In hybrid warfare, the lines between the commercial and military domains are often blurred, particularly when it comes to cyberspace. This can be seen in the Russia-Ukraine war, which has brought with it a range of cyber-related demands for both government and private sector actors.
Infosecurity spoke to defense and cybersecurity analysts about the current cyber landscape in Ukraine, the impact of digital connectivity and whether cyber-Armageddon is still a possibility.
The war in cyberspace began long before Russian troops staged their all-out invasion of Ukraine in February 2022, noted Dr Josef Schroefl, deputy director for Strategy and Defense at the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) in Helsinki, Finland, an organization that works closely with NATO and the EU on countering hybrid threats. Schroefl said that as of January 2023, Ukraine has registered more than 5000 cyber-attacks on state institutions and critical infrastructure since 2014.
By mid-2021, Schroefl said hackers had begun to target digital service providers, logistics providers and supply chains in Ukraine and abroad, aiming to gain access to both Ukrainian systems and those of NATO member states. These attacks rapidly intensified during the Russian troop build-up in early 2022, with the hackers increasingly using wiper malware against Ukrainian institutions.
After the invasion, websites of banks and government departments were attacked in a new wave of attacks, Schroefl said, also pointing to the attack on satellite operator Viasat. “The common goal of all these attacks was to shut down the command-and-control systems of the Ukrainian officials and especially from the military,” he added.
Ukraine has expanded and improved its defensive capabilities in recent years, Schroefl said, with support from Western nations, as well as private hacker groups and others. “Nothing has hurt Ukraine so much right now that it couldn’t stay online,” he said.
Commander Jacob Galbreath, head of the strategy branch at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), said that while it is premature to provide a holistic overview of the use of cyberspace in the war, there has been a convergence between information operations and cyber operations, forming what could be seen as a new norm in cyber warfare.
CCDCOE is a Tallinn, Estonia-based organization that supports the alliance but is not an operational part of its command structure.
Information operations cover a range of activities focused on information, such as strategic communications, public affairs and psychological operations, Cmdr Galbreath said. It is not necessarily offensive or defensive, but is focused on anything related to information and how it is relayed, including disinformation or misinformation.
Cyber operations, on the other hand, focus on the protection, verification and integrity of that information, maintaining its security in the defensive role and attempting to gain access to information in the offensive role. In the Russia-Ukraine war, there has been a convergence between the two, at least on the Russian side, Cmdr Galbreath said.
"It is not the first cyber war, but it is probably the first one where most average global citizens can see the ramifications"
“When there's a cyber effect, it seems that there's sort of information operation tied to it – the goal is to influence, the goal is to change or provide misinformation or disinformation or divert attention away from or to things as a means to the end,” he said.
Secondly, Cmdr Galbreath added, there has been an increased reliance on industry and private companies in different aspects of the war, notably in cyberspace and in operations involving a mixture of cyberspace with different domains, known as multi-domain operations.
“It is not the first cyber war, but it is probably the first one where most average global citizens can see the ramifications of cyber being used in warfare in the field,” Cmdr Galbreath told Infosecurity.
The question, then, is what happens if relevant organizations decide they do not want to provide a necessary service during a time of conflict?
“If a company decides that it just doesn't want to provide a service, even though it may be under contract, what is the fallout of that, especially if you are the nation state that is losing that service?” Cmdr Galbreath asked.
Civilians and Combatants on the Same Network
James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic & International Studies (CSIS), a US think-tank, said the war has demonstrated the ubiquity of digital connectivity.
“Civilians are as much involved as combatants. It changes how you collect intelligence; everyone with a cell phone is an intelligence collector,” Lewis said. “The biggest surprise for me was that we're all part of the same network now. And it's a much different war than the wars of the past where there was a harder line between combatants and civilians.’
Lewis also pointed to the convergence of influence, cyberspace and electronic operations with more traditional kinetic operations. He highlighted the changing attitudes towards data localization, with data now being stored beyond national borders to protect it. Third, he said the war had highlighted the importance for a “whole of society effort” in building protection against cyber-attacks.
"Done the right way, cyber defense is better than cyber offense"
A “cyber apocalypse” stemming from overwhelming Russian cyber-attacks has not yet been realized, despite 12 months of conflict. Lewis said Ukraine has almost a decade of experience of defending itself from attacks, and with the help of an international community of supporters, has been highly resilient. “That’s one of the biggest lessons, too – done the right way, cyber defense is better than cyber offense,” Lewis noted.
Schroefl said Hybrid CoE experts see three possible explanations for the lack of a “cyber-Armageddon.” First, that Russia’s focus on other domains (land, sea and air) meant it lacked time to prepare virtual bombs. Second, that Ukraine was sufficiently prepared to defend itself, particularly given the support of western nations and non-state actors.
The third hypothesis – uncertainty – is "the most unpleasant and dangerous," he said. Essentially, this posits that a massive attack is not missing, but simply has not yet been triggered.
“No matter which hypothesis might be the correct one, the lessons from Ukraine call for a coordinated and comprehensive strategy from the EU and NATO to strengthen defenses against the full range of cyber destructive, espionage and influence operations,” he concluded.
The cybersecurity community at large has felt the affects of the war on the threat landscape and this is likely to continue as the conflict drags on into 2023 with no clear end in sight.