The illegal Russian invasion of Ukraine in February 2022 left the world aghast at the realization that decades of security stability in Europe have ended. The Westphalian system and a long-held faith in the decline of inter-state war have both been shattered. The real shock from Russia’s invasion, however, was the disproving of a widespread assumption that cyber war is the future of conflict. Tank battles and brutal urban combat have been witnessed at scale, and yet computer code has not made any major battlefield contribution. Could it be that the emperor has no clothes?
It’s cyber, stupid!
Ever since the RAND Corporation declared that “cyberwar is coming” in 1993, talking heads and policy wonks have argued that the cyber domain will rapidly reshape the future of war. Indeed, in recent times it’s been argued that the very nature of war is changing and that combat arms will be increasingly irrelevant, replaced by teams of gamers in uniform who can ‘turn off the lights in Moscow’ from a laptop. In February the Daily Telegraph even described cyber tools as a “second-strike capability for NATO”, implying they are second in impact only to nuclear weapons.
The cyber debate has inevitably shaped British thinking, demonstrated by decisions taken in the latest Strategic Defence and Security Review and with the founding of the National Cyber Force. In November 2021 the Prime Minister had a testy exchange with Tobias Ellwood MP about the future of British Defence strategy, in which he stated that:
“the old concept of fighting big tank battles on the European land mass are over … cyber — this is how warfare of the future is going to be.”
Amongst the morass of groupthink about cyber, a number of informed commentators have cast doubt. Ciaran Martin, former head of GCHQ’s National Cyber Security Centre and now a fellow of Oxford University, has long argued that cyber operations are mischaracterized as weapons of mass destruction when in fact they pose a different, more political threat of chronic disruption, destabilization and information operations. Such actions can be thought of as ‘cyber harassment’. Thomas Rid, author of the 2013 classic Cyber War Will Not Take Place, has also stressed that cyber capabilities are not like missiles and artillery, in that nothing is directly destroyed. In a military operation a cyber capability can have a disruptive impact, for example by degrading logistics through denial of computer systems, but these operations take significant time to develop and the adversary will eventually find ways to overcome the effect.
As Thomas Rid succinctly argues, “cyber-operations in wartime are not as useful as bombs and missiles when it comes to inflicting the maximum amount of physical and psychological damage on the enemy. An explosive charge is more likely to create long-term harm than malicious software.” Ultimately we need to start thinking about cyber as a tool in the commander’s arsenal instead of a battle-winning concept. Rid again provides measured clarity, writing that the online domain offers “digitally upgraded intelligence operations at the edge of war: espionage, sabotage, covert action and counterintelligence, full of deception and disinformation.” More statecraft than warfighting, then.
Ukraine as a cyber-sandbox
The Russian state and its aligned cyber actors are widely seen as world-class, so the 2022 Ukraine war provides an excellent opportunity to consider the impact of real-life cyber warfare. Since the annexation of Crimea and the seizure of Luhansk and the Donbas in 2014, Russian-aligned actors have launched many large and successful attacks on Ukraine. Most notably, in 2015 and 2016 cyberattacks against power plants left hundreds of thousands temporarily in the dark. When it comes to warfighting, however, these exploits are rarely useful due to the length of time required to develop an access and test it. Another Russian cyberattack, the NotPetya ransom-wiper, which targeted Ukrainian financial institutions but inadvertently spread worldwide, is an excellent example of the collateral damage that an under-tested cyber operation can cause. In a time of war, having a cyberattack leak to affect non-participating countries could quickly cause unwanted escalation and simply isn’t worth the risk.
Fast forward to February 2022: Russian forces were conducting pre-invasion staging and shaping operations. In the cyber domain, as expected, large attacks were launched against Ukraine. A significant denial-of-service attack downed the websites of Ukraine’s two largest banks and several government entities. Simultaneously, data-wiping malware was deployed against Ukraine’s financial, government, aviation and IT sectors. Clearly these attacks had an impact on the functioning of industry and likely propagated an element of fear and frustration within the civilian population. However, there are no reflections from Ukraine to suggest that the country couldn’t function after the attacks, and clearly the population remained resolute in their opposition to Russian aggression.
