Mar 9, 2023

The Reason Russia's Ukraine Cyberattacks Have Had Less Impact Than Expected

It may be that cyberwarfare is not as instantaneous, adaptive and all-intrusive as Hollywood has led the world to believe.

It may have taken Russian hackers a year to prepare the initial attacks and they had to be careful about blowback against Russian interests due to uncontrolled spread. Once the war started, as many as 100,000 IT experts fled Russia to avoid the war, limiting the supply of skilled techies. And cyberdefenses are more robust than initially thought. JL 

Lawrence Freedman reports in Comment Is Freed:

Compared with pre-war expectations cyber has had a limited impact. This is not because of lack of Russian effort. UK’s National Cyber Security Centre described the Russian cyber campaign to be ‘the most sustained and intensive on record.’ On 24 February, Russia ‘deployed more destructive malware than the rest of the world’s cyberpowers combined use in a given year.’ Russia have used a significant number of all the destructive malware variants known to exist. Cyberattacks' role was less impressive (because) it took a year to prepare initial attacks, it's not easy to switch cyberweapons from one target to another, there were Russian concerns about malware spreading, 10% of IT specialists left Russia in 2022 - and Ukraine was both prepared and had NATO help.

In discussions of contemporary war, including the current one between Russia and Ukraine, one can find many references to ‘kinetic warfare’. This is a term that entered the military lexicon quite recently. A kinetic war is normally described as one involving the use of lethal force, though that might be thought to be a natural feature of all wars and not just a special sort. This raises the interesting question of what might constitute a ‘non-kinetic war’. In this post I consider how this kinetic/non-kinetic dichotomy, and other developments in the language used to describe contemporary conflict reflect an attempt to find a place for activities which can be hostile and hurtful but not necessarily lethal alongside those which are unambiguously lethal. As the most prominent of these is cyberattacks I conclude with an assessment of their limited impact in the Russo-Ukraine war.

Military Language and Concepts

The language military professionals use to talk about war reflects their need to manage its inherent complexity and chaos, often cloaking naturally brutish and vicious activities in technical terminology, a role ‘kinetic’ performs. In this they are perhaps not different from other professions, for example medicine, where ways must also be found to discuss deeply unpleasant subjects dispassionately, without constantly dwelling on their full human meaning. The tranquilising effect of the language is not helped by the military propensity for acronyms, especially when referring to weapons systems, which can make conversations bewildering, especially for those who don’t know their ATACMS from their HIMARS (Army Tactical Missile System which can be fired from the High Mobility Artillery Rocket System).

By and large it has been possible to talk about the Russo-Ukraine war without resorting to the more arcane military terminology. While the detail of specific encounters may be hard to grasp the core challenges faced by both sides are not. The range and detail of the combat images available on social media has shown fighting resembling that of the world wars, including soldiers hiding in trenches as the shells come in or tanks trying to avoid mines as they cross fields, and often failing to do so.  Generals of earlier times viewing all of this would soon recognise what was going on and readily engage on such matters as the relative strength of the defence over the offence, the possibilities for manoeuvre and encirclement against the hard slog of attrition, and the vulnerability of supply lines to interdiction. They might note how the influence of the Prussian theorist Carl von Clausewitz (1780-1831) can still be felt in the discussion of decisive battles (the scale of the defeat necessary to persuade the enemy to give up), friction (why military operations rarely proceed as planned), centres of gravity (the point at which if you hit the enemy hard it is most likely to collapse), and the culminating point (when an army on the offensive becomes exhausted and can advance no further).

Where lasting innovation has come in military language it tends to be because of the impact of new types of weapons or modes of warfare. The most obvious example of this came with the arrival of nuclear weapons in 1945. This was a transformational moment as the focus shifted from fighting wars to deterring them, leading to the generation of a whole set of new concepts – such as ‘first and second strikes’ and ‘assured destruction.’ The language of deterrence and escalation is present as we try to work out where Putin has his red lines and how far he is prepared to go if he thinks they are being crossed.

The Digital Age

The same conceptual clarity has been lacking when discussing all those developments associated with the digital age. This has also been transformational but has yet to generate an accompanying and generally agreed framework for describing and evaluating its impact. This is in part because the changes have been incremental, not sudden and stark as with the atomic bombing of Hiroshima and Nagasaki in August 1945. The microchip was invented in the 1950s and the circuits printed upon them have become progressively more complex since. Computers have moved from performing basic calculations faster than humans to outthinking humans in a whole range of areas with the promise of more to come with the advance of artificial intelligence.

