Cyberspace and War in Ukraine: Prepare for Worse

Some observers have noted the absence of major cyber incidents during Russia’s invasion of Ukraine. The situation does not afford complacency, however. Despite the few breakdowns—so far—in cyberspace beyond Ukraine, their risk has increased rather than diminished. The apparent lull in international cyber activity related to the war is likely illusory; it portends a deterioration in the security of computer systems and networks in Russia and in the nations that sanctioned it or armed Ukraine. Below we explain why.

The central premise of our argument is that Russia and NATO member states will want to avoid a direct military clash at nearly all costs (Putin’s desire to protect his regime from imminent collapse might be an exception). If anything, the tragedies of the war in Ukraine reveal the enormous economic and human costs of conventional battles involving the Russian military behemoth. Although the risk of an accidental or unwanted war between Russia and NATO is always present and has increased, both sides will want to reduce it. That is how to interpret Russian President Vladimir Putin’s recent allusion to nuclear war: He rattled the atom in order not to have to use it. Similarly, President Joe Biden’s warning about the certainty of “World War 3” if Russia attacked NATO was a rhetorical device to reduce its chances. Both sides have signaled that they wish to avoid an epochal war among them; they threaten it in order not to fight it. This is conventional deterrence thinking at its finest. Familiar red lines are reinforced so that all sides can see them plainly amid the crisis.

Far less clear are the lines of response to offensive cyber activity within the realm of “unpeace”: actions that are not physically violent or fatal like war but whose harmful effects on national security are too great to be considered normal peacetime competition. The line between unpeace and war is clear because the boundary of war is easily recognizable. The lower line between unpeace and peace, however, is largely unclear; nations have not painted it, although many Western states seem to assume that existing international laws and norms of restraint apply to forms of conflict less than war.

War in Ukraine will present Western nations with response dilemmas in cyberspace. One concern is the risk of breakdowns in Western cyberspace: It has risen dramatically owing to the intense economic and diplomatic showdown with Moscow (as Lucas Kello warned in a speech at U.S. Cyber Command on March 10). Our logic here is simple: There is an implied symmetry between, on the one side, the effects of economic and financial sanctions against the Russian economy and financial sector and, on the other, the effects of cyberattacks against economic and financial targets in the sanctioning nations.

A large coalition of Western and Western-aligned states (such as Japan and South Korea) have levied economic and financial sanctions against Russia. The country is now possibly the most heavily sanctioned nation in the world—even more so than North Korea under the reclusive Kim Jong Un’s rule. The sanctions go far beyond the targeted financial penalties that the U.S. Treasury Department has applied to individuals and organizations such as the Russian Internet Research Agency, which it deemed responsible for previous hacking activities, or those imposed after the SolarWinds incident. They far surpass, too, the scope and effects of the United Kingdom’s diplomatic and financial penalties in response to the Russian Main Intelligence Directorate’s (GRU) poisoning operation (with the banned chemical agent novichok) against its former agent Sergei Skripal in Salisbury in 2018. The current sanctions regime against Russia is particularly potent because it has included an extraordinary freeze on central bank assets and the expulsion of some of Russia’s largest banks from the global interbank payments system, SWIFT. Hundreds of multinational and mostly Western companies have exited the Russian market or suspended their operations there. The ruble has undergone dramatic price drops not seen since the 1998 financial crisis, which has inflicted economic pain on the general Russian population. The net result of these economic dislocations is an expected drop in Russian gross domestic product of 15 percent in 2022—a decline that would reduce the Russian economy to its size in 2007 at current prices. 

Against the backdrop of Russia’s economic meltdown, the Kremlin’s retaliatory options within the diplomatic and economic realms are limited. Russia has so far responded, among other measures, with a ban on ruble loans to citizens of “unfriendly” states, closed its domestic airspace to Western airplanes and demanded payment for Russian gas in rubles. These punitive instruments have not hit very hard—if only because Russia’s strongest measure, the closing of oil and gas exports to Europe and North America, would severely curtail its remaining source of hard currency (hence why Russia has avoided this measure). The United States, the United Kingdom, the European Union and other Western players can wield the potent club of economic sanctions because of their dominant position within the global financial system (for example, the role of the dollar, the pound and the euro as world reserve currencies). Russia does not enjoy such a position of dominance; it will seek punitive options elsewhere.

Cyberspace offers attractive alternative options. Hackers and security planners in Moscow must be assessing how to mirror some of the sanctions’ economic and financial effects through disruptions in Western cyberspace. Scenarios are not hard to imagine. They include, for example, an interruption of computers that support stock trading at the NASDAQ or the London Stock Exchange (the Moscow Exchange index has lost almost 50 percent of its value since its February high); the processing of payments at SWIFT (from which Russian banks were recently ejected); or the data servers of JPMorgan Chase, Deutsche Bank and other banks that have dialed down their Russian operations.

