Russia-Ukraine conflict forces DOD to revise assumptions about cyber’s impact in war
Russia’s invasion of Ukraine in February 2022 — and the subsequent year-and-half of combat — has made the Pentagon rethink the role cyber will play in war, namely, that there won’t be immediate payoff of effects.
While many government officials and cybersecurity experts have all acknowledged Russian missteps and flawed assumptions going into the war — to include how their application of cyber in the conflict underperformed — the Department of Defense has observed that cyber operations will not have the role previously thought.
“Cyber has an important role to play in conflict, it’s just not the role that I think we expected it to play at the outset of Russia-Ukraine. But we do expect cyber to play a significant role in a conflict, but it would not be a cyber by itself,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy, told reporters Friday during a Defense Writers Group meeting. “One of the things that we have learned here is that the kinetic conflict is different than what we expected cyber to do on its own.”
The DOD’s 2023 cyber strategy, unveiled last week, notes that cyber capabilities by themselves are unlikely to deter adversaries. Rather, they are best used alongside other instruments of national power.
“I feel like this document in particular, reflects a lot of thinking that’s changed in the Department of Defense as we deepen our understanding of cyber’s role in armed conflict. And the hypothetical versus the real of what has occurred in Russia-Ukraine I think really underpins a lot of what we’re doing here … I think that we are recalibrating how we think about cyber,” Eoyang said regarding the new strategy, which was the first update since 2018.
The strategy also broadly outlines other changes such as how the department works with the private sector to better defend networks and the increased work with foreign partners.
The DOD for years has believed that cyber will be a part of conflicts and has worked to create mechanisms and organizations to integrate digital operations into the planning cycles alongside the traditional domains of war. Indeed, Eoyang in the past has suggested that the Russia-Ukraine conflict has forced the department to think differently about cyber.
But, she made distinctions between the Russian approach in Ukraine and how the U.S. military seeks to utilize cyber in conflict, saying it comes down to control and planning.
“For us in the Department of Defense, we’re going to optimize for control because we believe in precision across a wide range of things. That means that for us to make sure that things are impactful, it’s going to take some planning. I think it is interesting to assess Russian activity in this conflict and thinking about the factors of timing for them,” she said. “Cyber is not a tool that is a responsive to battlefield conditions. If you’re seeing it on the TV and ask for ‘the cybers’ to address that thing … it’s unlikely there’s going to be much that is impactful to deliver at that time. It takes a significant amount of planning to do that or do that well, or you risk what Russia experienced in NotPetya, which is spillover and unintended consequences that are beyond what you anticipated and can be rebounded and be harmful for yourself.”
NotPetya was a ransomware incident in 2017 in which Russia sought to inflict harm on systems in Ukraine, but the effects unintentionally spilled out into other parts of the world and caused significant damage.
Eoyang said one of the observations from Russia’s experience in Ukraine was the importance of integrating cyber alongside other facets of military operations, adding “that’s a matter of planning, patience, things like that” and “I think we do worry about the relative strategic patience of the parties there.”
Cyber ops take a long time to plan in order to be successful. Parties must first gain access to a system — which can be time consuming — and then map out that network to discover any vulnerabilities while also understanding what effect they want to have without unintended consequences. Moreover, the pace of war moves much faster than the so-called “gray zone” competitions short of armed conflict in which much of the malicious cyber activity has taken place to date.
Eoyang detailed some assumptions going into the Russia-Ukraine conflict that didn’t come to fruition.
“Certainly, I, but I think others, assumed that the disruptions to communications via cyber would be much more severe and have a much more strategic impact on Ukraine’s ability to fight than it did. Ukraine’s ability to be resilient and its will to fight surpassed those disruptions,” she said. “But I think we expected based on what we understood and understand to be Russia’s capability in cyber, a much more impactful and integrated series of cyber incidents, malicious cyber activities, happening on the battlefield.”
Regarding other lessons the conflict has taught the DOD, Eoyang noted the criticality of cloud migration.
“We saw the importance of cloud migration during this conflict. The ability of Ukrainians to move their data extra territorially but still maintain access to it, was really important,” she said.