Cyber Conflict and Subversion in the Russia-Ukraine War

Today, states can also do so via cyber operations that infiltrate the computer systems that modern societies and institutions increasingly depend on. The targets differ, but the mechanism works the same way. Hacking into systems means nothing else than finding vulnerabilities and exploiting them. The goal is to manipulate targeted systems to behave in ways neither their designers nor users expected, harming the victim to the benefit of the sponsor of the operation. Importantly, subversion’s indirect and secret mechanism of action offers great promise in theory: a cheap, easy, yet effective means to project power that can offer an alternative to force, or complement it. Accordingly, subversion has long been the source of great fears. Current worries about cyber threats from U.S. adversaries closely echo those expressed in the Cold War.

However, as I have shown, the same characteristics that enable this promise also tend to prevent its fulfillment in practice. Projecting power indirectly and secretly through adversary systems is hard. Subversive actors need to find vulnerabilities that the designers and users of that system missed. Doing so takes time. Meanwhile, subversive actors must stay hidden lest the victim discover the manipulation, providing an opportunity to neutralize it—by arresting or killing a spy, or by deleting malware or revoking access credentials. Hence, actors must proceed carefully. Moreover, most computer systems are not designed to cause physical damage or bodily harm. All this limits the intensity of effects. Finally, things can go off the rails. Subversion produces effects by making systems behave unexpectedly—and thus inherently involves a high risk of unintended consequences. In short, subversion is constrained in speed, intensity, and control. The more actors try to maximize one or two of these variables under a given set of circumstances, the more they will tend to have to compromise on the remaining one(s). Consequently, in most circumstances subversive operations are too slow, too weak, and too volatile to produce significant strategic value in practice.

Evidence from cyber conflict in Ukraine since 2022 largely confirms these expectations. As my new book “Subversion” shows, there was a lot of activity—but little of it made a measurable contribution toward Russia’s goals or an impact on the course of the conflict. Time pressure, sometimes combined with efforts to maintain control over effects, limited the latter’s intensity. Four major cyber operations challenge the theory of subversion and its constraints, however, by seemingly producing relatively intense yet controlled effects with relatively little preparation time. On closer look it becomes clear that some of these operations exploited unique opportunities for insider attacks offered by territorial conquest—underlining not only the continued relevance of traditional subversive infiltration but also the added effectiveness of combining offline and online means of compromising systems.

Maschmeyer continues:

Two years into the conflict, it is time to put these expectations to the test. In 2022, Nadiya Kostyuk and I predicted that if Russia invaded Ukraine, the limitations of cyber operations would render shock-and-awe scenarios exceedingly unlikely compared to the opportunistic use of low-level irritants, which are annoying for victims but strategically inconsequential. The main danger, we highlighted, would not be the effects of cyberattacks against intended targets but, rather, their collateral and uncontrolled damage against unintended targets. The trajectory of Russia’s prewar cyber operations indicated growing efforts to avoid the latter, however.

By and large, these predictions have held up, though a handful of cyber operations challenge them. Overall, cyber operations sponsored by (or suspected to be sponsored by) Russia that targeted Ukraine since 2022 fell into two strategic roles. First, they were deployed as an independent instrument pursuing, and continuing, a long-running general erosion strategy aiming to undermine Ukraine’s strength and societal cohesion from within. Second, some cyber operations also fulfilled an auxiliary role, complementing and facilitating the use of force. 

Russia ran an erosion campaign against Ukraine involving covert warfare, cyber operations, and traditional subversion for close to a decade before the invasion. Many observers have argued that cyber operations significantly enhance gray-zone strategies of this kind. In fact, the term “hybrid war” came to represent this supposedly new form of warfare, and Ukraine has been its paradigmatic case. Events on the ground have disproved these expectations in a horrific way. Russia’s “hybrid war” strategy failed to achieve its core goal of stopping Ukraine from maintaining a pro-Western foreign policy. Consequently, in February 2022, Russia escalated to the use of force.

Unsurprisingly, the cyber operations Russia deployed since then showed the same limitations as those before the invasion. There are already several excellent analyses assessing Russia’s wartime cyber operations. They largely reach the same conclusion, namely that Russia’s cyber operations caused negligible damage and mostly fell short of strategic significance. The more interesting question is how hacking groups have adapted to the challenges of an active war. I argue that Russia’s wartime cyber operations faced the same types of constraints as its peacetime campaigns, but that the wartime environment further exacerbated them. Foremost, time pressure mostly precluded exquisite sabotage operations of the kind of the 2015 and 2016 power grid sabotage in favor of relatively simple low-intensity disruptions through reusable disk wipers. Suspected Russia-sponsored hacking groups have deployed a lot of the latter.

While the quantity of cyber operations has increased, their quality has not fundamentally changed. On the contrary, most wartime activity pursued lower intensity effects compared to pre-invasion operations. That is what one would expect given tighter timelines in an active conflict. Intriguingly, none of the various wipers deployed—by now over 20—spread out of control like NotPetya did in 2017. This is not an accident but reflects clear efforts to maintain control—which further reduces intensity, as expected. All in all, this evidence is closely in line with expectations.

Maschmeyer concludes:

The course of cyber conflict in, and against, Ukraine by and large demonstrates its expected limitations and underlying trade-offs. Meanwhile, the exceptional cases are not fatal to the theory. Rather, they illustrate the importance of facilitating conditions, namely physical access to infrastructure (via conquest), the availability of insider angles, and the potential for learning. Trade-offs remain, but actors can find ways to alleviate them by exploiting the way the physical and virtual worlds are intertwined. Insider angles offer one way to speed things up, for example. Why go through the time-consuming process of identifying technical vulnerabilities and developing exploits when you can also bribe or blackmail your way in? Cyber conflict is a constant struggle between intelligent agents who aim to subvert each other’s systems in creative and cunning ways. As participants evolve, so does the activity—but the fundamental trade-offs involved in the process of exploitation and manipulation remain. That means cyber operations are likely to retain their limitations as instruments of power even as actors strive to improve their tradecraft and skills.

Consider the case of learning. Hacking groups learn and improve. But so do defenders. There is a strong case to be made that the absence of more severe cyberattacks in Ukraine is primarily due to the skills acquired by its network defense teams after being subjected to regular cyberattacks for close to a decade. This may well be the most visible, and measurable, cumulative effect of Russia’s decade-long cyber campaign against the country.

Finally, the case of Ukraine illustrates not only the limitations of cyber operations but also the relative superiority of old-school means of subversion. In contrast to prevailing expectations around the unprecedented effectiveness of cyber operations as low-intensity means of power, as I show in the book, traditional subversion achieved far more strategically relevant outcomes for Russia—such as the 2014 takeover of Crimea, a massive sabotage operation destroying Ukraine’s artillery ammunition stockpile, or the capture of the Chernobyl nuclear ruin in the early hours of the invasion. Cyber operations offer a new way to implement strategies of subversion, but they do not upend its role in world politics.