Drone Attack Hits Kyiv

Firefighters respond to a drone attack on Kyiv in October, 2022. (Photo by Paula Bronstein /Getty Images)

WASHINGTON — Russia’s failed cyber “blitzkrieg” in Ukraine has turned into a long slog that puts a premium on adaptability, resilience, and the will to win, one of Kyiv’s top cybersecurity officials told US audiences on a recent tour. And the strategic lesson for the US, several independent experts said, is that this kind of drawn-out cyber conflict is a more likely model for future wars than the sudden-death visions of a “cyber Pearl Harbor” or “cyber 9/11″ predicted by US officials for over a decade.

Ukrainian networks and their defenders, with extensive Western help, have proven resilient under brutal pressure. “We’ve learned how to use all these tools and techniques in critical circumstances, when sometimes there’s no electricity, there’s no communication, when your city is about to be surrounded, when you [are] under missile attacks or under shelling,” said Illia Vitiuk, who heads the cyber department of the Security Service of Ukraine (SBU in Ukrainian). “Sometimes you try to reach the system administrator of the ministry that is under cyber attack, but he’s not here: He disappeared because needed to take his family out of Bucha.”

The Russians weren’t counting on this kind of resilience, said Vitiuk. “They, of course, hoped this was going to be a blitzkrieg, and so they used most of their aces they had in their sleeves just before the invasion,” he told the RSA conference in San Francisco on April 25. That first wave of efforts included “defacing websites, stealing data, wipers and lockers, [and] a vast disinformation campaign.” Russian cyber attacks have ebbed and flowed since, but they never again reached the intensity of January-April 2022, according to Google Cloud’s Mandiant, which has provided extensive assistance to Vitiuk’s team.

It’s a long struggle and far from over, Vitiuk told a Billington cybersecurity forum earlier in April: “If you have 12 rounds in a boxing match…we are in probably round eight now.”

It’s early days to draw sweeping conclusions from the war in Ukraine, warned several experts. “People need to be very, very patient,” said National Security Archives scholar Michael Martelle at a recent Atlantic Council panel. Analyzing Ukraine now, he said, is like analyzing World War II in 1943, when it was still a closely guarded secret that the Allies had broken the German and Japanese codes.

But it is already evident that Russia has failed to land a knockout blow, both on the ground and in cyberspace. That contradicts widespread expectations that cyber offense is stronger than defense and that a sophisticated nation-state could paralyze a target’s networks.

“There’s been sort of this assumption, especially at the beginning of the current war, that there’s just going to be this massive, disruptive, decisive round of disruptions,” Martelle said. “The term ‘cyber Pearl Harbor’ just won’t die, even though it really needs to.”

If you want a World War II Pacific metaphor, Martelle suggested, a better one is the prolonged US submarine campaign that slowly strangled Japanese supply lines, one torpedoed transport at a time. There were no big, dramatic battles like Pearl Harbor or Midway, but rather, he said, “an aggregate, cumulative degradation … at a scope that I believe cyber is actually very well suited for.”

“Martelle’s analogy … with submarine warfare is pretty good,” agreed David Fahrenkrug, who teaches cyber warfare at Georgetown University and has cyber experience inside the Pentagon and Air Force. Like a submarine, a cyber attacker that reveals its presence to attack becomes vastly more vulnerable. “What we can do with cyber power is we can disrupt communications — but not for long periods of time,” Fahrenkrug told Breaking Defense in a recent interview. “You’re relying on stealth to make your effect work, and once they detect you, you’re shit out of luck.”

Illia Vitiuk 3bb261709962e9236a9cf236f0c5b9b9

Illia Vitiuk, Chief of the Cyber Security Department, Security Services of Ukraine (Ukrainian SSU photo)

“People have expected that there’s no limit to what you can do with cyber power: You can hack into any system, collapse that system, and create catastrophes,” Fahrenkrug said, likening the apocalyptic visions to early 20th century advocates of strategic bombing. “The parallel is Douhet imagining if you simply bomb cities then the countries are going to give up. There are deeper mechanisms of resiliency.”

