Almost two weeks after Russia’s invasion and with no signs of the conflict abating, the resilient defence by Ukrainian forces has left many surprised. The recent attacks on nuclear facilities, the mass geographical scope of shelling operations across the country, and repeated ceasefire breaches indicate that Russia is escalating its offensive operations to complete the illegal capture of Ukraine. We look at some initial takeaways from the Russian invasion of Ukraine in the context of cyberspace.

1. Predictions of cyberwar have been thwarted

One of the more surprising aspects of the war has been the lack of cyber offensive operations by Russia. Compared to early predictions of the conflict being driven primarily in cyberspace, the almost entirely opposite reality is apparent. The war is being waged through the use of physical force and conventional arms, with cyberspace barely playing a supporting character. While the Whispergate malware and the more recently discovered Hermetic malware, both with the aim of rendering computer systems inoperable, present a serious threat to critical assets of Ukrainian government organizations, they are not necessarily out of the ordinary in the context of Russia’s long-standing cyber operations against Ukraine.

For example, in 2015, private cybersecurity companies and public attributions by Ukraine’s Security Service (SBU) pointed to cyber espionage efforts of significant depth – including ‘Operation Armageddon’ (active since 2013), with the purpose of stealing information from the Ukrainian government, and activities of the Gamaredon group (discovered to be active since 2013, prior to Russia’s annexation of Crimea), which were found to be aligned with Russia’s security interests.

The 2014 election interference was an attack on democratic processes attributed to the pro-Russian hacktivist group CyberBerkut, with suspected ties to the GRU’s hacking group APT28 (also called Fancy Bear). This was decried as information warfare by Ukraine – malware rendered their vote-tallying systems inoperable and displayed erroneous election results. The first cyber-attack on critical infrastructure, carried out in 2015 by the Sandworm hacker group (also associated with Russia’s GRU), disconnected electric substations, leaving close to 225,000 people without power in Western Ukraine, and represented Russia’s massive escalation in cyber operations. This level of serious escalation has been missing throughout the current state of conflict.

2. There should be a reassessment of the utility of cyber offensive capabilities in warfare

The reasons behind Russia not declaring ‘cyberwar’, or not even heavily supplementing conventional war with offensive operations, are not straightforward. Cyber warfare does not lend itself to a linear plan of attack with defined inputs and outcomes, as might be the case with most forms of kinetic warfare. Russia’s campaign since 2014 has evolved with respect to sophistication, but it is tricky to assess the actual strategic gains they have made in Ukraine in the past. In some cases, the damage was limited (as in the 2014 election interference), while in others, like the 2016 power outages and NotPetya, the consequences were significant and, in some cases, unintended.

Therefore, it is possible that in Putin’s calculus, the risk of collateral damage to Russia’s systems was too high. However, it may very well be that as the war drags on, these risks might become worth taking, given the advantage of the element of surprise in cyber warfare. Attacks on military infrastructure and communication lines and on critical infrastructure, along with information operations and electronic warfare in Ukraine, are still all within the realm of possibility.

On the other hand, it is equally possible that Russia’s cyber operations have suffered from lack of preparedness or impaired capability or both. Ciaran Martin, former head of the United Kingdom’s National Cyber Security Centre, has said that the cyber domain may influence the war at the margins, but it will not decide it. The reality that a state with extremely sophisticated cyber operations capabilities has not relied on the domain to drive its war efforts only reiterates the caution that needs to be taken in assessing the utility of cyberspace in war.

3. Limited impact of the contest between vigilante hackers

Non-state actors with varying cyber capabilities are joining the war against Ukraine. Back in 2017, while denying state involvement in the US elections, Putin said that hackers could contribute to a nation’s efforts if they have a ‘patriotic mindset’. Recent reports of vigilante hackers taking down Ukrainian government websites, sending bomb threat emails and using similar tactics are a reminder of the malicious behavior of patriotic hackers. A high level of sophistication in these attacks seems implausible to expect. These have so far been restricted to DDoS (Distributed Denial of Service) attacks, hacking into the live dashboard feeds of an unidentified Ukrainian “rapid response team”, and gaining access to official email addresses to carry out phishing attacks.

On the other side, Ukraine has called on cybersecurity specialists to join its ‘Digital Army’ and contribute to the cyber defence of the country. They have emphasized that this cyber army is a volunteer movement with attacks strictly planned only on Russian government targets, not civilian. Other hacker collectives have mostly carried out activities that aim to counter Russia’s propaganda and are at the much lower end of the spectrum of cyber escalation. Some unverified claims on disrupting rail networks to prevent troops moving in have been made by the Belarusian Cyber Partisans. The sheer speed at which different actors have joined this fight online is intriguing and perhaps unprecedented. The chances of this contest having a huge impact, however, seem low.

Whether cyberspace will feature more decisively remains to be seen as Ukraine’s robust defence continues but it is certain that the reliance on cyberspace as a domain of warfare should not be assumed.