Then there are the asymmetric options: acts of unpeace whose effects transcend the economic realm without crossing the lines of war. Forensic evidence shows that Russia has burrowed itself deeply within key U.S. networks. The intelligence community’s 2022 Annual Threat Assessment cautioned that Russia was honing its ability to target underwater cables and industrial control systems. Reports of Russian GRU hackers penetrating the U.S. electrical grid are commonplace. Perhaps the clearest indication of the growing risk of breakdowns in cyberspace was President Biden’s public warning on March 21 that the West should expect them.

But that is not all. Beyond the intentional effects of Russian cyberattacks are their unintentional effects. During a military invasion that appears to be failing on many fronts, Russian cyber operations are likely to be at least as brazen and indiscriminate as in the past. An illustrative case is the “NotPetya” wiper malware that the GRU unleashed upon Ukrainian businesses in 2017 but whose cascading effects disrupted commercial operations in many countries (notably interrupting the activities of the global shipping giant Maersk). A more recent example is the hack (likely by Russian state agents) of Viasat, a U.S. satellite internet provider used by the Ukrainian military and police. What is particularly significant is that the operation’s effects, like NotPetya’s, spread far beyond Ukraine. It affected thousands of wind turbines in Germany—which are still not fully operational—and disconnected tens of thousands of European internet users. 

There is also the case of Finland and Sweden. Russia’s invasion of Ukraine is driving the two traditionally neutral states firmly toward NATO membership. They will face a period of critical vulnerability spanning their formal request for accession (which is expected in the coming months) and their actual accession (which requires ratification among the alliance’s 30 member states). Russia’s motives to disrupt the joiners’ information space will rise even as collective defense guarantees to protect them are still being worked out.

If and when these scenarios (or their variants) materialize, the history of cyber conflict suggests that the United States and its partners will struggle to mount a forceful response. Although they often promised to respond decisively, they traditionally failed to do so. Rather, Western nations—in particular, the United States—have been risk averse in their reactions. Officials are wary of responding in kind for fear of engaging in escalating tit-for-tat cyber exchanges in a domain marked by an inherent potential for collateral damage and blowback. 

More broadly, officials struggle to interpret the legal vagaries of unpeaceful conflict—where are its red or “pink” lines?—which delays decision-making in the aftermath of major incidents. Hence they struggle to figure out how to impose costs outside of cyberspace for actions within it. In the current crisis, Western nations are fast running out of those options. The sanctions box of penalties is almost exhausted. At any rate, it is not clear that imposing them without communicating clear criteria for their lifting is an effective punishment tool (as Daniel Drezner argued). Moreover, levying sanctions for cyber activity while simultaneously imposing them for military activity risks muddling the signaling to Moscow. Where exactly, flustered Kremlin analysts might wonder, are the response thresholds for different conflict domains? 

Therefrom arises another policy dilemma: whether to relax the reluctance to impose costs within Russian cyberspace. With the sanctions toolbox emptying and the aversion to direct military measures prevailing, a viable pathway to affect Russian interests—whether in response to future cyberattacks or events on the ground—might be found in cyberspace. 

An intensification of conflict in cyberspace will likely require a reduction of risk aversion in the response calculus. Western nations should not reinforce the perception in Moscow that missile strikes in Kyiv are unacceptable but the interruption of banking operations in Manhattan or Frankfurt is tolerable—a perception that far predates the Ukraine war and which has lived too long. And not just the hawks in Moscow will be watching. Observers in other capitals such as Beijing or Tehran will also bear witness. Western officials will want to teach them that computer breakdowns back home will elicit unacceptable penalties.

More than ever before in the history of cyber conflict, the United States and its partners—long reluctant cyber warriors—might find cyber operations a more attractive option for strategic action abroad. Examples are not hard to conjure. Similar to past actions by U.S. Cyber Command, the operations might involve takedowns of servers of Russian information warfare outfits and hacking units (like within the GRU) or the disruption of criminal ransomware groups (which have recently shifted their resources toward patriotic activities). More boldly, they might entail the interruption of computer networks that support Russian financial or commercial operations that circumvent sanctions.

In sum, the absence of breakdowns in cyberspace likely marks a period of false stability. After Nazi Germany invaded Poland in 1939, it took eight months—the “phony war” period—for conflict to break out in earnest on the Western front. Unlike 1939, the current prospect of direct war involving large nations is low. But we expect that, like then, the conflict will eventually spread to other fronts. The common desire to avoid a direct war on the ground has increased the risk of lesser but still consequential conflict in cyberspace (although unprecedented warnings and multiple CISA alerts, such as this one, about sophisticated attack tools could already be having a deterring effect). After the aggressor shifts its focus from immediate tactical objectives to broader strategic gains, it may want to pursue them there. The Ukraine war will probably shape the next chapters in the annals of cyber conflict. Western security planners should be active authors in the saga. Beyond shoring up defenses, they should prepare their responses now.