Cyberspace has moved from the realm of political competition to a domain permanently involved in warfare—a battlefield on which actors generate combat power to combine with forces in other domains. Theorists have speculated on the nature of cyber warfare and how it will affect future wars, but the 2022 Russian invasion of Ukraine provides an important look into how cyber operations actually integrate into a conventional war. Any conflict’s particular belligerents and circumstances limit what general principles can be inferred—in this case, questions about how destructive cyber can be. Analysis of the Russia-Ukraine war reveals some intriguing ideas that counter many popular arguments and even military doctrine. Perhaps most surprising, in light of prewar expectations, offensive operations have not dominated within the cyber domain.
Regional wars have long served as proving grounds for new technology. The 1904–05 Russo-Japanese War provided the world its first look at combat with newly developed machine guns and artillery.1 Some of the lessons from that conflict set the stage for World War I. Likewise, Nazi Germany explored different uses for air power in the Spanish Civil War and developed techniques for air-ground integration that later supported their Blitzkrieg into France.2
Today’s Russia-Ukraine war affords the first observable case of cyber effects employed alongside large-scale conventional forces. In light of this, theorists should set aside their preconceptions and treat the trends rising from the current conflict as indicators of the role cyber operations might play in future wars. The war suggests new possibilities about the characteristics of cyber warfare: In particular, it appears cyber warfare is not offense dominant and instead functions better as an intelligence-gathering domain.
Indications and Warning
To understand Russia’s cyber actions during its invasion of Ukraine, one must first understand its goal: to rapidly seize Ukraine and establish a buffer state between Russia’s western border and NATO.3 It intended to accomplish this by quickly capturing the capital, Kyiv, and most major population centers. Based on Russia’s behavior in the 2014 annexation of Crimea, it would then have used its control to confuse the Ukrainian population with disinformation while disabling internal communications.4 This confusion would have allowed it time to force the capitulation of the Zelensky government and establish a puppet regime in its place, thus providing the desired friendly barrier. The plan relied on speed and confusion.
As the indications of the pending invasion mounted in early 2022, most military and cyber professionals expected Russia’s cyber forces to black out communications, cause rampant confusion, and disable Ukrainian infrastructure. In 2014, Russia cut off the information flow to and from Crimea. This lasted long enough for Russia to establish control while simultaneously flooding the global news cycle with enough disinformation to obscure its actions and delay international backlash. In addition, because Russia has long targeted civilian infrastructure as a means of coercion, most theorists assumed it would use cyber to contribute to this tactic in the present war. However, more than two years after the invasion, Russian cyber forces so far have failed to contribute any significant strategic gains.
Though Russia’s cyber operations have not taken the form most envisioned, they have nevertheless set a new standard for the scale of wartime cyberattacks. Starting at the beginning of 2022, Russia ramped up what can best be described as cyber shaping operations.6 In conjunction with the start of the invasion, it launched an extraordinary torrent of cyberattacks against Ukraine. Cyber forces hacked Viasat, the primary Ukrainian internet provider, and blocked large swathes of the country’s communications and government websites.7 Members of the Ukrainian military reported that tactical military communications were down for almost two weeks at the beginning of the war.8
The months following the initial invasion tell a more complete story. By mid-April, Russia’s offensive cyber operations had fallen to a fraction of the initial effort.9 And the ones it executed have raised several questions about its capability, the most important being: Is Russia able to conduct real-time cyber targeting and widespread destructive cyberattacks? If so, why has it not?
To extract any lessons about future cyber warfare from the conflict requires understanding several factors regarding observed—and absent—cyber operations. First, Russia primarily views cyberspace and cyber warfare as a domain of information warfare and houses the majority of its cyber capability in its intelligence community.10 In contrast, its conventional military forces traditionally do not practice a precise, intelligence-driven form of warfare.11 Combine a highly proficient but suspicious intelligence community with a military that prioritizes overwhelming force and the result has been a lack of cyber integration into military operations. Some other possible explanations for this include a fear of expanding the war, a desire to create the greatest possible effects from these single-use weapons, and the lack of military success for Russia’s most practiced cyber weapon: disinformation.13
As in all wars, the enemy gets its proverbial vote, and Ukraine has “voted” since 2014 to harden itself against Russian cyberattacks. It sought help from powerful cyber actors, including the United States and the United Kingdom. It created a culture of cyber best practices through which it has implemented the type of basic internet security advice the rest of the world largely ignores.14 Finally, Ukraine exhibited creativity on the battlefield, improvising with myriad internet connection options to maintain communications and coordinate resistance.15
Lessons to Be Learned
Cyber has long been thought of as an arena with a low barrier to entry and low cost that would allow for limitless augmentation of conventional operations. The large number of peacetime cyber actors led to expectations of a high volume of cyberattacks during wartime. But this has not been observed in Ukraine.16 The significant decline in cyberattacks over time demonstrates that cyber weapons do not have unlimited magazines.17 With these ideas firmly in mind, lessons from the Russia-Ukraine war can be extracted without mistaking the characteristics of the present actors for the character of future cyber wars.
