presents a striking difference from previous information operations in which Russia often achieved success through shooting at open goals because the target had little interest in defending itself. Russia’s performance in the cyber and information domains also fits a broader pattern of geopolitical interaction, where Russia fails in its ambitions if it encounters determined opposition. As described by Sir Jeremy Fleming, outgoing chief of the UK’s GCHQ signals intelligence agency, ‘Ukraine has shown that the defender has agency’ – this has been a key determinant in the country’s continued survival.
However, Ukraine has also maximized its benefits from a set of unique advantages in the conflict. Legislative agility has enabled the rapid adaptation of the legal framework to meet novel requirements that have arisen as a result of the war, such as legalizing the evacuation of state data and beginning to regularize the status of the ‘IT Army’ of volunteer cyber activists. Necessity has also led to technical invention, allowing Ukraine to shortcut design and procurement processes to introduce new capabilities that many Western countries would have taken years to approve, adopt and roll out.
Ukraine also has not only the benefit of understanding the language, doctrine and mental construct of its aggressor, but also the experience of almost a decade of watching Russia wage war. Specifically, Ukraine learned much from being in effect a live firing range for Russian cyber capabilities over a period of years. This provided Ukraine and its backers with the opportunity both to acquire a deep understanding of Russian operations and to harden systems and infrastructure against them. As the February 2022 invasion loomed, this preparedness facilitated measures to disperse and evacuate crucial services and data to make them harder targets for kinetic attacks, and – to an extent that is debated – provide resilience in communications so that anticipated attacks on systems such as Viasat did not trigger catastrophic failures.
Ukraine also benefited from foreign support in opposing Russian information measures directed at other audiences around the world. This was decisive in the Euro-Atlantic area in countering Russia’s strategic information campaign to prepare for war. Intelligence disclosures by Western powers ensured not only that Russia’s justifications for the war were pre-emptively countered and false flag operations neutralized in advance, but also that the invasion did not take most Western governments – with the exception of sceptical disbelievers such as France and Germany – by surprise. However, the evolution of patterns of support for Ukraine, along with ambivalence to the war around the world, indicates that even greater efforts are needed to win the information confrontation with Russia in the Global South.
Support from private enterprise
Russia continues to benefit from the success of its long-term information campaigns around the world, but in the cyber domain it is Ukraine, not Russia, that has friends in the fight. Ukraine has backing not only from friendly states, but also – perhaps even more crucially – from private enterprise. Major information technology corporations have concluded not only that they have a vested interest in ensuring security against attacks, but also that they can make a clear choice on values.
In contrast to any other domain of warfighting, in cyber and to some extent information operations, the entire domain is owned and controlled by private companies. The aspect of this in Ukraine that was not anticipated was that these private companies chose a side; and unlike in jungle or arctic warfare, where operating conditions are neutral and affect the performance of each combatant equally, the nature of the domain as a whole can be influenced to favour one party to the conflict or the other. This meant that in Ukrainian cyber operations, the entire domain became a hostile environment for the aggressor. In addition, the nature of the conflict has meant that commercial actors have entered the battlefield directly and independently, rather than the more common model of being contracted by a state party to the conflict to provide support services.
In Ukraine, private sector corporations are providing capabilities and capacity that the government cannot. However, this presents a key advantage to Ukraine that may not be available to other states defending themselves against aggression in the future. If corporations decided to charge the full cost of their services to the victim – or indeed, not to offer their services at all – this would present a radically different set of choices to the current situation, where Ukraine benefits from many services offered on a pro bono basis or subsidized by friendly states.
In short, ‘unlike in classical models of shooting wars where armed forces compete against each other to control territory, conflicts that have a cyber dimension involve operating in computer networks that are controlled by private companies – and these companies have a significant ability to shape the outcome of those operations’. Ukraine’s interaction with Starlink drives home the message that it is critical to consider the extent to which any country can or should rely on a corporate entity, which is subject to an entirely different set of constraints and motivations, in matters of war and national survival.