An additional factor is that digitisation, with its fast networks and ease of communication, is ubiquitous, promising greater efficiency in all human affairs, and not just warfare. One consequence of this ubiquity is that it creates new dependencies and so new vulnerabilities, as bad actors, from criminals to hostile states, see opportunities to disrupt and manipulate. This has opened the possibility of conducting conflict away from the battlefield, mounting ‘cyberattacks’, attacking societies directly rather than first having to defeat their armed forces.

A third issue is that digital age systems do not replace all that has gone before. They must work with the systems of the ‘industrial age’ - the platforms for carrying weapons and moving them to places where they can be fired to the greatest effect, such as artillery and tanks, aircraft and warships. The digital age systems do not so much replace those of the industrial age as render them more effective so that they can offer greater precision over longer-range, facilitated by the speed with which information about the operating environment, including enemy positions, can be gathered, assessed, and disseminated.

These developments were thrown into stark relief during the 1991 Gulf War leading to talk of a ‘revolution in military affairs’ but this soon appeared hyperbolic and premature, especially after 9/11 when the big fight was not against a ‘peer competitor’ but against ruthless terrorists. The big counterinsurgency campaigns in Iraq and Afghanistan drew attention to challenges quite different to those faced in conventional warfare against regular armies, requiring a sophisticated understanding of local politics and culture.

Then in 2014 the first Russian moves against Ukraine involved such a wide range of capabilities – from regular forces to sponsored militias to cyberhackers to social media propagandists – that it was no longer claimed that there was one capability central to modern warfare but that instead it involved the coming together of lots of different types of capabilities. The most popular adjective to capture this feature was ‘hybrid’. When this term was first introduced in 2006, with Israel’s fight against Hezbollah in the Lebanon in mind, it was about the combination of regular and irregular forces that was highlighted. Then it seemed as if the Russian leadership had developed a whole new theory of conflict around mixing and matching different capabilities. Although this claim was later judged to have been exaggerated, it was still the case that Russia was actively exploring the possibilities of attacks exploiting digital networks.

A variety of activities could be covered under this ‘cyber’ heading. They largely corresponded to familiar ‘behind the front lines’ activities - sabotage, propaganda, subversion, and espionage. As commonly discussed in the West, cyberattacks were closest to sabotage – interfering with administrative networks or power supplies – and propaganda – using social media to spread fake news and false narratives. From the Russian perspective subversion and espionage loomed large, both defensively and offensively, reflecting a view of the fragility of all socio-political systems including their own. Moscow was both convinced that Western governments were stirring up disaffected Russians and also that it could undermine these same governments by spreading alarm and despondency amongst their populations. These non-traditional forms of warfare seemed to appeal to Russia, because of their interest in finding ways of hurting others while still claiming innocence. Prior to 2022 it was often argued that it suited Russia better to work in this murky ‘grey zone’, avoiding both the risks of war and the rules of peace.

Hybrid and Multi-Domain

When this concern about a grey zone began to surface over the last decade, usually with reference to Iran and China as well as Russia, the point was not that the activities undertaken in this zone were non-violent, as in many cases they clearly were not. What was significant about them was that they could be undertaken covertly, or at least with some level of deniability, and, most importantly, that they could be sustained, possibly indefinitely, without spilling over into an open conflict that might escalate into all-out war. The UK’s 2021 Integrated Review stated that:

‘Technology will create new vulnerabilities to hostile activity and attack in domains such as cyberspace and space, notably including the spread of disinformation online. It will undermine social cohesion, community and national identity as individuals spend more time in a virtual world and as automation reshapes the labour market.’

In 2016 the European Union adopted its own definition of ‘hybrid threats’ (not quite war), which detached these various unconventional activities from standard military operations:

‘While definitions of hybrid threats vary and need to remain flexible to respond to their evolving nature, the concept aims to capture the mixture of coercive and subversive activity, conventional and unconventional methods (i.e. diplomatic, military, economic, technological), which can be used in a coordinated manner by state or non-state actors to achieve specific objectives while remaining below the threshold of formally declared warfare. There is usually an emphasis on exploiting the vulnerabilities of the target and on generating ambiguity to hinder decision-making processes. Massive disinformation campaigns, using social media to control the political narrative or to radicalise, recruit and direct proxy actors can be vehicles for hybrid threats.’

