Is cyberwarfare not as scary as we feared?


Does mutually assured destruction mean cyberwarfare hasn’t taken as big a toll on us all?

When Russia invaded Ukraine in late February, the consensus view was that the battle would soon be over. Russian invasion forces would run rampant through Ukraine, making significant ground along the way, and taking the capital, Kyiv, in a matter of days.

There was also an assumption that alongside the physical invasion, there’d be an equally speedy attack in cyberspace that would result in the capitulation of Ukraine almost immediately. The whole thing was meant to be over in a matter of days, and the cyberwarfare was due to be all-encompassing and conclusive.

Almost three months on, both sides are still fighting the war – and the ballyhooed cyberwar that we expected didn’t happen. What ended up happening?

False promises

“Cyber operations did not replace the military invasion, and as far as we can tell, the Russian government has not yet used cyber operations as an integral part of its military campaign,” say Nadiya Kostyuk, assistant professor of public policy at Georgia Institute of Technology and Erik Gartzke, professor of political science at the University of California San Diego. Their research suggests that the much-feared doom mongering that we thought was likely to happen in a cyberwar didn’t happen for a number of reasons.

“Cyber operations are most effective in pursuing informational goals, such as gathering intelligence, stealing technology, or winning public opinion or diplomatic debates,” they say. “In contrast, nations use military operations to occupy territory, capture resources, diminish an opponent’s military capability, and terrorize a population.” Using this argument, they say that total destruction was never likely in cyberwar.

However, both sides have been trying desperately to take the other offline, a recognition of the importance of the internet and cyber operations to each country’s continued existence. But they also know that cyber strikes have replaced nuclear bombs as a weapon that needs to be judiciously used.

Mutually assured safety

It has many echoes of the cold nuclear conflict that typified the decades between the 1950s and 1990s, when the Soviet Union and the United States both had huge volumes of nuclear weapons but decided not to use them against each other. They knew that both held such power that using them would cause a similarly destructive retaliation.

In theory, it seems possible that one or both sides could easily take the entire internet and IT technology offline with the press of a button. But they don’t do that – instead, they try to degrade the other party through more minor attacks, deliberately not going for the ‘nuclear’ option.

So far, the Ukraine-Russia war has been one of the lots of fears, which aren’t always followed through. In the early days of the conflict, there were worries that international institutions and countries could get caught up in cyberattacks. The UK’s National Cyber Security Centre warned organisations to improve their cyber defenses; around the same time the Cybersecurity and Infrastructure Security Agency cautioned companies that provide services to US armed forces to be conscious of incursions. It was also around this time that the European Central Bank also warned against cyberattacks.

There are suggestions that things could heat up in the coming weeks and months as Russia becomes frustrated with its lack of progress on the ground, instead turning cyberspace into a scorched digital earth.

“We should prepare for the worst and operate at our best,” said Theresa Payton, cybersecurity expert and former White House chief information officer. But while it’s always a risk to count your chickens before they’re hatched, to date, the fear of cyber destruction has been greater than the reality of it in this conflict.