Why Russia Won't Launch a Full-Scale Cyberattack in Ukraine

This story came from Motherboard, our tech website. Read more at Motherboard.tv. Photo courtesy of Wikimedia Commons

Back in the 6th century, Chinese military general Sun Tzu laid the foundations for information warfare, a broad, holistic aspect of conflict that would later grow to include propaganda and cyberwarfare. “Engage people with what they expect; it is what they are able to discern and confirms their projections,” wrote Sun Tzu. “It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment—that which they cannot anticipate.”

Fifteen centuries later, security expert Keir Giles made reference to this Sun Tzu quote in his recent ArsTechnica op-ed about Russia's information warfare tactics in Ukraine and Crimea. Keir hoped the editorial would help people understand what Russia has been up to on the cyber front, centering on the argument that even though Russia hasn't yet staged “high-profile, public” cyberattacks in Ukraine, the region is in the midst of an information war as much as a military occupation.

“If it's the Russian view we are talking about, then it would be fairer to say that cyberwarfare is just one technical facilitator of information warfare,” Keir told me. “It is the information itself that is important, and cyber capabilities are just the technical ability to manipulate it. Information warfare is a vastly more holistic concept than cyberwarfare.”

Keir noted that the Russians are, among other things, planting false information. “On March 1 Russian media reported that Dmitry Yarosh, the leader of Ukraine's Right Sector group and a particular target for Russian criticism, had made an appeal through social media to Islamist insurgent leader Doku Umarov,” wrote Keir. “Yarosh wanted Umarov to support Ukraine by attacking Russia. Yarosh claims this is not the case and that the appeal was planted after his account was hacked.”

When I asked him about the other ways Russia is using false information, Keir said to just look at any Russian news bulletin, and pointed to a US State Department fact sheet titled President Putin's Fiction: 10 False Claims About Ukraine. Computer and network security researcher Marcus Ranum, who has written and spoken extensively on information and cyberwarfare, calls Russia's tactics something else: “battlefield intelligence plus net-centric warfare.” A mouthful, to be sure, but instrumental in making sense of Russia's cyber-based intentions in Ukraine.

“‘Net-centric warfare’ is a catchall for ‘cleverly using computers in a battlefield environment,’ i.e., getting drone video down to troops in the field, using cell phone detectors to locate IEDs, etc.,” said Marcus. “It's really ‘IT applied to the military’ in a general sense. The issue is that it's often conflated with ‘cyberwar’ or ‘information operations’ for budgetary reasons.”

Marcus calls net-centric warfare the “cloud computing of military IT”—it can be whatever people want it to be. The only necessary ingredients are computers, data, and above all, a budget. But Marcus doesn't consider it a great innovation. “In reality, this stuff is all just battlefield intelligence,” said Marcus. “It's just a faster point along the progression from messenger to carrier pigeon to telegraph to observation balloon to satellite.”

Subtle, net-centric information warfare instead of an all-out cyberattack (like Stuxnet) might actually be Russia's tactical approach in Ukraine. If Russia launched a full-scale, public cyberattack against Ukraine, it would be politically messy and might trigger military retaliation. Marcus believes that this is something Putin wants to avoid. “It's the issue of retaliation that makes the ‘big frame’ cyberwar less likely and closer to impossible,” he noted. “In order to do this stuff, you need the political top-cover to survive the fallout that would inevitably result.”

For the moment, Putin's Russia seems content just gathering intelligence in low-intensity cyberattacks. “Putin is (rightly) trying to avoid having the situation go military,” said Marcus. “He learned a lesson in Georgia: When you have zero-length supply lines and overwhelming power, there is no need to act quickly or precipitously.”

Marcus also pointed to a cyberwar dynamic that doesn't seem to get a lot of play, at least not in the media. While the military might want the power grid taken down (Stuxnet-style), cyber spies will counter that this will put their intelligence-gathering efforts at risk. Applying this to the Russia vs. Ukraine standoff, one quickly realizes that Putin can only go so far with Russian cyberwarfare. It's far better to operate in the shadows—a principle that applies both to traditional spycraft and cyberattacks. Big and bold isn't necessarily efficient or effective.

Keir believes that Russia's “brute force” DDoS attacks against Estonia and Georgia are no longer necessary. Current cyber tools allow states to do other things, such as deploy the intelligence-gathering virus Snake, which, according to Keir, is popping up in Ukraine and elsewhere. Publicly bold cyberattacks would, as Keir suggests, also risk “alienating or inconveniencing the Russian-friendly populations in Eastern Ukraine.”

Marcus, on the other hand, comes to quite another conclusion about the recent history of Russia's cyberwarfare tactics. “The cyberattacks against Estonia really accomplished nothing,” Marcus said. “They were annoying and made the Estonian government look a bit less competent for a short while. But so what?” (As Keir noted in the op-ed, the first attack “definitively linked” to the Russian-Ukraine conflict came on March 1, a day after Russian ground forces occupied Crimea.)

While Keir might be correct when he suggests Putin learned that subtle cyberattacks could be more effective than DDoS attacks in an information warfare campaign, Marcus understands that cyberattacks only get states so far. “Sure, there may be hacking taking place, but who cares,” added Marcus. “When you've got loads of guys with guns running around, military ships blockading missile boats in their ports, etc, the computer-based activity is going to have to have some amazingly powerful leverage (almost inconceivably powerful) to be able to affect the end situation in the slightest little bit.”

In other words, as with traditional intelligence-gathering and information warfare, conflicts aren't going to be resolved on computer networks via full-scale hacks. Even if it becomes a full-scale shooting war, the Russia-Ukraine resolution will ultimately be diplomatic. Of course, hacked intelligence and cyber-based false information will factor into diplomacy, but it won't be the whole story. In that respect, not much has changed since Sun Tzu's time. Information warfare, and its branch of cyberattacks, is but one aspect of a conflict or war. Sun Tzu knew it, and Putin knows it. It's one tool in a much bigger foreign affairs arsenal.