Sharing opinions is important. Opinion pieces represent the diverse views of The Cipher Brief audience and do not represent views of The Cipher Brief.
OPINION — The Russo-Ukrainian war is here, and it doesn’t include the catastrophic cyberattacks that scaremongers have been predicting despite Russia’s demonstrated capabilities. Russia has not integrated offensive cyber operations into their ground invasion in any meaningful way, nor are they likely to start. The inaccurate predictions show not only a lack of understanding of Russian cyber strategy, but also a fundamentally flawed understanding of the benefits and constraints of cyber effects.
A flawed assessment of adversary strategy and capability is one way to guarantee defeat. What most fail to understand is that the advantages afforded by offensive cyber operations are irrelevant to Russia’s opening maneuvers.
Offensive cyber operations are best deployed in conditions where visibility and attribution are detrimental to mission success. For Russia, the traditional visibility of a daytime ground invasion is essential to disparage national will and to deter a counterinsurgency. During the fast-paced, torrent of wartime news, Russia’s mission successes must be highly visible (even exaggerated) to counter the fog of war and to demoralize the adversary. Traditional visibility is inherently lacking in the cyber domain and as a result, cyber effects often go unnoticed or are attributed to other factors. Kinetic effects have a greater impact on perception, and perception is very important at this point in the conflict.
Operationally, a minimum viable effort is preferable to a complicated one during wartime. Well-executed offensive cyber operations are long, slow and carry a risk of unwanted secondary effects. Why disable a critical capability with a cyberweapon when bolt cutters when a bomb will do? Also, cyber effects are typically temporary or cause disruptions that can be overcome with an adept incident response team. Kinetic effects are usually more permanent or more costly to overcome.
Russia has a successful ongoing cyber strategy and it’s the exact opposite of cyber shock and awe: persistent, incremental aggression aimed at enemy infrastructure and institutions. Their strategy takes the long-game approach and uses cyber power as an instrument of imperceptible, gradual degradation to weaken their targets from the inside out. Civilian and government IT networks across the globe have borne the brunt of Russian countervalue campaigns for the last ten years.
Through trial and error and a decade of experience, Russia has likely verified what every hacker and software developer already knows: precision attacks are resource-intensive, and given the volatility of cyberspace, synchronized mission success at scale is difficult to achieve. Temporary disruptions to communications or energy are proven, but a large-scale coordinated attack is still unprecedented.
As the character of the cyberwar continues to reveal itself, US cyber national security strategy must adjust. Instead of reacting to the specter of an imminent attack, a comprehensive strategy that repairs current damage and deters future aggression is urgently needed. Reactionary measures to hyperbolic conjecture do not make the U.S. stronger. “Shields Up” is a slogan, not a strategy, and an unrealistic one at that. The level of sustained resilience required to reliably counter the cyber forces of the major threat actors is unachievable, especially at scale. The incremental degradation to critical services and institutions is less sensational than a large attack, but it poses an equally existential threat to America’s place in the global world order.
Gentry Lane is the CEO & founder of ANOVA Intelligence, a cyber national security software company. She is also a Fellow at the Potomac Institute for Policy Studies and a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Law School.
Sharing opinions is important. Opinion pieces represent the diverse views of The Cipher Brief audience and do not represent views of The Cipher Brief. Have an opinion to share? Drop us an email at Info@thecipherbrief.com.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief