Cyber, MacGyver, and the Limits of Covert Power
Published by The Lawfare Institute
Shortly after Russia invaded Ukraine at the end of February 2022, I received two separate messages from colleagues stranded on the tarmac at major mainland European airports. One was a very senior former British government adviser with extensive direct experience in global affairs. The other was an internationally renowned academic. They had separately reached the same conclusion: Russia’s much predicted cyberwar against the West had begun. Grounding Western commercial aircraft would be one of many ways the Kremlin would use its feared cyber arsenal to stop Western capitals from coming to the aid of Volodymyr Zelenskyy and his beleaguered nation.
This view was unexceptional among the British elite: A week later, the Sunday Times, Britain’s most influential weekly newspaper, published a long read entitled “How the Russians Could Paralyse Britain” via remote malware attacks. More significantly, Russia’s feared cyber capabilities were central to many predictions of a short war and easy Russian victory: One of many such predictions, from Chatham House, went as far as saying that Vladimir Putin could further his illegal objective of territorial conquest by cyberattacks alone and without a physical invasion. Plenty of other analysts, while not going this far, predicted cyber “shock and awe” that would degrade Ukraine’s ability and willingness to fight. General Mark Milley, chairman of the Joint Chiefs of Staff when the war broke out, told the New York Times in April this year that “for a while, we thought this would be a cyberwar.”
Had it been available at the time, I would have referred my correspondents and everyone else to Lennart Maschmeyer’s excellent new book “Subversion.” Maybe then my response—that their delay was likely caused by yet another information technology systems failure from an airline notorious for such problems—would have been immediately believed (it was confirmed by the company in subsequent days). More importantly, had Maschmeyer’s scholarship been more widely known in Western capitals, there may not have been such a profound misreading about the likely role cyber would, and would not, play in that brutal conflict both within Ukraine and beyond.
For several years, Maschmeyer has been at the fore of efforts by a small band of scholars to highlight the message that cyber power—albeit an important tool of modern statecraft for both authoritarian and democratic regimes—cannot do magic. This is not an easy professional choice. It goes against the grain of more than a decade of government bureaucracies “tooling up” on cyber capabilities and much talk of projecting “cyber power.” It is not always well received by those parts of a roughly $200 billion industry that have focused marketing on the more devastating end of the threat.
In 2013, this “cybergeddon” vision of modern conflict was famously and brilliantly called out by Thomas Rid in his classic “Cyber War Will Not Take Place,” the first major work to take on the overestimation of cyber capabilities in conflict and interstate rivalry. “Subversion” is a worthy addition to the library of cyber realism (though analytically very different from, and occasionally in conflict with, Rid’s work). Interestingly, it is framed not as a cyber book but as a study of subversion in general. As a construct, this works more often than not, but Maschmeyer’s real insight is that rather than make subversion easier and cheaper as many originally thought, cyber operations not only face the same limits as traditional methods of subversion but also are often less effective than those older methods and sometimes carry more escalatory risks. So if one of the aims of subversion is to avoid escalation to full-scale military conflict, cyber operations are generally an ineffective way of executing it.
Maschmeyer’s thesis is built around his earlier model of a “subversive trilemma.” A subversion operation faces trade-offs among speed, intensity, and control. Often, only two of these can be achieved, usually at the expense of the third. With cyber operations, speed is often a constraint: Maschmeyer forensically dissects many of the best-known Russian cyber operations against Ukraine before the 2022 invasion, such as the two operations against the Ukrainian energy sector in 2015 and 2016. He shows they required enormous effort to achieve very limited impact. In other cases, such as the infamous NotPetya operation of 2017, control was the key limitation: That event caused, by mistake, an estimated $10 billion of economic damage globally.
Conversely, Maschmeyer reminds us that Russia undertook physical sabotage operations against Ukrainian infrastructure long before the full-scale invasion. One such operation, the destruction of an ammunition depot in 2017, had a much greater impact than any of the many cyber operations over the same period. And it was perpetrated using a toolkit so basic it was one “of which MacGyver would have been proud,” to quote Maschmeyer’s colorful phrase.
With the admittedly huge exception of the Crimea operation, Russia’s “hybrid war” against Ukraine between 2013 and 2022 was a failure, and the cyber part of it was particularly ineffective. As Maschmeyer shows, citizens’ trust in the government of Ukraine increased over these years, and two successive presidents gradually moved the country further away from Moscow’s orbit. Russia’s response to this failure was a full-scale invasion, prompting, among many other things, global trepidation about the world’s first cyberwar.