So Fahrenkrug, like Martelle, doubts that a Pearl Harbor-esque blow is likely in the digital world. “What is the ‘decisive battle’ that takes place in cyberspace?” he wondered aloud. “I don’t think it exists.”

“The Paradox Of Cyberspace”

“The paradox of cyberspace,” said Fahrenkrug, is that any given node — a server, a router, a user’s laptop or phone — is highly vulnerable, but when its tied together in a overall network, a system can be incredibly resilient. That’s because the nature of networks is to be decentralized and redundant, with multiple nodes and pathways — and because civilian investment has created a thriving ecosystem with multiple options for most services.

“If you want to suppress an adversary’s communication networks, you have to hit lots of positions and nodes nearly simultaneously,” Fahrenkrug said. “That is a very difficult operation to pull off and requires significant planning and coordination and exquisite timing.”

Consider the Russians’ greatest single cyber success: their Feb. 24 attack on the Viasat satellite communications network, which disrupted users in 55 countries, from multiple Ukrainian security and military agencies — the obvious target — to German wind turbines. Hundreds or thousands of modems had to be physically replaced. But Elon Musk’s SpaceX soon offered its Starlink service, which has become the digital backbone of Ukrainian forces despite Russian attempts to jam it.

While Ukraine was able to recover from the Viasat hack, “it wasn’t that Viasat itself was specifically resilient,” noted Jamil Jaffer, a former Hill and White House staffer who now heads the National Security Institute at George Mason University. “It was that there was another capability — in this case, Starlink — that was brought to bear, with the spending of a lot of money by multiple governments and industry.”

“That’s not always going to be the case,” Jaffer warned. “There are some capabilities that are not immediately replaceable, because while fragile capabilities are an Achilles’ heel, having fully available backup capabilities can get very expensive.”

Despite these vulnerabilities, Jaffer told Breaking Defense that he, too, was skeptical of the possibility of a digital knockout blow. “In my view, a cyber Pearl Harbor is less likely than a war of attrition in the cyber domain,” he said. “To the limited extent that deterrence is actually working in the cyber domain, I think the major nation-states that could pull it off recognize that an attack that has massive consequences would result in some significant form of retaliation.”

That doesn’t mean cyber weapons will never become decisive, Jaffer warned. “I like Martelle’s analogy of early days of submarine warfare, although I’m not sure it’s completely accurate,” he said.  “As there, the use of cyber here opened up a new domain of operations, and while it may have been initially inconsistent and hard to coordinate with other arms, it grew much more effective over time.” Like subs and planes, he argued, “cyber is and will be a component of warfare going forward and will be a key part of a combined-arms, joint-force effort.”

That cyber attacks aren’t apocalyptic on their own hardly makes them useless. Cyber cannot physically destroy a target the way a bomb can, Martelle argued, but it can gather intelligence and help locate targets for physical attack, as with Russian officers slain after Ukrainians geolocated their cellphones. “Cyber is not going to be the best tool… to permanently break things or to kill people,” he said. “The most efficient use of computer network access in a shooting war is to provide targeting support to kinetic strikes.”

That kind of support to conventional operations, in fact, is a lot of what Vitiuk says his unit is now doing. Ukrainian hackers tap into security cameras behind enemy lines to spy on Russian troop locations, he said, while ordinary citizens — some in occupied territory, acting at great risk to themselves — can download an app to report enemy movements and precise locations of potential targets. Even Ukrainian cyber criminals have volunteered data stolen from Russian networks.

“You don’t need to pay them, you don’t need to force them,” Vitiuk said. Allied support from Western governments and companies has been essential, he said, as has Ukraine’s hands-on experience of fighting Russian hackers since the initial invasion of 2014. But first and foremost, he said, “is our unwavering will to win — because we had no other options: We need to protect and save our country.”