So ‘hybrid’ came to refer to all mischief-making in this grey zone, so long as it stayed below the threshold of full-scale war.

But it could also be seen in other phrases that have been used in recent decades to convey a more holistic approach in which the desired result requires bringing together a range of capabilities – ‘network-centric’, ‘effects-based’, ‘full spectrum’ and ‘multi-domain’. In discussing ‘multi-domain operations’ the US Army warned how:

‘China and Russia exploit the conditions of the operational environment to achieve their objectives without resorting to armed conflict by fracturing the U.S.’s alliances, partnerships, and resolve. They attempt to create stand-off through the integration of diplomatic and economic actions, unconventional and information warfare (social media, false narratives, cyber-attacks), and the actual or threatened employment of conventional forces. By creating instability within countries and alliances, China and Russia create political separation that results in strategic ambiguity reducing the speed of friendly recognition, decision, and reaction. Through these competitive actions, China and Russia believe they can achieve objectives below the threshold of armed conflict.’

This led to the argument that the United States should also be able to compete ‘in all domains short of conflict’, spanning the ‘competition continuum,’ although the Army’s own contribution on close examination looks a lot like a combination of traditional deterrence and war-fighting operations.

Some analysts argue that it might even be possible for the West’s enemies to gain some decisive advantage without ever having to resort to open warfare. Victory might be gained as computer networks crashed and collective minds were turned. Thus Richard Harknett and Max Smeets concluded in an article published a year ago:

‘Cyber operations and campaigns can be pivotal in world affairs by independently … supporting the maintenance or alteration of the balance of power … without having to resort to military violence.’ 

The idea that states or groups can consider themselves to be at war without actually engaging in acts of war is not new. It was once the case that war had a clear legal status. A war would start with a formal declaration, which would have implications for neutrals as well as the belligerents, and normally end with an equally formal cessation of hostilities and possibly a treaty, which would confirm who had won and lost. Somewhat ironically, when in 1928 states nobly agreed to renounce war as an act of policy those determined on aggression simply used other words to describe the situation – ‘incident’, ‘emergency’, ‘police action’, ‘intervention’ and so on. Putin is continuing in this tradition with his talk of a ‘special military operation’.

We have also become used to the possibility that the line between the states of peace and war can be blurred – that there can be periods of growing antagonism in which states seek to hurt each other without descending into full-scale violence. Such a condition might even involve low-level violence, for example border skirmishes and incursions, without further escalation. After all for 45 years international affairs was defined by a ‘Cold War’ between the US and Soviet led blocs.

When wars were declared this would lead to the start of ‘hostilities.’ In war as in peace there might be sabotage, propaganda, subversion, and espionage as well as economic measures and diplomacy, but these would now be ancillary to war’s most distinguishing feature - the use of purposive violence. What has happened over recent decades is that these ancillary activities have come to be seen as being as important, and, in some circumstances even more important, than the violence. They need to be attended to while a conflict is stuck in the grey zone and also after the transition into open war. To ensure this happens these activities have acquired their own institutional presence, and command structures. Much effort now goes into working out how all these activities can be properly coordinated so that they reinforce each other rather than work at cross purposes.

Kinetic and non-Kinetic War

This backdrop helps explain current references to ‘kinetic war.’

Kinetic energy is the energy of motion (from the Greek word kinesis which means motion). An object’s motion is a function of its mass and the force working on it, which gives it speed. More mass and velocity equate to more kinetic energy, which is released when one object collides with another object. This is obviously a feature of bullets, shells, rockets, bombs, and so on, once they have been shot, launched, or dropped. This is why a kinetic war refers to one dominated by the use of firepower to kill or wound people and destroy things.

In principle ‘kinetic’ is an unnecessary qualifier to ‘war’. It has come into use because of the spread of the idea that there might be wars that do not involve fighting. Other than that, it is not an obvious way to describe the normal, bloody business of warfare. It has the hallmarks of a euphemism, a way of describing war without mentioning its pain and horror. When the term first began to be noticed in 2002, Timothy Noah observed how it was objectionable to both doves and hawks.

‘To those who deplore or resist going to war, “kinetic” is unconscionably euphemistic, with antiseptic connotations derived from high-school physics and aesthetic ones traceable to the word’s frequent use by connoisseurs of modern dance. To those who celebrate war (or at least find it grimly necessary), “kinetic” fails to evoke the manly virtues of strength, fierceness, and bravery.’

