Prior to February 2022, many experts held the view that the conflict between Russia and Ukraine would remain in a state of "smoldering" in the gray zone, where cyberspace would be extensively utilized for hostile activities that would be "on the verge of war." Cyber operations were considered a convenient alternative to the kinetic competition between technologically advanced nations. However, the Russian kinetic invasion of Ukraine has shown that when one of the parties believes that its vital interests are at stake, activities in the gray zone, including cyber operations, may not be sufficient. Russia's strategic objective was to physically conquer the territory of Ukraine, and activities in cyberspace proved inadequate to achieve this goal. As soon as the threshold of war was crossed, the role of offensive activities in cyberspace also shifted.
Regarding this matter, two potential scenarios were envisioned by analysts before February 2022, with regard to how cyber attacks could be employed during an armed conflict in the 21st century. Some experts believed that cyber offensive activities would be used either as complementary to kinetic actions or as their local substitutes. On the other hand, some other experts emphasized the synchronization of activities in cyberspace with kinetic actions to enhance the effectiveness of the latter. However, an analysis of the revealed cyber attack campaigns targeting Ukraine and their co-occurrence with kinetic actions suggests that neither of these hypotheses holds true. Apart from the attack on the satellite internet provider Viasat, no significant cyber attack aimed at destroying physical infrastructure was reported. Furthermore, the coordination of kinetic and cyber attacks in the same area was infrequent and had no significant impact on the progress of the conflict. The possible coexistence of both forms of attacks could be attributed to the mass nature of cyberattacks, which appeared to be correlated with activities in other domains due to their scale.
Materials published by analytical and government centers from countries belonging to the "Five Eyes" alliance (USA, UK, Canada, Australia, and New Zealand), which have close cooperation agreements between their intelligence institutions, represent a valuable source of knowledge on the present and future role of cyberspace in warfare. The joint statement issued by the cybersecurity institutions of these countries at the end of April 2022, warning against the actions of criminal groups supporting Russia in the war with Ukraine, adds to the significance of this source. Based on this, four main observations can be made.
Firstly, the Russians failed to sustain the initial rapid pace and large scale of cyberattacks, as indicated by the use of six to nine malware families. After three months, the intensity of activities employing wipers - computer worms that damage data - and other types of malware, had clearly declined.
In practice, maintaining an offensive in cyberspace is highly challenging. Developing effective cyber weapons and keeping them up-to-date is much harder than with conventional weapons. This is due to the "life cycle" of cyber weapons, which takes longer to detect a new vulnerability and use it to launch an attack. When Russian troops physically crossed the border, the advantages of using cyber weapons were greatly diminished, including difficult attribution, non-territoriality, and the avoidance of human casualties to prevent an escalation of the conflict. In such situations, artillery, rockets, and UAVs become more effective tools than cyber attacks. Therefore, the use of the cyber domain is not only specific to Russian capabilities but also to any entity that must engage in long-term offensive activities in cyberspace. A well-planned strategy for the use of cyber weapons is necessary, and their massive use in the future will be primarily the domain of the US and, possibly, China - entities with the greatest potential to maintain the pace and restore capabilities.
The second observation is that the assistance of Western allies, including private companies, played a significant role in limiting the effectiveness of Russian cyberattacks. Experts from the US Cyber Command, who visited Ukraine just before the invasion, may have contributed to Ukraine's successful cyber defense. This assistance was likely part of the Defend Forward and Persistent Engagement strategies in cyberspace. Additionally, Ukraine's decision to migrate critical data to the cloud and protect it with the help of Snowball devices provided by Amazon Web Services, as well as support for communications from companies like Starlink and data from satellite imaging, all played a crucial role in aiding Ukraine's defense efforts. As a result, much of Ukraine's sensitive data was transferred and protected by Western entities, including Microsoft.
It can be inferred that providing assistance to allies in cyberspace is comparatively simpler than in other domains such as land. Notably, leading technology companies from the West have provided significant support to Ukraine, largely driven by noble motives. It is important to note that these companies do not owe allegiance to national authorities, and the US government cannot compel them to support American allies. However, this raises the question of whether these companies will extend the same level of commitment and determination to support other US allies. Furthermore, American companies find it easier to assist Ukraine because Russia was not a crucial economic partner before the war. Additionally, the experience gained from Ukraine has enabled cybersecurity companies to better protect all their clients.
Thirdly, before the invasion, Russian activities in cyberspace were not advanced and mainly focused on influencing through disinformation. It is likely that this approach will continue to be the primary use of cyberspace in the gray economy. This aligns with the Doctrine of Cognitive Effect introduced by Great Britain, which aims to manipulate data accessible to an adversary in such a way as to create and maintain a false perception of reality, which can then be exploited for one's own benefit. This strategy was used by Western intelligence agencies against the Islamic State and is likely to become a crucial element in the fight against Russia and China, as information warfare not only directly supports military action, but also plays a crucial role in strategic communication.
Fourthly, Ukraine's defense activities included the formation of the "IT Army of Ukraine," comprising volunteers from around the world. The effectiveness of their actions is still subject to further analysis. One outcome of this effort was the incorporation of a feature into the Diia government app for reporting damage caused by Russian actions and the location of enemy troops. With financial support from the US, this system may gain popularity in other countries. The importance of ICT solutions for national defense, accessible to all citizens via smartphones, will increase. However, integrating these capabilities into the decision-making process during warfare will be a significant challenge. It will be crucial to integrate such capabilities with the information systems of the state and armed forces, which will prove challenging for NATO countries. The problem is not only the level of cybersecurity and data analysis but also ensuring that communication meets the required standards to sustain it during wartime.
The constantly evolving use of cyberspace in warfare is being validated by the Russia-Ukraine conflict, shedding light on expert assumptions regarding cyber operations. The offensive nature of activities in this domain necessitates significant resources, which only a few international actors, including private companies, can access. Cyberspace is expected to remain significant until the conflict's hot phase begins, as it is best suited for activities on the brink of war and less effective in military operations.
Authors: Dominika Dziwisz (PhD) and Błażej Sajduk (PhD)