Two years ago, Russia invaded Ukraine. Amid the global outcry and horror over the brutal impact of physical weaponry, many also took note of the significant role that cyber operations played at the outset of the fighting. Some proclaimed the Russia-Ukraine conflict as the first “cyber war” not least given the intense initial targeting of critical infrastructure in the initial phase of fighting. The high-profile operation against Viasat Inc’s KA-SAT satellite impacted network connectivity not only in Ukraine but also in France and Germany, raising concerns about “cyber spillover” to other countries not party to the conflict while also highlighting the link between cyber- and outer-space security. Early on, Ukraine mobilized a global “IT Army” that raised legal questions about the role of individuals and the private sector in an armed conflict. A series of revelations about Russia-linked cyber operations against Ukrainian targets and allies in the weeks preceding the invasion only added to the popular expectation that a cyber- and artificial intelligence-fuelled revolution in warfare was about to be unleashed.
Except, it wasn’t. As the two-year mark of the war approaches, cyber operations continue to be a relevant dimension of the conflict but not in the transformative way forecasted by some in 2022. The military and strategic effects of cyber operations have been limited while Ukrainian resilience has been stout, bolstered by international support and Ukraine’s decade-long experience in fending off cyber-attacks. For instance, Microsoft observed that nearly 50 percent of destructive Russian [cyber] attacks observed against Ukrainian networks occurred in the first six weeks of the war, often in tandem with kinetic military action. Some analysts have observed a shift towards greater targeting of Ukraine’s allies through various cyber tactics that in 2023 affected Canada, New Zealand, Poland, Switzerland, and NATO, among others. The disinformation warfare game continues to be strong, however, with influence operations increasing as the conflict continues into a third year. Of course, one can’t rule out the possibility of higher-impact operations occurring in the future – the late 2023 incident targeting Kyivstar, Ukraine’s largest telecommunications operator, is a stark reminder of this –but the general trajectory appears to be toward a greater use of cyber tools for influencing and intelligence-gathering.
Those who sounded a more cautionary tone in 2022 may well have been on to something. But even if the cyber doomsday scenarios have not played out as expected – which is, after all, a positive thing – the last two years have brought into focus some important considerations.
First, the Russia-Ukraine war is a test case for the application and enforcement of international law and norms. All states have endorsed the position that international law applies to state conduct in cyberspace, as well a complementary set of UN-based voluntary norms for responsible cyber behavior, including in peacetime. The norms forbid some of the malicious activity that has occurred in the last two years, such as against targeting critical infrastructure. Despite widespread agreement on the applicability of law and norms, there is debate and uncertainty over how the law applies including when cyber operations cross a threshold at which they are considered an act of war. As the Russia-Ukraine conflict is one of the first instances of such extensive cyber operations within an international armed conflict, understandings about how international humanitarian law (IHL), or the law of armed conflict, applies are being tested in real-time. In this context, the prominent role of a wide range of non-governmental actors such as private companies and patriotic civilian hackers is blurring the line between who is a combatant and who is a civilian, and thus protected under IHL. The use of proxy actors in malicious cyber activity is not at all new, but the nature of such actors in this context is. At the same time, the war is prompting forward action in the legal realm, such as when the lead prosecutor of the International Criminal Court announced in late 2023 that it will investigate cybercrimes that potentially violate the Rome Statute.
Second, cyber harm and violence need to be understood and documented in a more holistic way. Efforts to evaluate or measure the harm caused by cyber operations are sometimes overly focused on their physical or financial impact, overlooking the individual, societal, and environmental effects, including implications for psychological and social well-being. Peacetime malicious cyber activity has long demonstrated these broader implications and harms, but the war has also helped to bring into focus that cyber operations impact civilians in diverse ways. Recent efforts by the CyberPeace Institute to develop a common methodology to evaluate cyber harm have helped to tease out the different forms of violence and harm. Moreover, as the conflict unfolds, and a majority of cyber incidents occur within what many view as a “legal grey zone” there is a need to reach a common understanding about what kinds of effects qualify an incident as an “attack”. A part of understanding how and when different types of international law are applicable to cyber activity requires considering their effects. This is relevant for IHL applicability and international human rights law (IHRL), which applies during both peace and conflict.
Finally, the conflict has tested key and long-standing questions debated among academics, policymakers, and diplomats: how effective are cyber operations as a tool of war? What is their role in coercion and deterrence? What does it mean for hybrid war? How has the concept of active cyber defense gained currency through this conflict? Experts are increasingly converging around the view that cyber operations have a limited role in all of the above and have not directly impacted the course of the war, although of course the true extent and impact of operations may not always be publicly reported on. Looking ahead or attempting prediction is challenging in the context of an evolving and nuanced situation such as this. Yet applying what has been learned to other regional or geographic contexts is crucial, however, as is taking meaningful action in response to narrow legal loopholes, enhancing accountability, and working to prevent further negative impact and harm.
False Alarms: Reflecting on the Role of Cyber Operations in the Russia-Ukraine War
By Allison Pytlak
Emerging Technology
At the start of the Russia-Ukraine war, a series of high-profile cyber operations led many to proclaim the conflict as the world’s first true “cyber war”. Two years on however, cyber operations have had a limited impact on the fighting and are increasingly used for espionage and influence operations. But even if the cyber doomsday scenarios have not played out as some expected, the last two years have brought into focus some important considerations. The war has tested collective understanding about the applicability and enforcement of international law and norms. It is demonstrating the need for a broader approach to measuring cyber harm and violence while also putting to the test some long-standing debates in the cyber community about the effectiveness of cyber as a tool of war.