Perceptions and the bigger picture
Just as the offensive by Ukraine’s armed forces in the autumn of 2022 gave rise to false confidence that territorial and military gains would continue and the end of the war might be close, so successes in information and cyber confrontation can give rise to misplaced optimism and even complacency, both among the general public of Western nations and among their elected leaders who are sensitive to the same information flows.
Russia has suffered tactical and operational reverses in technical terms, and local defeats in information confrontation, but at a strategic level it has not to date lost the information war. This presents a risk for the coalition of Western powers backing Ukraine, as a focus on local success has appeared to obscure the progress and importance of the broader, global conflict. This conflict requires Western planners to consider a longer temporal scale as well as broader conceptual and geographical horizons. Russia can and does use information warfare over decades-long timespans to achieve its objectives, through the slow erosion and corruption of resistance. Challenges to support for Ukraine based on misconceptions and false narratives fostered over the long term by Russia provide a clear example. This is not limited to fear of ‘escalation’ constraining weapons supplies, but also false ideas about Ukraine as a country, which prejudice the equally vital economic and political support for Kyiv. For future conflict, Western nations need to think as Russia does about strategic effects that are long-term, not immediate.
Part of combating this challenge is a public awareness function. Compared to attacks by missiles or tanks, cyber operations can be as imperceptible to ordinary citizens as a potentially lethal but odourless gas. The result is that they only reach public awareness if they succeed and something breaks or someone is unable to communicate – even then, it takes reporting by mass media, which is itself sometimes unable fully to comprehend what has occurred, to explain to the public what has happened. Consequently, success in cyber defence remains doomed to invisibility. The archetype illustrating this challenge is the Y2K bug, where enormous effort in solving the problem, with vast expenditure of time and resources, was rewarded with the public largely believing that because there were next to no adverse consequences, there must have been no problem to begin with.
Greater effort should be applied to deliver the message to Western publics that success in defence – of the kind seen in Ukraine – takes preparation, resources and constant effort. But this awareness is also challenged by both secrecy and obscurity surrounding cyber activities. Secrecy because the nature of many targeted institutions – military and government agencies but also banks and financial institutions – leads them to be discreet about their areas of strength and vulnerability. Obscurity because the nature of cyber operations renders them largely incomprehensible and inexplicable to most of the population. The challenge of raising awareness among the general public, or decision-makers without technical knowledge, was illustrated by a Microsoft report cited repeatedly in this paper. Aimed at raising understanding among non-specialists, the report was then criticized by specialists for not including supporting evidence or ‘professional estimative language’. This demonstrates the continuing challenge of reconciling very different and perhaps incompatible communication needs for different audiences: technically oriented reporting for professionals; and simple, generic explanations for the public and, to some extent, decision-makers.
Cyber operations in war
For most of Russia’s conventional forces, the full-scale invasion of Ukraine in February 2022 marked a new phase of the conflict – but not in cyberspace. Measures that would be expected from Russia during what it defines as the ‘initial period of war’ had either already been undertaken long before, or – as noted earlier – were not taken at all, because of a misplaced assumption that no real war would be fought.
It may be true that, in general, ‘the idea of cyber operations being a competitive alternative to kinetic measures to cause decisive, large-scale, long-lasting and destructive effects has been exaggerated’. But the experience of Ukraine may lead to the realization that once military operations are under way, the exercise of cyber power is just one tool among many, and the circumstances under which it will be the decisive one are far more limited. Cyber effects, potentially dramatic when considered in peacetime, recede in relative significance in the context of high-intensity warfare. The primary effects of cyber operations are instead integrated and cumulative: ‘The question is less how a single wiper has influenced the 2022 invasion of Ukraine, and more how the persistent use of disruptive cyber capabilities has provided strategic value to Russian war efforts.’ Despite Russia’s strategic failure, based on a fundamentally flawed appraisal of the situation in Ukraine in February 2022, this framing allows an appreciation of the distinctive benefits that cyber operations have brought to the Russian war effort, particularly in the fields of disinformation, deception, distraction and demoralization. Cyber capabilities are also a key element of Russia’s ambition to achieve information isolation for control and indoctrination of its own population, as described above (see Chapter 4).
