Maybe it was when a Russian officer, lacking an encrypted line, inadvertently blurted out to the world that the country’s highest-ranking uniformed officer had been killed that Russia’s mastery of cyber warfare first came into question.
That was in the first week of March. Russian cyber attacks on Ukraine and its allies since then “simply have not had the intended impact,” Lindy Cameron, chief executive at the UK’s National Cyber Security Centre, said on Wednesday. Why?
This lack of Russian success could be considered unexpected. However, the reasons for it can be attributed to three elements: impressive Ukrainian cyber defences, incredible support from industry partners and impressive collaboration between the UK, US, EU, NATO and others.
Cameron does not downplay the threat Russia still poses. Moscow has landed a few punches, after all. A European Parliament briefing from June lists some examples:
On 14 March, the CaddyWiper malware infiltrated the systems of several Ukrainian organisations reportedly in both the government and the financial sectors.
Two days later, a false message was aired on a Ukrainian TV channel, claiming that the Ukrainian President, Volodymyr Zelenskyy, had called on the population to surrender. A complementary deepfake video of Zelenskyy was shared on a Telegram channel.
Cyber-assaults targeting Ukrtelecom and WordPress sites caused a connectivity collapse and restricted access to financial and government websites (28 March). On 30 March, the MarsStealer information stealer accessed the user credentials of Ukrainian citizens and organisations.
None of these attacks altered the course of the war, Cameron says:
While these attacks may not have been apocalyptic in nature, this was not necessarily their purpose. Their actions suggest a clear rationale to reduce the Ukrainian Government’s ability to communicate with its population, impact the Ukrainian financial system at a time of heightened concern and divert Ukrainian cyber security resources from their other priorities.
But Russia doesn’t seem to have had much success interfering with communications, either. Although a “wiper” malware called AcidRain was deployed on the eve of the invasion to attack and render useless an American satellite company used by the Ukrainian military, Elon Musk’s Starlink network soon filled the void.
Christopher Bronk, Gabriel Collins and Dan Wallach at Rice University’s Baker Institute for Public Policy write that another “related surprise was the absence of a massive set of cyber attacks aimed at Ukraine’s critical infrastructure”.
In 2015 and again in 2016, Russia conducted against Ukraine some of the cleverest hacks of electricity infrastructure seen anywhere thus far (Assante 2016). A year later, Russia launched Petya/NotPetya, a massively destructive set of false ransomware attacks against Ukrainian government and commercial targets.
Petya had a far-reaching impact on firms beyond Ukraine as well, not least the well-documented destructive attack against international cargo carrier Maersk (Greenberg 2018). We have not seen the same sort of enormously destructive cyber attack launched against Ukraine this year, although it is possible that such attacks may have been launched and were either unsuccessful or were rapidly repaired.
Perhaps Russia made Ukraine “match fit over the last ten years by consistently attacking them,” as Cameron suggests? Bronk, Collins and Wallach appear to agree, arguing that Russia “went for broke” with its earlier campaigns in Ukraine and Syria and that “lessons learned” have been applied since February, “blunting the impact of the cyber attacks now”.
There’s also a chance that cyber attacks are more effective in “cold” wars, when they’re used to sow “confusion and inflame existing discontent,” as in the US ahead of the 2016 election, writes James Lewis at the Center for Strategic and International Studies. In a hot war, and “used in an ad hoc manner, or when uncoordinated with air and ground actions,” even the most sophisticated lines of code can prove relatively ineffective.
But triumphalism would be a mistake, and Cameron warns that Putin is likely to act in “unpredictable” ways as his offensive loses steam. She nonetheless ends her speech somewhat optimistically:
If the Ukrainian cyber defence teaches us a wider lesson — for military theory and beyond — it is that in cyber security, the defender has significant agency. In many ways you can choose how vulnerable you can be to attacks.
This activity has provided us with the clearest demonstration that a strong and effective cyber defence can be mounted, even against an adversary as well prepared and resourced as the Russian Federation.
All of which reminded us of a conversation Alphaville had with a cyber security expert earlier this month:
Cyber attacks can do huge amounts of damage, of course they can. But if you wanted to hit a water company, for example, it would be way easier to bribe an official or jump over a fence and dump stuff in a reservoir than it would be to hack into the company’s network.
Is the world on fire? Always. Is everyone constantly under attack from everyone else? Always. But should Joe Bloggs on the street lose too much sleep about cyber attacks? I don’t think so.