Many longtime cyberwatchers predicted that the current war in Ukraine would offer a glimpse into the future of cyber warfare. They were correct—just not in the way envisioned. The harbinger of the future has not been a parade of paralyzing Russian operations against critical infrastructure and government services. Rather, if current indications are correct, a capable Ukrainian cyber defense points toward a very different outlook for competition in cyberspace. Specifically, it has highlighted the power of international and cross-sector partnerships in defending against the most sophisticated cyber actors. Although such partnerships are not new, something distinct may be occurring in the Ukraine case with implications for how states compete and organize national defense in cyberspace.
Observers of the war were surprised by the lack of Russian cyber effects, with some asking whether Russian operators even tried to show up to the fight. Although Russian cyber operations have seemingly produced fewer meaningful strategic, operational, and tactical effects than anticipated, this outcome certainly did not result from a lack of effort. Russian cyber operators have been targeting Ukraine for years (including a notable attack that disrupted Ukrainian electricity distribution in 2015) and were preparing for the current conflict throughout at least the previous year. The resulting cyber campaign began just before the invasion started in February of this year and has been executed by at least six distinct sophisticated threat actors using eight families of advanced malware capable of disruption and destruction. One in particular (Industroyer2) specifically targets operational technology equipment used in physical industrial processes, such as those involved in electricity distribution. Thus far these operations have targeted at least forty-eight distinct Ukrainian public and industry organizations, including critical infrastructure operators and service providers.
Despite this effort, the effects of these operations appear to have been limited. There are certainly some exceptions, including one noteworthy success in disrupting thousands of Viasat terminals (in Ukraine and beyond) an hour before the invasion commenced. Generally speaking, however, Russian cyber operations have largely failed to pay off on the investment made in resources, people, and time. For instance, despite advances in capability and significant preparatory operations, an attempt to repeat and expand their previous successful attack against the Ukrainian electricity grid failed this time around.
At the same time, Ukraine appears to have had an unexpectedly high and growing number of cyber defense successes. The electricity grid operation failure noted above is not unique. Ukraine has effectively resisted or been resilient to a range of sophisticated Russian operations, from destructive industrial-control-system attacks to intelligence-collection infiltrations. Experts from both industry and academia point to Ukraine’s cyber defense as “the primary reason why Russian cyber efforts have had limited effect.” If true, the success of an apparently weaker state against one of the world’s top offensive cyber powers in a domain where offense has long been assumed to be far easier than defense requires explanation.
A web of partnerships
A number of factors have probably contributed to the success of Ukraine’s cyber defense efforts, but chief among these appears to be partnerships. Although cybersecurity partnerships are not new, success is often elusive and limited. In Ukraine’s case, Kyiv has effectively partnered with numerous capable entities across international, industry, and government lines at the operational level (where the business of cyber defense happens). As a result, Ukraine has been able to leverage an operational partnership web that allows dynamic alignment of disparate technical capabilities, expertise, and authorities for collaborative threat visibility and defensive action.
For instance, Microsoft provided successful defense assistance to Ukraine by both building working connections to Ukrainian cyber defenders, as well as mobilizing its own relationships with other industry and government partners. In one illustrative example, Microsoft observed a Russian GRU (Russian military intelligence) operation in progress, quickly relayed details to the Ukrainian targets to enable their own internal defensive response, and then worked with US Department of Justice partners (a relationship originally built to take down botnets) to gain legal authority to shut down the attack source domains.
Separately, teams composed of US soldiers from US Cyber Command and civilians from American companies deployed prior to the invasion to help prepare Ukrainian defenses. They built working relationships with Ukrainian infrastructure operators, which helped to prevent attacks on the most critical systems—from railroad infrastructure to border control networks. In several cases, they leveraged relationships with private cybersecurity firms and other government entities to provide defensive solutions tailored to the threats they found.
In these cases (and others), successful defense relied on dynamically aligning technical capabilities, expertise, and legal authorities that are internationally distributed across different public and private entities. This ability to collaboratively see and act in a common cyber defense was enabled by a distributed web of operational partnerships between states, between companies, and between governments and private firms.
