The Biggest Cyber Risk in Ukraine?

Just as many military experts predicted that a Russian invasion of Ukraine would be quick and decisive, so many cyber-experts expected that Moscow would fortify its conventional onslaught with a devastating cyberattack. Ukrainian forces would be blinded, critical infrastructure broken, and Russian disinformation rampant. But just as the military experts have been surprised by Russia’s stalled invasion, so have the cyber-experts by the lack of major digital attacks. In the first few days of conflict, cyber-operations seem to be more fizzle than bang.

Some Russian cyber-activity has been discovered, but it seems to have done little to invigorate the Russian military campaign or hinder the Ukrainian response. In the run-up to the invasion, Russia launched wiper malware attacks, which deleted data from computers at Ukrainian government agencies. Russia also appears to have conducted some distributed denial-of-service attacks, which bombarded websites with so much information they became paralyzed, and a series of cybernetwork exploitation attempts on Ukrainian government and military systems. But Ukrainian air defense and aircraft didn’t appear to be affected by cyber-disruptions, and there are no reports of critical infrastructure damage from cyberattacks. Even the Internet seems to be up and running in Ukraine.

Why the apparent restraint? It is almost impossible to know exactly why (or if) the Russians have indeed held back. Perhaps cyber-operations have been attempted and failed; perhaps Russian President Vladimir Putin has held his cyber-capabilities in reserve, saving them for later. Or maybe cyber-operations have taken place, but their effect—which is often virtual and not clearly attributed—will take longer to materialize.

What is known is that the conflict is far from over, and the next question becomes whether cyber-operations could play a larger role as the war turns more violent. It is likely that the next stage of conflict will more than ever be defined by planes, tanks, artillery, and soldiers. It seems unlikely, given the amount of indiscriminate damage currently being inflicted by Russia, that cyber-operations will escalate the violence of the campaign within Ukraine. That said, could cyber-operations lead to horizontal escalation, drawing NATO into the fight, for example? Or, given that the United States and Russia are the world’s largest nuclear powers, could cyber-operations escalate to the worst possible outcome—nuclear war? Recent wargaming research suggests that cyber-exploits into nuclear command and control may be enticing for states looking to neutralize a nuclear escalation threat in the midst of a conventional war, and that actors may underestimate the danger of these exploits and vulnerabilities to nuclear stability.

GETTING PULLED IN

One way cyber-operations could lead to escalation is by pulling the United States or NATO into the conflict. Mark Warner, the Democratic senator from Virginia, warned in late February that potential Russian cyberattacks on critical infrastructure in Ukraine could have accidental spillover effects on NATO countries—for instance if a Russian cyberattack on Ukrainian energy infrastructure caused an outage in a NATO neighbor like Poland. This could inadvertently trip Article 5 of NATO’s founding treaty, which states that an armed attack against one member state will be considered an attack against them all. This would be uncharted waters for NATO, which only recently publicly stated that cyberattacks might invoke Article 5 and is still ambiguous about what types of cyberattack—which range from virtual outages to data manipulations to physical damage (in extremely rare circumstances)—might be serious enough for NATO to respond with conventional retaliation.

The Biden administration has warned that the United States would respond to cyberattacks on U.S. critical infrastructure, such as the country’s electrical grid or water supply (although officials stopped short of saying how the United States would respond). So far, the United States has answered previous cyberattacks with either sanctions, law enforcement actions, or the confiscation of cryptoassets. None of these options seem likely to deter Putin at this point, and so the Biden administration may find itself in an unprecedented position of having few credible options to threaten Russia. It is certainly possible that Putin, facing a conventional war that he thinks he might lose, could attack critical infrastructure in the United States or other NATO countries in the hope that their citizens will push their governments to abandon Ukraine. The financial sector, in particular, would seem to be a logical target for Russian cyberattacks, given the damage that Western economic actions have already done to the Russian economy.

It is difficult to create widespread and long-lasting effects with cyberattacks, however, and the financial sector is the best equipped and most advanced cyber-defender in the world. Plus, research I’ve conducted with Sarah Kreps, director of the Cornell Tech Policy Lab, finds that the American public views cyberattacks as qualitatively different from conventional means of warfare—more akin to economic sanctions than bombs. Thus, cyberattacks are unlikely to provoke the kind of retaliation or emotional response that would pull the United States or its NATO allies into a war with Russia. What’s more, the United States can probably withstand the short-term damage to critical infrastructure that a Russian cyberattack might create, and such attacks might actually increase resolve to support Ukraine. This means a deliberate choice by Russia to use cyberattacks against the United States or NATO to “escalate to dominate”—deliberately ratcheting up the pressure to force Washington to back off—would likely fail.

