Why Russia Won't Launch a Full-Scale Cyberattack in Ukraine

Subtle, net-centric information warfare instead of an all-out cyber attack (like Stuxnet) might actually be Russia's tactical approach in Ukraine.

Back in the 6th century BC, Chinese military general Sun Tzu laid the foundations for information warfare, a broad, holistic aspect of conflict that would later grow to include propaganda and cyberwarfare. "Engage people with what they expect; it is what they are able to discern and confirms their projections," wrote Sun Tzu. "It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment—that which they cannot anticipate."

Fifteen centuries later, security expert Keir Giles made reference to this Sun Tzu quote in discussing his recent ArsTechnica op-ed about Russia's information warfare tactics in Ukraine and Crimea. Giles hoped the editorial would help people understand what Russia has been up to on the cyber front, centering on the argument that even though Russia hasn't yet staged "high-profile, public" cyber attacks in the Ukraine, the region is in the midst of an information war as much as a military occupation.

"If it's the Russian view we are talking about, then it would be fairer to say that cyberwarfare is just one technical facilitator of information warfare," Giles told me. "It is the information itself that is important, and cyber capabilities are just the technical ability to manipulate it. Information warfare is a vastly more holistic concept than cyberwarfare."

Giles noted that the Russians are, amongst other things, planting false information. "On March 1 Russian media reported that Dmitry Yarosh, the leader of Ukraine's Right Sector group and a particular target for Russian criticism, had made an appeal through social media to Islamist insurgent leader Doku Umarov," wrote Giles. "Yarosh wanted Umarov to support Ukraine by attacking Russia. Yarosh claims this is not the case and that the appeal was planted after his account was hacked."

When I asked him about the other ways Russia is using false information, Giles said to just look at any Russian news bulletin, and pointed to a US State Department fact sheet titled President Putin's Fiction: 10 False Claims About Ukraine. Computer and network security researcher Marcus Ranum, who has written and spoken extensively on information and cyberwarfare, calls Russia's tactics something else: "battlefield intelligence plus net-centric warfare." A mouthful, to be sure, but instrumental in making sense of Russia's cyber-based intentions in Ukraine.

"'Net-centric warfare' is a catchall for 'cleverly using computers in a battlefield environment,' i.e., getting drone video down to troops in the field, using cell phone detectors to locate IEDs, etc.," said Ranum. "It's really 'IT applied to the military' in a general sense. The issue is that it's often conflated with 'cyberwar' or 'information operations' for budgetary reasons."

Ranum calls net-centric warfare the "cloud computing of military IT"—it can be whatever people want it to be. The only necessary ingredients are computers, data, and above all, a budget. However, Ranum doesn't consider it a great innovation. "In reality, this stuff is all just battlefield intelligence," said Ranum. "It's just a faster point along the progression from messenger to carrier pigeon to telegraph to observation balloon to satellite."

Subtle, net-centric information warfare instead of an all-out cyber attack (like Stuxnet) might actually be Russia's tactical approach in Ukraine. If Russia launched a full-scale, public cyber attack against Ukraine, it would be politically messy, and might trigger military retaliation. Ranum believes that this is something Putin wants to avoid. "It's the issue of retaliation that makes the 'big frame' cyberwar less likely and closer to impossible," he noted. "In order to do this stuff, you need the political top-cover to survive the fallout that would inevitably result."

For the moment, Putin's Russia seems content just gathering intelligence in low-intensity cyber attacks. "Putin is (rightly) trying to avoid having the situation go military," said Ranum. "He learned a lesson in Georgia: When you have zero-length supply lines and overwhelming power, there is no need to act quickly or precipitously."

Ranum also pointed to a cyberwar dynamic that doesn't seem to get a lot of play, at least not in the media: while the military might want the power grid taken down (Stuxnet-style), cyber spies will counter that this will put their intelligence-gathering efforts at risk. Applying this to the Russia vs. Ukraine standoff, one quickly realizes that Putin can only go so far with Russian cyber warfare. It's far better to operate in the shadows—a principle that applies both to traditional spycraft and cyber attacks. Big and bold isn't necessarily efficient or effective.

Giles believes that Russia's "brute force" DDoS attacks against Estonia and Georgia are no longer necessary. Current cyber tools allow states to do other things, such as deploy the intelligence-gathering virus Snake, which, according to Giles, is popping up in Ukraine and elsewhere. Publicly bold cyber attacks would, as Giles suggests, also risk "alienating or inconveniencing the Russian-friendly populations in Eastern Ukraine."

Ranum, on the other hand, comes to quite another conclusion about the recent history of Russia's cyber warfare tactics. "The cyber attacks against Estonia really accomplished nothing," Ranum said. "They were annoying and made the Estonian government look a bit less competent for a short while. But, so what?" (As Giles noted in the op-ed, the first attack "definitively linked" to the Russian-Ukraine conflict came on March 1, a day after Russian ground forces occupied Crimea.)

So, while Giles might be correct in suggesting Putin learned that subtle cyber attacks could be more effective than brute force (DDoS) attacks in an information warfare campaign, Ranum understands that cyber attacks only get states so far. "Sure, there may be hacking taking place, but who cares," added Ranum. "When you've got loads of guys with guns running around, military ships blockading missile boats in their ports, etc, the computer-based activity is going to have to have some amazingly powerful leverage (almost inconceivably powerful) to be able to affect the end situation in the slightest little bit."

In other words, as with traditional intelligence-gathering and information warfare, conflicts aren't going to be resolved on computer networks via full-scale hacks. Even if it becomes a full-scale shooting war, the Russia-Ukraine resolution will ultimately be diplomatic. Of course, hacked intelligence and cyber-based false information will factor into diplomacy, but it won't be the whole story. In that respect, not much has changed since Sun Tzu's time. Information warfare, and its branch of cyber attacks, is but one aspect of a conflict or war. Sun Tzu knew it, and Putin knows it. It's one tool in a much bigger foreign affairs arsenal.