The first observation is the pivotal role private technology companies have played. Starlink is the most famous example. The company started providing internet service only days after the Russian invasion, allowing the Ukrainians to communicate and control unmanned assets.18 Microsoft, Google, and Amazon also provided aid, with one Ukrainian official crediting Amazon Web Services with saving Ukraine’s digital infrastructure.19 The advantages these partnerships afford can be vital, providing essential services and supplementing military, economic, and governmental functions. In principle, partnerships with key companies could be available to either side, so relationships determine who gets access. They reflect the typical military definition of key terrain in the physical realm; and while the U.S. military has made initial attempts to define key terrain in cyberspace, they have so far proved insufficient.20
Next, theorists have long debated whether cyberspace is a domain of warfighting or intelligence gathering. This war shows that cyberspace is undeniably a domain of intelligence—regardless of its role in warfighting.21 Though offensive Russian cyberattacks slowed significantly after the initial invasion, use of cyberspace to gather intelligence only increased.22 Furthermore, Russia has far more intelligence capability in cyberspace through its Federal Security Service and Foreign Intelligence Service than it does destructive capability in its military intelligence wing, the Main Intelligence Directorate, or GRU, which has directed the majority of cyberattacks in Ukraine.23 The disproportionate investment and the wartime redirection of cyber operations toward intelligence gathering show where Russia perceives the value to lie—and thus the nature of the domain itself.
Cyber effects that have been successfully integrated into military operations generally overlap with highly specialized and intelligence-reliant operations, although this trend is not evident in the current war except by contrast. In the first year, Russia’s military operated largely devoid of accurate intelligence. But its 2014 military operations show the immense value of cyber effects. Russia’s annexation of Crimea demonstrated that a relatively small number of soldiers paired with the confusion wrought by cyber forces could achieve significant results.24
The 2022 invasion has shown that Russia’s cyber forces were insufficient to keep pace with the operational tempo of its conventional forces.25 They were adequate for peacetime competition and internal information control, but when asked to surge to meet the urgencies of war, they struggled. This also has applied to proxies; Russia often uses organized crime to perform cyber operations, but the command and communication structures required to control organized crime during peaceful competition are much looser than those required to integrate them with military forces in a conventional war. Before the invasion, it was thought that in a protracted conflict, cyberattacks would increase because proxies would have time to understand government objectives and align their actions.26 However, the evident breakdown in integration and alignment with strategic goals indicates that the stress of a drawn-out war hurts loose cyber command relationships rather than benefiting them.27
The Unknown Unknown
Among the unexpected trends the Russian invasion has revealed, possibly the most surprising is that offensive cyber operations have not dominated.28 Prewar forecasts were based on the fact that the internet was built largely without security in mind, leaving it riddled with vulnerabilities that garnered a lot of peacetime attention. But the forecasts were wrong, at least regarding Ukraine.
The question of offense dominance bears on what strategies are viable. In an offense-dominant space, the best defense is not merely a good offense but also a preemptive one. Russia has proved itself one of the world’s great cyber powers, demonstrating its ability to stun the Estonian government in 2007, turn off Ukrainian power in 2015, and interfere with U.S. elections in 2016.29 With this track record, it should have had at least some success with offensive cyberattacks after two years of continuous fighting. But the stark lack of cyber-enabled strategic gains in Ukraine suggests effective defense is possible.30 This does not mean cyberspace is necessarily defense dominant—only that the offensive does not by itself grant a decisive advantage. Other factors decide the outcome.
What Is to Come?
The nature of Russian activities in Ukraine to date limits the utility of predictions about the role of cyber operations and partially obscures answers to some of the largest questions surrounding cyber warfare. The separation of Russia’s military and intelligence entities makes drawing firm conclusions about the lethality of integrated cyber warfare difficult. While Russia has attempted to coordinate cyber and conventional operations, it has fallen short below the operational level. Even when it has used cyber and kinetic fires against the same types of targets or targets in the same area, the effects have not been combined.31 Russia’s Soviet-style political territorialism prevents the integration necessary to make use of cyber effects during a conventional war.
But the trends identified thus far should be a starting point for new concepts and help shape new expectations. The conflict demonstrates very little destructive power flowing from cyberspace. Russia’s emphasis and primary skills in cyberspace have trended toward control of information and suppression of political dissent. At the same time, it is unlikely the Viasat hack and the foiled Industroyer2 attack on a Ukrainian power plant constitute the entirety of Russia’s destructive cyber arsenal.32
The Russia-Ukraine war has not unequivocally proved specific notions about the role any particular cyber trend might play in future conflict. But it strongly suggests some trends are becoming characteristics of cyber warfare: In conflict, cyber warfare appears not to be inherently offense dominant. It appears primarily to be an intelligence-gathering domain, and specialized intelligence-dependent missions maximize the effects of cyber operations. Strategic partnerships with private technology companies can be key terrain in cyberspace.