Two years ago, Russia invaded Ukraine. Amid the global outcry and horror over the brutal impact of physical weaponry, many also took note of the significant role that cyber operations played at the outset of the fighting. Some proclaimed the Russia-Ukraine conflict as the first “cyber war” not least given the intense initial targeting of critical infrastructure in the initial phase of fighting. The high-profile operation against Viasat Inc’s KA-SAT satellite impacted network connectivity not only in Ukraine but also in France and Germany, raising concerns about “cyber spillover” to other countries not party to the conflict while also highlighting the link between cyber- and outer-space security. Early on, Ukraine mobilized a global “IT Army” that raised legal questions about the role of individuals and the private sector in an armed conflict. A series of revelations about Russia-linked cyber operations against Ukrainian targets and allies in the weeks preceding the invasion only added to the popular expectation that a cyber- and artificial intelligence-fuelled revolution in warfare was about to be unleashed.
Except, it wasn’t. As the two-year mark of the war approaches, cyber operations continue to be a relevant dimension of the conflict but not in the transformative way forecasted by some in 2022. The military and strategic effects of cyber operations have been limited while Ukrainian resilience has been stout, bolstered by international support and Ukraine’s decade-long experience in fending off cyber-attacks. For instance, Microsoft observed that nearly 50 percent of destructive Russian [cyber] attacks observed against Ukrainian networks occurred in the first six weeks of the war, often in tandem with kinetic military action. Some analysts have observed a shift towards greater targeting of Ukraine’s allies through various cyber tactics that in 2023 affected Canada, New Zealand, Poland, Switzerland, and NATO, among others. The disinformation warfare game continues to be strong, however, with influence operations increasing as the conflict continues into a third year. Of course, one can’t rule out the possibility of higher-impact operations occurring in the future – the late 2023 incident targeting Kyivstar, Ukraine’s largest telecommunications operator, is a stark reminder of this –but the general trajectory appears to be toward a greater use of cyber tools for influencing and intelligence-gathering.
Those who sounded a more cautionary tone in 2022 may well have been on to something. But even if the cyber doomsday scenarios have not played out as expected – which is, after all, a positive thing – the last two years have brought into focus some important considerations.
First, the Russia-Ukraine war is a test case for the application and enforcement of international law and norms. All states have endorsed the position that international law applies to state conduct in cyberspace, as well a complementary set of UN-based voluntary norms for responsible cyber behavior, including in peacetime. The norms forbid some of the malicious activity that has occurred in the last two years, such as against targeting critical infrastructure. Despite widespread agreement on the applicability of law and norms, there is debate and uncertainty over how the law applies including when cyber operations cross a threshold at which they are considered an act of war. As the Russia-Ukraine conflict is one of the first instances of such extensive cyber operations within an international armed conflict, understandings about how international humanitarian law (IHL), or the law of armed conflict, applies are being tested in real-time. In this context, the prominent role of a wide range of non-governmental actors such as private companies and patriotic civilian hackers is blurring the line between who is a combatant and who is a civilian, and thus protected under IHL. The use of proxy actors in malicious cyber activity is not at all new, but the nature of such actors in this context is. At the same time, the war is prompting forward action in the legal realm, such as when the lead prosecutor of the International Criminal Court announced in late 2023 that it will investigate cybercrimes that potentially violate the Rome Statute.
Second, cyber harm and violence need to be understood and documented in a more holistic way. Efforts to evaluate or measure the harm caused by cyber operations are sometimes overly focused on their physical or financial impact, overlooking the individual, societal, and environmental effects, including implications for psychological and social well-being. Peacetime malicious cyber activity has long demonstrated these broader implications and harms, but the war has also helped to bring into focus that cyber operations impact civilians in diverse ways. Recent efforts by the CyberPeace Institute to develop a common methodology to evaluate cyber harm have helped to tease out the different forms of violence and harm. Moreover, as the conflict unfolds, and a majority of cyber incidents occur within what many view as a “legal grey zone” there is a need to reach a common understanding about what kinds of effects qualify an incident as an “attack”. A part of understanding how and when different types of international law are applicable to cyber activity requires considering their effects. This is relevant for IHL applicability and international human rights law (IHRL), which applies during both peace and conflict.
Finally, the conflict has tested key and long-standing questions debated among academics, policymakers, and diplomats: how effective are cyber operations as a tool of war? What is their role in coercion and deterrence? What does it mean for hybrid war? How has the concept of active cyber defense gained currency through this conflict? Experts are increasingly converging around the view that cyber operations have a limited role in all of the above and have not directly impacted the course of the war, although of course the true extent and impact of operations may not always be publicly reported on. Looking ahead or attempting prediction is challenging in the context of an evolving and nuanced situation such as this. Yet applying what has been learned to other regional or geographic contexts is crucial, however, as is taking meaningful action in response to narrow legal loopholes, enhancing accountability, and working to prevent further negative impact and harm.
Recent & Related