Furthermore, the fact that attitudes to the escalatory nature of cyberattacks are still not fully determined in an international context means that they are potentially of greatest utility during notional peacetime, when more direct interventions such as firing a missile are not an option but when a cyberattack can be launched without necessarily going to war. However, the example of Ukraine illustrates that when cyber is integrated as part of a warfighting toolkit, it may not necessarily deliver the game-changing effect in purely military terms that has been widely ascribed to it, because simpler and more direct methods of achieving the same outcome are no longer off the table in unrestrained conflict. Based on observation of operations in Ukraine, this has led to the following conclusion in some analysis of active hostilities: ‘Probably, the most important wartime cyber-activity, on both sides, is that aimed at intelligence gathering or psychological warfare rather than destruction.’ This, too, highlights how considering cyber operations as a direct alternative for kinetic options is just one aspect – a very limited one – of the range of applications for cyber activities as conceptualized by Russia and as implemented on an ongoing basis against its Western adversaries.
Once conflict is under way, any notional role of cyber operations as a substitute for conventional attack falls away and the question is more of the extent to which cyber effects can be integrated in a combined-operations plan – including, as necessary, targeting centres of sustainment (like stores, depots or production facilities) for advantage in an extended attritional conflict. As noted above, the extent of direct coordination between information and kinetic operations by Russia remains open to question, but campaigning in Ukraine has confirmed in action the conceptually integrated nature of Russian information warfare, spanning the boundaries of espionage, destruction, and instrumentalization of information – an impression fully supported by the nature of the Vulkan contracts described above, encompassing all of these activities and more. According to Microsoft: ‘The lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations. As the war in Ukraine illustrates, while there are differences among these threats, the Russian Government does not pursue them as separate efforts and we should not put them in separate analytical silos.’ In particular, information aspects of the war on Ukraine argue strongly against treating social media as the centre of gravity of disinformation efforts while ignoring other elements, such as the human (like agents of influence) and the technical (like platform-wide censorship, information interdiction, or disruptive attacks on cyber-physical systems for cognitive effect).
The progress of operations in Ukraine not only highlights the interdependence of cyber and information activities. It also demonstrates the interdependence of both of these types of activity with physical events and infrastructure, and with the actions and decisions of human beings. A simple example is the dependence of telecommunications on the power grid. In circumstances where the adversary is deliberately targeting power generation and transmission – as Russia did in Ukraine in the autumn of 2022 – delivery and servicing of emergency generator or battery power to thousands of telecoms sites and data centres becomes an essential cybersecurity priority and a major and largely unanticipated logistical challenge.
None of the aspects of information confrontation described in this paper can be considered in isolation from its dependencies in the physical world – whether this means cyber operations relying on control of network infrastructure, or cognitive operations dependent on a willing or susceptible human audience. In this respect, the integration of both private industry and volunteer civilian efforts into both information and cyber activities during wartime raises serious questions of legal status and exposure to risk that should, as far as possible, be resolved. Legal stipulations – including the finding that ‘existing international legal rules and principles already provide a workable legal framework that significantly limits the deployment of information operations by states and non-state actors’ – will be as irrelevant to Russian decision-making in the information domain as in any other, but they are a vital component of ensuring that Ukraine, or any other future victim of Russian aggression, retains the moral high ground. As such, they represent a key enabler for maintaining international support.
Outlook
In public commentary, expectations periodically arise not only of a renewed intensity of cyber conflict within Ukraine itself but also of potential greater risk of spillover to its Western partners. It should be remembered that promises of escalation from Russia are constant. As ever, a real and genuine uptick in activity by Russia directed beyond Ukraine would have to be distinguished from the constant background noise of threats of action – including those made as a direct response to comments by General Nakasone on US operations in support of Ukraine. However, current public assessments do not allow us to arrive at a clear conclusion over the extent of new Russian cyber capabilities that could be brought to bear in the event of direct conflict between Russia and one or more NATO states.