The age of cyber warfare has arrived. Peacetime conceptions about the scale and cost of cyber forces and operations have not matched observations made during this war. The question of the destructiveness of cyber weapons therefore remains open. However, professionals must study this war to understand how cyber warfare might evolve in future conflicts.
1. John W. Steinberg, “The Russo-Japanese War and World History,” Association for Asian Studies 13, no. 2 (Fall 2008).
2. Matthew Gaskill, “Shaping War in Europe—Lessons Learned in the Spanish Civil War,” War History Online, 1 September 2018.
3. Jonathan Masters, “Ukraine: Conflict at the Crossroads of Europe and Russia,” Council on Foreign Relations, 14 February 2023.
4. Pierluigi Paganini, “Crimea—The Russian Cyber Strategy to Hit Ukraine,” Infosecinstitute.com, 11 March 2014.
5. Paganini, “Crimea—The Russian Cyber Strategy to Hit Ukraine.”
6. Jakub Przetacznik and Simona Tarpova, “Russia’s War on Ukraine: Timeline of Cyber-attacks,” European Parliamentary Research Service, June 2022.
7. “Attack on Ukrainian Government Websites Linked to GRU Hackers,” Bellingcat, 23 February 2022; and Jon Bateman, “Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications,” Carnegie Endowment for International Peace, 16 December 2022.
8. Dan Rice, “The Untold Story of the Battle for Kyiv,” Small Wars Journal, 31 May 2022.
9. Bateman, “Russia’s Wartime Cyber Operations in Ukraine”; and Nick Beecroft, “Evaluating the International Support to Ukrainian Cyber Defense,” Carnegie Endowment for International Peace, 3 November 2022.
10. Gavin Wilde, “Cyber Operations in Ukraine: Russia’s Unmet Expectations,” Carnegie Endowment for International Peace, 12 December 2022.
11. Gavin Wilde, Nick Beecroft, and Jon Bateman, “What the Russian Invasion Reveals About the Future of Cyber Warfare,” Carnegie Endowment for International Peace, 19 December 2022.
12. Craig Timberg, Ellen Nakashima, Hannes Munzinger, and Hakan Tanriverdi, “Secret Trove Offers Rare Look into Russian Cyberwar Ambitions,” The Washington Post, 30 March 2023; and B. A. Hamilton, “Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations,” Booz Allen Hamilton, 2020.
13. Przetacznik and Tarpova, “Russia’s War on Ukraine”; and Wilde, “Cyber Operations in Ukraine.”
14. Beecroft, “Evaluating the International Support to Ukrainian Cyber Defense.”
15. Rice, “The Untold Story of the Battle for Kyiv.”
16. Maj Eric Pederson, USAF, et al., “DOD Cyberspace: Establishing a Shared Understanding and How to Protect It” (Washington, DC: Defense Air Land Sea Space Application Center, January 2022).
17. Bateman, “Russia’s Wartime Cyber Operations in Ukraine.”
18. Bateman.
19. Bateman; and Beecroft, “Evaluating the International Support to Ukrainian Cyber Defense.”
20. David Raymond et al., “Key Terrain in Cyberspace: Seeking the High Ground,” in 2014 6th International Conference On Cyber Conflict (Tallinn, Estonia: IEEE, June 2014), 287–300.
21. G. A. Crowther, “The Cyber Domain,” Cyber Defense Review 2, no. 3 (Fall 2017): 63–78; and Michael Warner, “Intelligence in Cyber—and Cyber in Intelligence,” Carnegie Endowment for International Peace, 16 October 2017.
22. Bateman, “Russia’s Wartime Cyber Operations in Ukraine.”
23. Bateman; and Microsoft Digital Security Unit, “An Overview of Russia’s Cyberattack Activity in Ukraine,” April 2022.
24. Paganini, “Crimea—The Russian Cyber Strategy to Hit Ukraine.”
25. Bateman, “Russia’s Wartime Cyber Operations in Ukraine.”
26. Wilde, Beecroft, and Bateman, “What the Russian Invasion Reveals.”
27. Bateman, “Russia’s Wartime Cyber Operations in Ukraine.”
28. Joseph S. Nye, Cyber Power (Cambridge, MA: The Belfer Center, 2010).
29. Przetacznik and Tarpova, “Russia’s War on Ukraine”; Rain Ottis, “Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective,” Cooperative Cyber Defence Centre of Excellence, October 2018, 6; and “Senate Intel Releases Election Security Findings in First Volume of Bipartisan Russia Report,” press release, 25 July 2019.
30. Bateman, “Russia’s Wartime Cyber Operations in Ukraine.”
31. Bateman.
32. Hamilton, “Bearing Witness.”