One hour before its troops invaded Ukraine, Russia launched a cyber attack against satellite internet company Viasat, disabling most of its European network. Ukraine's military communications were temporarily crippled.
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
Since the Viasat attack, Russian cyber operations have been persistent but less successful. Many of its cyber activities - like knocking Ukrainian websites offline - have attracted publicity but caused only temporary disruption. Other attacks have been thwarted by Ukrainian cyber defenders.
As the war has become entrenched, Russia's focus has shifted to conventional more than cyber weapons. Efforts to choke Ukraine's energy supply before winter have mostly involved missile strikes, not keyboard strokes.
In short, Russia has failed to deliver a cyber coup de grace to Ukraine. Some commentators see this as proof that cyber operations are overhyped and won't feature prominently in future wars. This is a wrong, and dangerous, lesson to draw.
This conflict may well be this century's Spanish Civil War - a prelude to the innovations of World War II that gave an advantage to those militaries that cared to watch and adapt. On cyber, there are at least seven lessons worth learning.
Attack timing
First, cyber weapons aren't as physically powerful as conventional weapons, but this doesn't mean they can't be significant. The Viasat attack shows the strategic power of a well-timed cyber operation, especially during the fog and uncertainty of the pre-war phase.
Surprise cyber sabotage of military capabilities and their sustaining infrastructure is how future wars will start. During hostilities, an unexpected or undetected cyber operation can degrade a target and exacerbate chaos.
Second, cyber operations need to be tightly planned and coordinated. This is where Russia has fallen short - pursuing cyber actions that are out of step with air and ground actions. To avoid Australia making the same mistakes, the forthcoming Defence Strategic Review should give cyber operators a seat at the table where strategy is set and joint operations are planned.
READ MORE:
Third, cyber operations are emerging as a powerful way to coerce countries outside the battlespace. One of the few unwritten rules between the US and Russia is that this conflict shouldn't become a wider, regional war, at least not conventionally. Russia has turned to cyberspace to pressure NATO, with government and proxy criminal hackers disrupting critical infrastructure in Europe and the US.
In any future Taiwan contingency, we should expect China to use cyber attacks to subdue Taiwan, but also to hold at risk the home fronts of the US, Australia and others to keep them out of the fight.
Non-state hacktivists
Fourth, non-state "hacktivists" are likely an enduring feature of war, but their impacts have been overestimated. Russia's invasion triggered the biggest movement of digital foreign fighters in history. Anonymous and other hacking collectives have claimed attacks against Russian and Belarusian websites, but the impacts have been brief and irrelevant to Russian decision-making. At best, cyber showmanship can have a propaganda effect - in this case, reminding the world that Ukraine has the moral high-ground.
Fifth, there is a gulf between how authoritarian and democratic countries wield cyber weapons. The Viasat attack exemplified Russia's disregard for collateral damage - disrupting thousands of European organisations and stopping some 6000 German wind turbines from spinning.
Russia has also entered an unholy marriage with criminal hackers, who blend patriotism with personal gain. Australian officials must bring discussion of cyber offence even further out of the shadows, consistently demonstrating what a lawful and responsible approach looks like.
Choosing sides
Sixth, in future conflicts, multinational technology companies will be forced to choose sides. Soon after Russia's invasion, hyper-scalers Amazon, Google and Microsoft moved Ukrainian government networks to the cloud, providing cyber resilience. Other tech companies - from Cisco to IBM and Dell - withdrew from the Russian market, while social media and search giants limited or banned Russian propaganda.
Russia-Ukraine is a rare war where there's broad global consensus about who the bad guys are. Australian defence planners should have some anxiety about whether tech companies might choose a different side - or no side - in future conflicts.
Finally, cyber defence must start today. Ukraine's cyber defenders honed their skills over a decade of Russian cyber attacks against their government networks, electricity grid, elections and more.
Even still, Ukraine struggled to defend the digital parapets as Russia invaded, crowdsourcing cyber defenders via an online spreadsheet, and looking to the Five Eyes, European Union and global tech companies for support. For its part, Russia's lack of properly encrypted field communications has let Ukrainians pinpoint their military leaders and assassinate them.
Australia has invested heavily in cyber defence in recent years, but we still have a critical shortage of cyber professionals and no national incident response coordination mechanism in the event of a cyber crisis. Cyber security also needs to be more prominent in our defence procurement and sustainment decisions.
As part of the AUKUS partnership, Australia, the UK and US have agreed to collaborate on cyber defence capabilities for critical communications and operations systems. This commitment seems to have made less progress - and certainly gained less media attention - than submarines. But it is just, if not more, important.
Ultimately, as winter descends on the battlefield, both this war and the lessons we draw from it will continue to evolve. With victory on either side's terms looking increasingly impossible, it may develop in anarchic and dangerous ways. We should be prepared for more cyber surprises.
- Katherine Mansted is a senior fellow at the ANU's National Security College