Cyber operations are inevitable in future warfare. What roles they will play, however, and to what effect, are hotly contested. Over the past decade, U.S. cyber forces have engaged in numerous operations, but they have yet to be tested in high-end conflict against a technically sophisticated adversary, leaving defense planners with limited information from which to design a force structure to confront the varied character cyber conflict may take.
The Russia-Ukraine war suggests that force structure decisions related to cyber operators face temporal tradeoffs. Combat quickly begins to outpace the speed with which offensive cyber operations can be accomplished. This, in turn, reduces the capacity of highly trained cyber operators to achieve effects. As a result, sustaining these types of cyber operations likely will require more resources than were anticipated at the start of the conflict. Attrition and mass—terms now associated with Ukrainian battlefields—may then bleed into the cyber domain.
In the early phase of the conflict, Russia used elite cyber operators to conduct complex cyber operations in support of its military objectives. The pace of these operations waned, however, as Russia expended its exquisite network accesses, leaving it with limited capabilities as the war moved into its protracted state. In contrast, Ukraine’s cyber capabilities were less sophisticated at the outset, but over time a large primarily volunteer force coalesced in support of Ukraine. Preliminary insights from the Russia-Ukraine war highlight that getting force balance right may determine whether cyber forces maintain significance past the initial salvo or are relegated to the sidelines.
The Cyber Crucible in Ukraine
Broadly speaking, the Russia-Ukraine war is pitting two different cyber force structures against each other—the Russian elite-centric model and the Ukrainian volunteer-centric model. The Russian approach traditionally emphasizes an elite corps of cyber operators who develop exquisite capabilities designed for high-impact activities. These personnel are primarily housed in government organizations such as Russian military intelligence (GRU), the internal security and counterintelligence service (FSB), and the foreign intelligence service (SVR).[1]
In contrast, the Ukrainian Armed Forces lacked a dedicated corps of trained offensive cyber personnel and chose to focus its limited government resources on defensive capabilities. Since the Russian invasion, Ukraine also has cultivated a large network of volunteer civilian operators to conduct cyber activities against Russia. These two models are not mutually exclusive, but each has its own strengths and weaknesses, which are becoming apparent as the war unfolds.
Almost a year before the invasion of Ukraine, Russian cyber forces expanded and intensified their online spearphishing campaigns against Ukraine and NATO countries, focusing on gaining access to Ukrainian government, military, and critical infrastructure networks.[2] On the eve of the invasion, Russia deployed destructive malware against hundreds of Ukrainian systems and then conducted a denial-of-service attack against the Viasat satellite communications company, disrupting broadband service for tens of thousands of users across Ukraine and Europe.[3] Russia generated at least 22 cyberattacks against Ukrainian networks in the first week of the conflict and employed more destructive malware in the first four months of the conflict than it had in the previous eight years.[4] However, Russian cyberattacks rapidly declined within eight weeks of the start of the conflict. Offensive cyber operations trickled down to one to two attacks per week, and, by the fifth month, cybersecurity firms began to observe lengthy periods without any observable attacks.[5]
There are several possible reasons for this decline. Ukraine gained critical experience defending against Russian cyberattacks, accumulating lessons since at least 2014. Also, Western governments and technology companies stepped up actions to help Ukraine defend its networks, reducing the pace of Russia’s operations. U.S. Cyber Command’s (CyberCom’s) hunt-forward operations likely played an important role in helping Ukraine defend some of its most critical networks, while the private sector (e.g., Microsoft, Google/Mandiant) helped protect Ukrainian government and civilian networks at scale.[6] In addition, as Russia burned through its previously acquired network accesses, the rhythm of kinetic operations began to outpace its cyber operators’ ability to keep stride.[7]
Russia’s elite cyber forces were well-prepared for intense and high-profile operations in the opening blows of the invasion, but they faltered as the campaign proved indecisive and failed to seize the Ukrainian capital. Had the Russian Army breached those defenses, observers likely would have described the cyber effects, paired with the invasion, as pivotal to Russia’s success. But the Russian blitzkrieg devolved into trench warfare and set-piece battles, leaving its cyber corps similarly exhausted and struggling to find footholds in Ukrainian cyber terrain that had become significantly hardened. As a result, Russian cyber operations became both more simplistic and sporadic as the conflict dragged on—a trend that continues today.
As Russia’s destructive cyber operations experienced a downturn, pro-Ukrainian volunteer hacker groups increased offensive cyber activities, forcing Russia to cope with thousands of disruptive cyberattacks within its own borders. The volunteers include an international body of pro-Ukrainian hacktivist groups, such as the state-backed IT Army of Ukraine, whose Telegram channel at times boasted 300,000 members.[8] Most of the activities conducted by the IT Army and other groups have focused on harassing distributed-denial-of-service attacks bringing down services on Russian websites, including the Moscow Stock Exchange and several prominent banks. The IT Army also purportedly gained access to an electric utility in Leningrad Oblast, causing power outages throughout the region.[9]
While the effects of most of these attacks can be mitigated without government intervention, the sheer volume and the numbers of people involved from different nations create a predicament for the Russian government, which must decide how much effort to spend defending its infrastructure from pro-Ukraine hacking groups. These cyber activities hold little promise of directly affecting battlefield operations, but they contribute to Ukraine’s active resistance and remind Russian citizens they are not immune from the direct effects of the war.