Maschmeyer sifts through the (available) facts of the cyber dimension to the conflict. He analyzes several key areas of Russia’s post-invasion cyber operations: psychological and economic warfare campaigns, critical infrastructure sabotage, and attempts to gain advantages on the battlefield. In all categories, the cyber dimension significantly undershot Kremlin objectives, even if it was never entirely irrelevant.
Controversially, Maschmeyer takes a cautious view of the impact of the famous hack of the Viasat satellite communications system at the start of the war, having been assured by senior Ukrainian officials that the military commanders dependent on this system had other ways of communicating. (Other experts hotly dispute this and believe the Viasat attack had a significant impact.) He chronicles the failed attempts by the same aggressors who attacked the power facilities in 2015 and 2016 to repeat those lengthy efforts on a short time scale. Overall, as he writes: “[C]yber war did not happen, yet cyber operations became a key dimension of the conflict,” most significantly in the field of intelligence gathering.
Maschmeyer’s text, while generally excellent, has its drawbacks. It is constructed as a general theory of subversion, but it is more compelling in its takedown of hype around cyber power than it is in welding this groundbreaking bit of analysis into a more general theory beyond the digital domain.
Of the three case studies on which the book rests, two—a chapter on Russia’s cyber aggression against Ukraine from the annexation of Crimea and another on the post-invasion cyber campaign—represent different parts of the most sustained cyber operations campaign ever inflicted on one state by another, making these cases the most obvious ones to analyze.
The third, however, from the pre-digital age, is the Soviets’ response to the Prague Spring in 1968. Here, Maschmeyer convincingly demonstrates that his trilemma applied: The Soviets tried to avoid invading Czechoslovakia through a campaign of subversion, but speed and intensity were delivered at the expense of control, and they failed miserably to dislodge Alexander Dubcek or alter his course of action. So, much as in 2022 after the failure of “hybrid warfare,” when Soviet subversion failed in 1968, the tanks rolled in. Interestingly, at that point subversion did work, yielding a “do not resist” order from the pro-Moscow Czech defense minister.
In terms of the book’s argument, this is so far, so good. But in terms of proving a general theory of subversion beyond the cyber domain, this single case is not analyzed in detail alongside, for example, the contemporaneous subversive efforts by the United States in Latin America and elsewhere. In such cases, many would no doubt argue that Washington’s tactics often overcame the limitations of Maschmeyer’s trilemma and achieved their policy goals, including, frequently, regime change. (There is a counterargument, and one that Maschmeyer is capable of making, but he does not do so in this book.) Indeed, with his brief analysis of the Crimea operation, he reminds us that traditional subversion can be highly effective.
So the primary, but still enormous, value of this book is its analysis of the limitations of cyber power. Many will object to the firehose of cold water he douses on much of the hype around cyberwar as played out in Eastern Europe over a decade and counting. These arguments are well-trodden ground, and they center on unprovable assertions that the most effective subversive cyber operations will never be known, or at least not for a long time, or that other powers could align cyber operations with a military campaign more effectively than Russia has managed.
Here, Maschmeyer’s book is more nuanced than the summaries of his (and others’) arguments that are written as part of a hotly contested debate. For example, his meticulous research shows that Ukraine’s improvement of its cyber defenses, aided by the West, mattered in blunting the effectiveness of Russia’s operations. (One early attack, in 2014, against the country’s Electoral Commission, failed because the organization had good backups, but a 2017 cyber operation against Kyiv’s weakly protected Finance Ministry caused significant disruption to social security payments and thus could be classified as a success for Russia’s cyber aggressors.)
This is a genuinely important book. That’s because a generation of policymakers and opinion formers have been conditioned to think of cyber capabilities—both those pointed against them and their own—as immediately available, low-risk, easy-to-use tools that can deliver decisive and—if you want—deniable impact against a range of targets. They are often none of these and rarely, if ever, all of them at the same time.
Bad cyber mythology really matters: It shifts defensive resources away from the real cyber harms of software disruption of important organizations or large-scale data loss. And crucially, it also deludes government strategists into believing that clever computer code is an easy substitute for hard-power capabilities to achieve objectives cheaply and painlessly. A few months before Russia crossed Ukraine’s borders, then-British Prime Minister Boris Johnson infamously argued in Parliament that “the era of big tank battles on the European landmass are over” and that the British Army could comfortably be reduced to a size not seen since the Napoleonic Wars because “we are investing … in [high-tech weapons], and cyber.” Maschmeyer has done a public service with his meticulously researched and extensively evidenced debunking of such nonsense.