Assessments vary as to whether Russia has kept substantial manpower, resources and capabilities in reserve for a conflict it considers to be more important – in the same way that it has kept reserves of specific naval, air and non-conventional military capability – or whether it has in fact demonstrated the extent of its cyber power in Ukraine itself (and in operations already under way against Kyiv’s coalition of backers) and there is little more that would be evidenced in a future conflict. Public debate has seen a significant quantity of evidence-free analysis on both sides of the argument, at times with a strength of conviction on the subject matched only by the paucity of verifiable data on which that conviction is based.
Even apparently well-informed assessments can vary widely, however. One line of argument is that a minority group of Russian cyber units is carrying out sophisticated cyber operations in Ukraine: a ‘cyber militia’ is conducting the majority of attacks there, while the main body of Russia’s cyber power is held in reserve preparing for cyberwar against NATO. Some senior Western government cyber officials agree that ‘Russia is almost certainly capable of cyberattacks of greater scale and consequence than events in Ukraine would have one believe’, while the Netherlands’ intelligence and security services have stated that ‘the potential of cyber operations cannot be fully exploited by Russia’ – without explaining further.
More aggressive use of cyber capabilities against Ukraine’s Western backers is a potential route for escalation by Russia if it considers this will be helpful in deterring support for Kyiv. Microsoft noted in June 2022 that ‘Russia has been careful… to confine destructive “wiper software” to specific network domains inside Ukraine itself’. It is reasonable to assume that lifting that restraint would pose a significant cyber challenge to Western powers. It was noted above that the Viasat hack has been assessed as having required substantial planning and preparation, which supports the idea that Russia’s cyber forces were better prepared for the new invasion than its ground troops were. An alternative interpretation is that this was just one of a number of off-the-shelf attacks long prepared and kept in reserve – implying that other countries’ communications infrastructure might also be at risk from Russia pending an escalation of confrontation.
It may be true that Russia has achieved less success in the information domain than anticipated within Ukraine itself. However, in information as in other aspects, the conflict in Ukraine is just the front line of a much broader global contest. Seen from this perspective, outcomes in Ukraine are at most of operational significance. Strategically, the Western community of nations has far fewer grounds for optimism for the long term.
Ukraine may not be a good ‘test case’ for the development of cyber conflict theory for several reasons laid out in this paper: primarily, because cyber effects delivered by Russia may look different in the context of a war for which Russia has planned, targeting territory and populations it wishes to punish or damage rather than seize intact. However, the war has undoubtedly provided Russia with the opportunity to learn significant lessons on what is feasible and what is not in the cyber and information domain, against an adversary that has invested heavily in resilience and has friends both internationally and in industry. According to publicly released assessments by Mandiant, the GRU has learned, adapted and moved to a concept of operations ‘tailored for a fast-paced and highly contested operating environment’. The Mandiant authors add that ‘this operational approach may be mirrored in future crises and conflict scenarios where requirements to support high volumes of disruptive cyber operations are present’. With Russia’s land forces severely depleted, it is plausible that the reconstitution, reconfiguration and adaptation of tactics in information war will be significantly quicker than reconstitution of the army. It follows that continuing close attention must be paid to Russia’s discussion of information confrontation theory as well as implementation of information confrontation practice, in order to have as clear an understanding as possible of what to expect in the next iteration of Russia’s wars.
But the key universal lesson for any other country that may find itself the target of Russian aggression in the future is preparedness, including not only resilience at home but also building strong relationships with powerful allies and private industry. As the head of the UK’s NCSC put it in late September 2022, ‘you can choose how vulnerable you can be to attacks’. Ukraine’s resilience and continued survival have clearly demonstrated the immense value of making the right choice.