19 December 2023

Many myths surround Russia’s cyberwarfare against Ukraine

Prior to the full-scale invasion, there were fears that Russia’s cyberwarfare capabilities alone would be enough to defeat Ukraine. That’s not what happened. A new report by an FOI researcher presents five hypotheses to explore this.


One of the hypotheses is that Ukraine’s robust cyber defence has deterred Russia from more extensive cyberwarfare. Image from Shutterstock.

Examples of cyberwarfare include modifying or destroying the computer system or network of an adversary using one’s own computers. Cyber operations play a crucial role in information influence campaigns and improper influence in general. The report was produced on behalf of the Swedish Armed Forces and covers the period from 2014, when Russia invaded Crimea, to the full-scale outbreak of war in 2022.

“I have examined a great deal of material and have been able to conclude that the concerns expressed by many observers about Russia’s cyberwarfare have not been met,” says Per-Erik Nilsson, a senior scientist at FOI.

He has developed five hypotheses regarding Russia’s cyberwarfare against Ukraine. None of the hypotheses have more significance than the others, so their listing has no particular order; Per-Erik Nilsson warns against drawing hasty conclusions about any of them.

Hypothesis 1: Expectations of Russia’s offensive cyberwarfare capabilities were exaggerated

“Many well-known analysts have written that we have seen only a fraction of Russia’s capabilities in conducting cyberwarfare. They warned that Russia, relying on its cyberwarfare capabilities alone, would likely destroy Ukraine’s electricity grid and mobile networks, as well as its military command centres. Its cyber capabilities were ascribed an almost mythical capability, an image that the Russian leadership itself has helped to spread,” says Per-Erik Nilsson.

Hypothesis 2: Russia has failed to use the full potential of its offensive cyberwarfare capabilities

“According to this hypothesis,” says Per-Erik Nilsson, “Russia was so confident that the invasion would proceed rapidly and smoothly that a major cyber offensive was unnecessary. It is also possible that Russia’s war planning was inadequate, since it was confined to an overly narrow circle and thus failed to properly prepare it to use its entire cyberwarfare arsenal. Russia may also have been gravely mistaken in subjecting Ukraine to continual cyberattacks in the years following its invasion of Crimea, as this trained Ukraine in countermeasures and alerted NATO to its activities.”

Hypothesis 3: Russia’s cyberwarfare is fairly effective and has caused considerable damage

“The key takeaway here is that expectations of what cyberwarfare can achieve have been unrealistic. In other words, if we focus on the damage that Russia has actually wrought, we see that its impact has been significant. There are not only numerous credible examples but also corroborating sources indicating that thousands of mobile telephony base stations have been damaged, for instance, while Ukraine’s wireless communication networks have served it well,” says Per-Erik Nilsson.

According to this hypothesis, Ukraine’s increasing access to advanced weapons systems with sophisticated software may paradoxically be detrimental, as it creates opportunities for Russia to disrupt them using long-available but previously unused cyberwarfare methods.

Hypothesis 4: Ukraine’s robust cyber defence has deterred Russia from more extensive cyberwarfare

“Even before the outbreak of the full-scale war, Ukraine invested in cybersecurity and built a resilient IT infrastructure, reinforcing stable internet connectivity. Prior to the invasion, Ukrainian authorities relocated critical government data to foreign storage centres, ensuring that the information does not vanish when Russia bombs Ukrainian computer centres. Ukraine has also successfully assembled a so-called cyberarmy of volunteers from around the world to conduct cyberattacks against Russia,” according to Per-Erik Nilsson.

Hypothesis 5: The world has seen what can be expected from Russian cyberwarfare

“This is the most speculative hypothesis. It proposes that what we have seen so far during the war is approximately what we can expect from cyberwarfare and that it can never be a substitute for traditional warfare. As one expert put it, ‘If cyber operations can coerce anyone into submission, why would Russia go to all the trouble of mobilising troops and attempting to take Ukraine by force?’” says Per-Erik Nilsson.

Develop countermeasures based on facts instead of unrealistic scenarios

As stated earlier in the article, it is critical to avoid hasty conclusions about any of the five hypotheses, mainly because the available data remain incomplete.

“What is clear, however, is that Sweden and other countries should build resilience against cyberwarfare through facts that are based on actual circumstances, including technical, organisational, social and political aspects, rather than unrealistic future scenarios,” says Per-Erik Nilsson.

However, Per-Erik Nilsson concludes by saying that speculative thinking has a crucial role in exploring future scenarios:

“There is much to learn from Ukraine’s cyber defence and cybersecurity efforts.”