The term is therefore interesting less because of what it describes but because it implies a different sort of war – non-kinetic – that achieves the objectives normally associated with war but without employing the normal methods.

What then is non-kinetic war? In physics, potential energy is stored within an object by virtue of its position relative to other objects. Only when they are acted upon to produce motion do they acquire kinetic energy.  So strictly speaking the proper contrast with kinetic warfare is potential or latent warfare, that is one for which preparations have been made and can be threatened. On this basis a very good example of non-kinetic warfare would be nuclear deterrence. The weapons do not have to be used to have an effect; the thought of the potential energy that might be released suffices.

In all of this we can see a possible meaning of non-kinetic war as referring to a struggle for advantage that might take place before the outbreak of full-scale war, except that it is quite specific. To make any sense of the term it must refer to a high-level of conflict that is essentially non-violent. It has been used to refer to the application of the softer forms of power, such as those aspects of counterinsurgency warfare intended to win over the ‘hearts and minds’ of the local population, for example by building roads, schools, and hospitals. But in counterinsurgency theory these soft measures still had to work with the harder forms of power. It was not an alternative to fighting the insurgents. To win hearts and minds it was also essential to keep people safe from being attacked and demonstrate that the enemy could be defeated.

The normal contrast is with cyberattacks and information campaigns. As we have seen these are now regularly highlighted as effective ways of damaging opponents and rivals in the grey zone while still having a vital complementary role to play once open war breaks out. These methods could only lead to a form of truly ‘non-kinetic’ war if in some way they meant that the enemy could be defeated without death and destruction. This has always seemed unlikely. If the effects were drastic, with transportation and energy systems crashing, or communities turned against each other, the effects would be extremely violent, in the same way that blockades or economic sanctions that truly bite cannot be considered truly non-violent because of their harmful effects on the target population.

In some recent discussions cyber weapons are presented as having serious benefits compared to the kinetic. One artillery shell can at best destroy one target and often many are needed to do so. The effects are permanent and cannot be reversed. To get greater effects a greater volume of shells will be needed, and there is then the risk of the stockpiles running out before the war aims can be achieved. By contrast cyber weapons can be used in the grey zone, and against many targets all at once, and they can be used over and over again. While they can do permanent damage their effects are often reversible. On the downside these effects are not always predictable and may be limited, and because they are often used covertly their meaning can be ambiguous to the victim.

Cyberattacks in the Current War

The current war provides us with an opportunity to evaluate the comparative merits of the kinetic and the cyber. Compared with pre-war expectations cyber has had a limited impact. But this is emphatically not because of a lack of Russian effort. The head of the UK’s National Cyber Security Centre has described the Russian cyber campaign to be ‘probably the most sustained and intensive…. on record.’ In the weeks before the war began a major effort was made to wipe out Ukrainian government networks, deleting data so that systems were unable to function. On 24 February, according to NATO, Russia ‘successfully deployed more destructive malware . . . than the rest of the world’s cyberpowers combined typically use in a given year.’ As of late June, Microsoft claimed to have detected ‘eight distinct malware programs—some wipers and some other forms of destructive malware—against 48 different Ukrainian agencies and enterprises.’ They have used a significant number of all the destructive malware variants known to exist.

The most important attack came one hour before Russian troops crossed the border, when the Viasat satellite communications network was disrupted by Russian military intelligence. Jon Bateman (whose detailed research on all aspects of this issue is invaluable) describes this as ‘the marquee cyber event of the war so far’. According to Viasat, Russian hackers launched a ‘targeted denial of service attack [that] made it difficult for many modems to remain online.’ They also executed ‘a ground-based network intrusion . . . to gain remote access to the trusted management segment’ of the network. There they issued ‘destructive commands’ to ‘a large number of residential modems simultaneously.’ Some equipment was quickly restored but Viasat had to ship tens of thousands of modems to replace those that stayed offline. Rescue came in the form of Starlink terminals, with levels of connectivity that have proved to be resilient.

The attack on Viasat was only one of a number of efforts to jam Ukrainian communications, interfering with links between the central command and front line soldiers. Once the initial offensives faltered this Russian effort lost its focus. Moreover, it was also struggling with the same problems that had afflicted its conventional military operations: underestimation of Ukrainian defences. There was soon an evident disconnect between the tempo of the Russian offensive and the Ukrainian counters, and the management of the sabotage, propaganda and intelligence-collecting operations, conducted by the spy agencies, the FSB and GRU. Despite the talk of hybrid operations, these were not well synchronised.