Russia has historically relied on criminal and nonstate cyber groups to support its operations. High-profile attacks in Estonia in 2007 and during the Russo-Georgian War in 2008 show that these elements are a regular feature in Russian cyber operations; however, their role in the current conflict appears to be more limited.[10] For example, following the German government’s announcement that it would send tanks to Ukraine, a GRU-affiliated group called XakNet brought down several German websites. In addition, the pro-Russian hacktivist group Killnet has coordinated denial-of-service attacks and hack-and-release operations against multiple Ukrainian allies.[11]
Russia and Ukraine now rely heavily on private-sector talent, although it is difficult to quantify the impact. As the conflict drags on, this domestic pool will likely atrophy, further affecting the sustainability of cyber operations. Tens of thousands of IT professionals left Russia after the full-scale invasion in 2022.[12] The brain drain was severe enough to prompt legislation eliminating income tax on IT workers in Russia through 2024.[13] Conversely, Ukraine’s IT industry has proven remarkably resilient, remaining one of the few sectors that grew during the first 12 months of the conflict.[14] However, the demand for fresh recruits on the front lines could stymie attempts to mature cyber capabilities. The persistent demand for more cyber talent only underscores that the cyber domain is not immune to the principle of mass.
Lessons for U.S. Cyber Force Structure
The effectiveness of Russia’s and Ukraine’s cyber operations is an ongoing debate. Nonetheless, Russia’s war against Ukraine is the first large-scale conflict to include significant cyber operations by a major cyber power and provides insights into the types of challenges the United States may face in a future conflict. Force planners must consider the cyber resources required to sustain major combat operations, which should include options to bolster the force’s offensive cyber capacity while simultaneously defending against expansive threats to the U.S. homeland.
Lessons from Ukraine suggest relying on elite cyber forces will not be enough, and the United States should consider how it can better use reservists and coordinate volunteer cyber operators outside its traditional military structure.
CyberCom is the functional combatant command responsible for conducting Department of Defense (DoD) cyber operations. Established in 2010, it plans to have approximately 7,000 active-duty personnel and activated reservists by 2027, organized into 147 operational teams that constitute the Cyber Mission Force. CyberCom’s various subordinate commands manage these forces, with each specializing in different geographic areas or functions, such as supporting the combatant commands or defending U.S. interests from malicious cyber actors.
CyberCom cultivates its offensive cyber capabilities predominantly within its active-duty force, developing highly skilled cyber operators who take one to three years to complete their training, at a cost of $220,000–$500,000.[15] Given these substantial costs, it makes little sense to build out additional offensive capacity inside the reserve component, whose members have limited time and funding to receive training. As a result, DoD may have sufficient capacity to meet its current missions during steady-state competition, but scaling these forces to meet the demands during a protracted conflict will be difficult.
Of the two models at play in Russia and Ukraine, the U.S. cyber force structure is more akin to the elite approach adopted by Russia’s GRU and FSB. This might mean U.S. forces would be capable of executing a limited number of effective offensive cyber operations in the early stages of conflict, but could then struggle to keep pace as an adversary’s cybersecurity posture strengthens in response to the attacks. Not only will sustaining the pace of offensive cyber operations against a capable adversary be challenging, but the frequency of cyberattacks against the U.S. homeland also will likely grow, potentially creating dilemmas for DoD decision-makers who must determine how best to allocate limited cyber resources.
To meet this demand, DoD should: (1) expand the size of CyberCom’s active-duty offensive cyber force by shifting more defensive missions to the reserves; (2) establish the National Guard as the primary DoD entity responsible for DoD operations related to U.S. critical infrastructure defense; and (3) develop plans and build infrastructure that would enable it to operationalize a volunteer cyber force should the need arise.
Expanding the reserve component’s contribution to defensive cyber operations would free CyberCom’s active force to provide greater offensive capacity. Approximately half the Cyber Mission Force is aligned to defensive missions, many of which are geared toward protecting networks within DoD’s sprawling IT environment, also known as the DoD Information Network (DoDIN).[16] However, if reserve units and service members could be mobilized rapidly during a conflict to defend DoDIN, the Cyber Mission Force could invest more in high-cost and time-intensive offensive cyber activities.
