Russia’s full-scale invasion of Ukraine in February 2022 confounded many expectations about Russian military capabilities and Ukrainian resilience – including in the cyber and information aspects of the war. This paper examines Russia’s deployment of cyber and information operations against Ukraine, assesses the effectiveness of Ukrainian responses, and outlines potential lessons for other states.
Many factors contributed to the failure of Russian cyber and information operations to achieve their intended effects. Ukraine had a long time to familiarize itself with its opponent’s methods in the eight years since Russia’s seizure of Crimea and parts of eastern Ukraine. Russia also badly misjudged Ukrainian resilience, failing to anticipate its adversary’s resourcefulness and whole-of-society approach to mobilizing formal and informal resistance. Crucially, too, Ukraine received – and continues to receive – substantial support from tech firms in the West.
Other states looking to learn from the Ukrainian experience should consider, among many factors, the need to be pre-emptive in detecting and monitoring threats, and to ensure that national defence strategies take full account of the interdependencies between different types of Russian operations. There is also a need to review closely the legal implications of wartime activities conducted by civilians and private sector companies, as such activities may blur the distinction between combatants and non-combatants.