A more troubling scenario involves accidental escalation from cyber-operations—that is, when critical infrastructure is unintentionally damaged by a cyberattack or when a cyberattack is misattributed to Russia (or the United States). This is especially dangerous for civilian infrastructure that also serves military or security purposes—for example, harming a refugee train by using a cyberattack targeting railroads also used to move troops and supplies to the front. Plus, a jumble of actors has jumped into this space, from criminal syndicates to cyber-militias to hacker collectives such as Anonymous. That increases the chances that one of these players will target civilian infrastructure, and misattribution to either Russia or the United States could needlessly trigger retaliation.

WHEN CYBER GOES NUCLEAR

By far the most dangerous form of escalation is the possibility that a cyber-operation increases the likelihood of nuclear war. How likely is such a scenario? No one may know if Russia has a cyberweapon that can target nuclear weapons (or, for that matter, whether the United States does), but there are theories and some data about how the cyber-realm might affect nuclear stability.

American policymakers have generally recognized that attempting to interfere with nuclear command, control, and communications could lead to dangerous incentives for states to launch nuclear weapons preemptively. Threats to nuclear command and control, for example, could leave states so fearful about their second-strike capability (the ability to launch a nuclear weapon in retaliation against an attacker) that in the midst of a conflict they would feel compelled to use nuclear weapons preemptively. Some scholars have warned that attacks against nuclear command-and-control systems could make it impossible to control nuclear war and keep it limited, leading to inadvertent nuclear Armageddon. Despite these fears about the dangers of attacking nuclear command and control, there was never an agreement between the United States and the Soviet Union (and subsequently Russia) to not attack each other’s nuclear command, control, and communications.

Would Russia, or even the United States and its allies, launch a cyberattack against an enemy’s nuclear command-and-control system if they could? And how might that capability affect nuclear instability? Beginning in 2017, my team at the Naval War College and the Hoover Institution ran a wargame that explored this very question. It took place over three years and included 580 players from across the world—predominantly nuclear, cyber, and military experts ranging from former heads of state to military officers to industry leaders. In our simulations, we found that teams who were told they possessed cyber-exploits against nuclear command-and-control systems overwhelmingly used them. Because cyber-operations can be denied and are covert and virtual, players appeared to believe that they did not pose too great a risk of escalation. The tools seemed too valuable not to use, especially because they have a quick expiration date, with vulnerabilities quickly patched once discovered.

Cyber-operations could pull the United States or NATO into the conflict.

Perhaps more worrying, teams that were told they had these exploits were more likely to launch conventional campaigns of air, naval, and special operations strikes against the adversary’s nuclear force—a dangerous road to nuclear escalation. At the same time, teams that were told their nuclear command-and-control systems were vulnerable to a cyberattack often responded by pre-delegating launch authority to lower echelons and in some cases relying on automation or artificial intelligence to launch on warning. All of these actions only increase the chance of accident or inadvertent escalation from cyber to nuclear use.

These were actions players took in a hypothetical wargame between “our county” and “other country,” so they don’t predict the outcome between the United States and Russia in today’s crisis. But they reveal patterns of behaviors and motivations—pathways to escalation—that the United States and Russia need to avoid in order to limit nuclear escalation.

One way to avoid this type of escalation is resilience. When societies can withstand cyberattacks on critical infrastructure, their adversaries are less likely to attack in the first place. If the attack is going to have little effect, why launch it in the first place? The courage being displayed by Ukrainians to survive, to fight, and to make war costly for Putin is an exemplar about how resilience in any domain makes a society more survivable. The same is true for resilient nuclear weapons and command-and-control systems, which make states more confident in their second-strike capability. They are then less likely to find themselves vulnerable to counterforce campaigns and less tempted to launch their own preemptive nuclear attacks.

Finally, one lesson from wargaming is that player “type” matters—for whether cyber leads to escalation and whether crises escalate in general. In our games, the vast majority of players chose not to use nuclear weapons. But, a minority of players were going to escalate in the game no matter what capabilities or vulnerabilities we gave them. As Putin’s veiled nuclear threats and risk-taking behavior in Ukraine suggest, there is only so much a country can do in the face of such an enemy, and there are plenty of non-cyber pathways to escalation.