The reserve component consists of the Army National Guard, the Air National Guard, and each service’s federal reserve forces, which are organized into 33 cyber protection teams and three national mission teams, each with approximately 1,300–1,500 service members.[17] These forces are gaining valuable experience responding to real-world cyber incidents and supporting operational units in defensive roles. From 2022 to 2023, the Army Reserve Cyber Protection Brigade deployed defensive cyber personnel to major exercises in Europe and the Pacific, and in May 2023, it conducted cyber protection operations in support of the 3rd Multi-Domain Task Force, one of the Army’s premier theater-level maneuver elements.[18]
DoD also should consider giving the National Guard primacy over the mission to respond to major cyberattacks on U.S. critical infrastructure, allowing it to train, equip, and organize to that mission in support of both state and federal requirements. National Guard cyber forces operating under state authorities routinely respond to cyber incidents and have been activated to support a range of cyber missions, including monitoring networks in support of national elections. These units responded to ransomware attacks in five different states in 2019 and 33 cyber incidents across 15 different states in 2020.[19] Under certain circumstances, National Guard forces can simultaneously serve in both state and federal statuses, potentially giving those units flexibility to respond to attacks against a broad range of targets.[20]
Finally, DoD should develop plans for mobilizing volunteer cyber talent. How this would be organized and coordinated could take several forms, but establishing a primary office of responsibility, such as the Deputy Assistant Secretary of Defense for Cyber Policy, to study the issue and identify legal pitfalls could be the first step. There should be discussion about what level of integration such a volunteer force might require. For example, the Ukrainian IT Army appears to have a core group of leaders directly connected to military and intelligence agencies, along with a more public-facing grassroots movement coordinated through public tools such as Telegram. Other questions include the role the private sector might play in coordination efforts and to what extent industry leaders and experts would be involved in decision-making. These are not simple problems, but preemptive discussions and early planning must be part of the solution.
DoD cyber forces have been operational for less than a decade, leaving defense planners with limited historical data to inform their decisions. Lessons from the war in Ukraine, however, suggest that sustaining offensive cyber operations during a protracted conflict will be difficult, and options to bolster the force’s offensive capacity should be considered.
Given the time and cost required, expanding the number of offensive cyber units in the reserve component is probably not feasible currently, but reserve forces are likely capable of supporting more defensive missions, allowing a greater portion of the active force to focus on offensive cyber operations. Rebalancing the missions assigned to each part of the force would help maximize each component’s contribution to national security and help mitigate the risk that DoD cyber forces will become overextended in the event of a prolonged conflict.
1. Andrew S. Bowen, Russian Cyber Units (Washington, DC: Congressional Research Service, 2022).
2. Shane Huntley, Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape, Google Threat Analysis Group, 16 February 2023, 10–12.
3. Huntley, Fog of War, 14.
4. Microsoft Digital Security Unit, An Overview of Russia’s Cyberattack Activity in Ukraine, Special Report: Ukraine, 27 April 2022, 4.
5. Huntley, Fog of War, 15.
6. GEN Paul Nakasone, USA, Posture Statement of General Paul M. Nakasone Commander, United States Cyber Command Before the 117th Congress Senate Committee on Armed Services April 5, 2022, United States Cyber Command, 5 April 2022; and Microsoft Digital Security Unit, An Overview of Russia’s Cyberattack, 4.
7. Andy Greenberg, “Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless,” Wired, 18 November 2022.
8. Aiden Render-Katolik, “The IT Army of Ukraine,” CSIS.org, 15 August 2023.
9. Render-Katolik, “The IT Army of Ukraine.”
10. Sarah P. White, Understanding Cyberwarfare: Lessons from the Russia-Georgia War, Modern Warfare Institute, 20 March 2018.
11. Alexander Ratz and Andreas Rinke, “Russian ‘Hacktivists’ Briefly Knock German Websites Offline,” Reuters, 25 January 2023.
12. Cade Metz and Adam Satariano, “Russian Tech Industry Faces ‘Brain Drain’ as Workers Flee,” The New York Times, 13 April 2022.
13. Liudas Dapkus, “As Russia Sees Tech Brain Drain, Other Nations Hope to Gain,” Associated Press, 31 March 2022.
14. USAID, “With USAID Support, Ukraine’s Tech Sector Thrives Despite Russia’s Full-Scale War,” 5 May 2023.
15. Mark Pomerleau, “GAO: CyberCom and Services Not on Same Page Tracking Personnel,” DefenseScoop, 21 December 2022.
16. U.S. Department of Defense, Quadrennial Defense Review (2014), 41. See also Nakasone, Posture Statement Before the 117th Congress, 2.
17. Most of the services maintain cyber reserve personnel who support missions outside the cyber protection team (CPT) structure, meaning the total number of cyber personnel is greater than those assigned to these operational units. There are 10 CPTs in the U.S. Army Reserve operating across five cyber protection centers; 11 CPTs in the Army National Guard comprised of service members from across 33 states; and 12 CPTs and 3 cyber national mission teams in the Air National Guard operating in 11 states. See Jeffrey L. Caton, Examining the Roles of Army Reserve Component Forces in Military Cyberspace Operations (Carlisle, PA: U.S. Army War College Press, 2019), 7–11; and National Guard Bureau, National Guard Cyber Defense Team.
18. U.S. Army Reserve Cyber Protection Brigade, “Army Reserve Cyber Protection Brigade Contributes to Successful Northern Edge Exercise,” U.S. Army, 30 May 2023.
19. Joseph Lengyel, “2021 National Guard Bureau Posture Statement” (2021); and Daniel Hokanson, “2022 National Guard Bureau Posture Statement” (2022).
20. U.S. National Guard, Dual Status Command Fact Sheet.