During 2022 there were 2,100 cyberattacks against Ukrainian organizations, of which some 600 were before the start of the war.  Of these more than 300 were against the security and defence sector, over 400 attacks against civil society (commercial, energy, financial, telecommunications and software sectors) with another 500 aimed at government groups. From September when Russia began a systematic campaign against Ukraine’s critical infrastructure, using missiles and kamikaze drones, this also became the focus of Russia’s cyber strikes. These included an unsuccessful effort aimed at an electrical substation that would have disrupted power for millions of Ukrainians. 

Despite the expectation that cyberattacks would play a major role the practice was therefore far less impressive. Why was this?

First, it takes time to prepare these attacks. It is necessary to get to know the target systems and infiltrate them (increasing the risk of detection as this is done). The Viasat attack might have taken a year of preparation. Nor is it that easy to switch the same cyber weapons from one target to another.

Second, when cyber weapons are effective it is not always easy to control their effects. There may have been some concern in Moscow about the political impact of malware spreading, although Moscow seems to be more relaxed in this regard now. In 2017 the NotPetya virus disabled some 500,000 computers in Ukraine alone, but also spread quickly, hitting Russia’s state-owned oil company Rosneft as well as badly hitting Maersk, the Danish shipping company.

Third, it is skilled work. The reported loss of up to 10 percent of IT specialists leaving Russia during 2022 and the demands of mobilization will not have helped.

Lastly, and most importantly, having suffered from these attacks from 2014 Ukraine had invested in security and resilience. With the help of governments and international companies it was able to cope. Cyfirma, a company advising on cyber security, explains what was done:

‘Many crucial services were transferred to data centers outside of the country, beyond the reach of Russian fires. Ukraine’s military, contrary to many Russian units, had prepared alternative means of communication. Amazon helped in developing cloud-based backups of essential government data, putting essentially the whole government “into a box”. Or more precisely suitcase-sized solid-state hard drives, called Snowball Edge units. Critical infrastructure and economic information, more than 10 million gigabytes of data, including information from 27 Ukrainian ministries, have been flown out the country and put into cloud.’

NATO provided access to its repository of known malware, Britain provided firewalls and forensic capabilities, the US pledged large but publicly undisclosed assistance, and the EU digital governance powerhouse Estonia offered help based on its long-term success in the digitalization of the economy. Western assistance did not stop with governments and militaries, though; besides the aforementioned help from Amazon, Microsoft alone pledged $400m in free help, being quickly followed by other companies from the industry, providing tools and know-how. Cyber officials have, however, noted that the cooperation has been far from one-sided. Marcus Willett, a former head of cyber issues for GCHQ, was quoted as stating that ‘…the Ukrainians taught the US and the UK more about Russian cyber-tactics than they learned from them.’

It is of course always unwise to generalise from one experience, although this was an area in which Russia supposedly excelled. It may well be that a cyber offensive mounted by the US and its allies would be more effective. As far as we know Russia has not suffered serious attacks, other than from the hacktivist group Anonymous which has run a crowdsourced campaign against Russia. They have hacked: printers to beat censorship by printing anti-government messages; hosting servers to attack Russian websites and services; Smart TVs, internet streams, news sites and TV channels to broadcast banned images and information about the war; and companies that still do business in Russia. The impact of these acts is unclear although the Kremlin can’t have been pleased, not least because it reveals their potential vulnerability to more sophisticated attacks from their enemies in the future.

The basic conclusion still must be that cyberattacks have yet to demonstrate the potential claimed for them. Where they have had an impact this has been in a supporting role. As noted, from last September they played a part in the attacks on Ukrainian civil infrastructure, along with missiles and drones. But it was the ‘kinetic’ missiles and drones that made it difficult for Ukraine to keep the lights on and people warm. Put crudely rather than trying to work out how to penetrate a network involved with energy transmission, which might turn out to have effective defences or backup, it was simpler to blast the electricity station. 

This war has been dominated by firepower, by systems that kill people and destroy things. That remains the main business of war, which other capabilities support but do not displace. I suspect that is why the term ‘kinetic’ is in vogue, because in its quasi-scientific simplicity it captures war’s core and inescapable character. But that is why it is also redundant. Kinetic war is not a distinctive type. It is all war.