On 24th February, as Russia launched its decisive phase and attempted to seize Kyiv, hackers believed to be associated with the Russian GRU intelligence agency crippled a network run by US satellite internet firm Viasat. This caused a significant loss of communications to the Ukrainian military, police and intelligence community, who believed they’d established resilient communications via the use of satellite internet over fixed-line infrastructure. This can certainly be seen as a cyber-operation in support of warfighting objectives, ‘digital fires’ so to speak, and is typical of what we’d expect to see from combined arms doctrine. However, the Ukrainians were able to overcome the issue and eventually re-established connectivity, partly by leveraging Elon Musk’s Starlink constellation. This further demonstrates that cyber provides a disruptive effect but cannot be assumed to permanently deny adversary capabilities.
It’s more of a smoke screen than an airstrike.
Alongside the downing of satellite internet services, on 1st March a Russian missile strike against Kyiv’s TV Tower coincided with widespread destructive cyberattacks on Ukrainian media organizations, compounding the damage and ensuring maximum chaos. Based on these operations, which haven’t been widely seen in past conflicts, we see the combined arms effect that can be delivered by fusing the physical and virtual layers of warfighting. Additionally, Russia has suffered from cyberattacks vandalizing television broadcasts with pro-Ukraine messaging, and a huge data leak published the personal details of all Russian military personnel fighting in Ukraine, which no doubt created a psychological effect on the exposed individuals. Therefore, the real lesson from Ukraine for cyber is that it can offer powerful options for disruption and disinformation in both the near and deep spaces.
The reality of modern conflict
There are plenty of great Wavell Room articles outlining the initial military lessons from this war in Ukraine, but what’s clear is that conventional military capabilities are still required in both breadth and mass. Deep fires and missiles are essential for shaping the battlespace, and there needs to be an effective EW and ISR screen for intelligence and target acquisition. The Russians have done well with the former, and suffered from deficiencies in the latter, particularly in failing to identify Ukrainian air defenses and mobile artillery. Demonstrably, combined arms battlegroups of armor, armored recce and infantry are still important, and in the right numbers. The Russian experience shows that jets and attack helicopters are essential for supporting the Land component, given that where they lost air superiority the casualty rates were high. Underpinning the whole military force must be a resilient communications infrastructure with credible redundancy, lest the force resort to using unsecured push-to-talk and mobile phones, which Ukrainians have used to target Russian formations. Evidently, the violent and interactive nature of war has not disappeared.
But one war can’t dismiss cyber!
It’s true that the Russian invasion of Ukraine is only one example. Yet both countries have access to large cyber capabilities, and we would expect them to be used. Additionally, the preeminence of conventional arms over the digital domain has been demonstrated in numerous recent conflicts including the Azerbaijan-Armenia contest, where artillery, infantry and drones were supreme. What’s more, the Syrian war, which has involved multiple powerful state actors, is conspicuous for its absence of large-scale cyber warfare but presence of massive conventional battles. In the sub-threshold field Israel continues to check Iranian power using a range of effects, cyber included, but especially with precision airstrikes and Special Forces action, despite both countries having highly credible cyber forces.
Ultimately, cyber is a tool available to commanders in many theatres but is merely another weapon and should be considered as akin to information operations. Nearly 60 militaries have an avowed cyber capability and if it were a panacea we’d expect to see it used to devastating effect in conflict. It hasn’t been. That is why interpreting cyber as a golden bullet is to misunderstand the capability.
Cover image: Cyber Warrior, created by K_E_N
Adam is a Captain in the British Army with an intelligence background spanning electronic warfare, signals exploitation, and close support to the warfighter. He has worked with cyber units, the FVEY intelligence community, and has operational experience in Afghanistan.