If initial indications are correct, the Ukraine case holds several important implications for defense in cyberspace. First, the assumption that offense has the advantage over defense in cyberspace appears to be on shakier ground. Although a handful of scholars have rightly questioned the foundations of the idea of offense dominance in cyberspace, they are very much in the minority; offense dominance is the conventional wisdom in cyber scholarship and policy. As one scholar noted, “unknown vulnerabilities, unpredictable threats, complex defense surface, and supply chain risks add up to costs that far outweigh those of offense.” Ukraine may be the first real-world example of this idea’s fragility at a broad campaign level. As a recent report on Ukraine concluded, “these cyber defenses have proven stronger than offensive cyber capabilities.”
Second, the Ukraine case further opens the door to the potential of denial strategies in cyberspace, though not as traditionally considered. Ukraine’s cyber defense, facilitated through partnerships, involved better-informed traditional cybersecurity activities within targeted systems, as well as defensive actions beyond firewalls. If replicated elsewhere, this would likely expand the range of areas where the cost of pursuing targets for offense outweighs its potential gain (denial strategies can both increase costs and reduce gains in an adversary’s calculus), particularly into areas where current deterrence falls short (primarily activities judged to be below the threshold of armed conflict).
Finally, the Ukraine experience extends a lesson from other domains into cyberspace: how the capabilities are organized and used in combination matters as much or more than the characteristics of the capabilities themselves. Investment in cybersecurity continues to grow; yet the number of successful sophisticated hacks that threaten critical systems continues to rise. A key challenge is that these individual investments in cyber defense technology and people are fractured within and between different states and public and private organizations. Organizing these investments to operate in collaborative defense has the potential to counter sophisticated actors whose cyber campaigns often rely on exploiting these fractures. This further implies an important take-away from this case: those states with the ability to develop, organize, and leverage operational international and cross-sector partnerships will have a significant comparative advantage over those with weaker partnership options and capacity.
Looking beyond Ukraine, these implications suggest the need to refine approaches to international and cross-sector cybersecurity partnerships. First, the United States and its allies (public and private) should consider a revised partnership strategy that focuses on building a thick web of relationships among disparate capable actors (domestic, international, government, industry, civil society, etc.). Leveraging insights from previous partner-building efforts to expand operational interconnections and enable others to do the same would help mitigate the uncertainty of cyber risk and provide increased adaptability in threat visibility and mitigation. Such a strategy would also place greater emphasis on two partnering lessons that are often addressed individually: the need to have both leadership buy-in and involvement, as well as the need for operational-level engagement. Without leadership buy-in, operators must contend with limited resources and scope of authority. Without pushing interactions below the c-suite and e-ring to the people conducting the actual business of cyber defense, partnerships are more executive chatter than action.
Second, developing greater integration of effort across these partnerships would seem to be a critical parallel effort. Although often driven by individual organizational interests, varying degrees of common interest in cyber defense exist to enable collaborative interaction for mutual benefit. Investing in strategic and operational focal points for collaboration has already proven useful where they exist and would provide ready platforms for cross-community sharing, collaborative analysis, and alignment of effort.
Finally, steering cybersecurity technology development to facilitate this approach would help amplify its effects. New technology solutions should enable easy (where possible, automated) exchange and coordination among organizations with distinct interests, resources, and requirements (as well as trust, policy, and legal demands). One ongoing project, for example, performs large-scale real-time anomaly detection while meeting the various privacy requirements of multiple participants.
Although it is still too early to make comprehensive assessments of cyber conflict in Ukraine, the lessons drawn from the partnerships involved in defense will most likely affect future cyber competition. Cyberwatchers should be closely observing the Ukraine case to discern how these partnerships are developed, how they operate, and what influences their effectiveness. The insights revealed may enable policy makers to reduce the risk of cyber attacks where it matters most and provide comparative advantage to those with the greatest partnership capacity.
Sean Atkins is an active duty Air Force officer currently serving as Department Chair of the Joint All Domain Strategist program at the Air Command and Staff College. He holds a PhD in Political Science from the Massachusetts Institute of Technology.
The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the US Air Force, Department of Defense, or the US government.
Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.