Argument

An expert's point of view on a current event.

Learning the Right Cybersecurity Lessons From Putin

Does Russia’s restraint in Ukraine so far confirm that the digital domain isn’t especially useful for warfighting?

By Christopher Whyte, an assistant professor at Virginia Commonwealth University.
Russian President Vladimir Putin addresses the United Nations General Assembly in New York City on Sept. 28, 2015. John Moore/Getty Images

What’s interesting about the digital dimensions of the ongoing conflict in Ukraine thus far is the fact that events seem to bear out much of what cybersecurity scholars have said for years about the utility of cyber-instruments for enhancing state power. As the cybersecurity expert Jason Blessing put it, there was no Russian “cyber blitzkrieg,” and it’s unlikely there will be anything of the sort, at least according to prevailing thinking about cyberconflict. That’s because cyber-instruments just aren’t good tools for controlling escalation or affecting the battlefield.

Yes, the war and Russia’s reaction to global sanctions will likely dictate a new phase of heightened digital insecurity in international affairs as Moscow tries to relieve pressure on its sanctioned economy and signal displeasure with Western support for Ukraine. Indeed, the Biden administration this week appears to be predicting just that. But, as scholars have been quick to expound, the strategic utility of using cybertactics in Ukraine in support of the invasion itself just wasn’t there. Cybertools produce only temporary victories and so aren’t all that good for direct coercion. And an expected quick victory on Russia’s part took sophisticated cybertools off the table immediately by the logic of “don’t break what you’re about to buy.”

Unlike Stuxnet or the 2020 hack of the software vendor SolarWinds, the cyber-events surrounding this conflict seem to be good news for cybersecurity researchers who have long expected this kind of restraint in cyberspace surrounding crisis conditions. The technical features of the digital domain, many argue, lend themselves to efforts aimed at shaping favorable conditions in international affairs but not particularly to those activities we would usually think of as warfighting.

This emerging consensus position is highly defensible. That said, it’s important that we exercise caution as we look to learn from the digital dimensions of this conflict thus far.

In particular, cybersecurity scholars would do well to remember that this war is perpetrated as much by the inner machinations of Vladimir Putin’s regime as it is by nationalistic forces or geostrategic context. Several features of the crisis suggest that the peculiarities of the Russian state’s security apparatus may have played substantially into decisions on whether or not to deploy cyber-assets.

One such moment of the crisis came just hours before Russian tanks rolled across Ukraine’s eastern border, as Putin sat a great distance from his top officials in a grand Kremlin chamber and virtually dared them to offer alternative opinions on his suggested course of action. During this bizarre televised session, officials representing both military-intelligence and civilian wings of government answered questions awkwardly as if attempting to walk a fine line between loyalty and command of the facts. One of those officials, the head of Russia’s principal intelligence agency, the Federal Security Service, is now under house arrest due to his supposed ineptitude vis-à-vis gauging the capacity of Ukrainian forces to resist invasion. Other intelligence and military officers appear to have been similarly relieved of their duties.

In the context of the loyalty regime that so clearly characterizes the top of the Russian government, the disconnect between the machinations of Putin’s office and those of state security services may have played a substantial role in dictating how cyber-operations were used in the lead-up to invasion. Cybersecurity analysts have already suggested that the logistical mess and operational uncertainties surrounding Russia’s conventional military buildup likely made it hard for cyberforces to plan out augmentative operations for the conflict’s early stages. At the same time, the strong incentive that Putin’s top advisors felt in reinforcing the idea that a lightning Russian strike might succeed in toppling the government in Kyiv clearly created the propensity for intelligence politicization.

Even given a poor view of the inner workings of the Russian government leading to invasion, these conditions suggest a powerful case that cybersecurity experts and Western strategists should be careful about generalizing from current events. If the lack of a Russian “cyber blitzkrieg” does result from intelligence politicization and the culture of petrostate politics, then the cyber-activities we are observing may be as much a product of entrenched doctrine and strategic culture as they are an expression of Russian views on the utility of cyber-operations for coercion and for prosecuting conflict. Such a takeaway from recent events is incredibly significant for those who will plan for future conflict. Even if most cyber-activity is likely to be driven by the techno-strategic assumptions researchers have articulated in recent years, the dysfunction of an authoritarian government operating under crisis conditions is exactly the place we might expect exceptions to the rules to be concentrated.

Another point worth considering here comes from the nonstate contest surrounding the war. Perhaps counterintuitively, what we’ve seen so far in the employment of nonstate talent, capabilities, and infrastructure on both sides actually strengthens the argument that parochial context is shaping cyberconflict as much as techno-strategic considerations. Take the recent leak of internal chat logs and other documents from Conti, a major ransomware gang that operates out of Russian IP space. For many commentators, this leaked data shows a fascinating case study of organized cybercrime, replete with extreme hacker behaviors—including internal subcultures characterized by misogyny, racism, and unusual pop culture obsessions—and a surprisingly boring business support environment (as in, criminals also retain accounting professionals and staff human resources departments).

What the Conti case also shows, however, is that cyber-assets—including criminal gangs that have been employed by Russia for years—may have been absent in the early days of the Ukraine conflict because internal political confusion prevented their effective deployment to augment Moscow’s military effort. Leaked logs clearly demonstrate that gangs such as Conti are motivated by blended economic and political interests. Russia’s permissive attitude toward cybercrime is not just a recognition of the value of such activities for degrading and disrupting Western competitors; it’s also a result of kleptocratic stakes in the proceeds of criminal enterprise and clear ties to Russian intelligence.

Consider the following. Just hours following the invasion of Ukraine in late February, Conti took the step of posting a message of full-throated support of the Russian government to its website. This was unusual, as that site had principally existed, up until then, to name and pressure the gang’s victims. What followed was even more unusual, however, as the gang altered and moderated that message just days later. According to leaked files, it appears that certain employees of the gang objected to Putin’s actions, likely prompting leadership to try to calm the internal situation. Clearly, given the subsequent emergence of so much leaked information, this attempt failed. And the story doesn’t end there. At this juncture, the gang’s boss, who goes by the name “Stern,” disappears. Then, days later, Conti deputies finally contact employees to temporarily shutter group activities amid apparent financial strain and ongoing leaks of internal communications and even source code.

Prior to the outset of war between Ukraine and Russia, experts would likely have been quick to consider proxy nonstate actors—often labeled “semi-state actors”—cultivated by the Putin regime going back two decades as useful tools. As such, it might be tempting to simply apply the logic of cyber-instruments as poor tools of conflict prosecution to explain the relative quiet of pro-Russian nonstate proxies to date. That works if we can assume that criminal gangs and patriotic hackers are faithful—though distantly connected—agents of Russian national security interests. But Conti’s inaction seems not to have stemmed from strategic restraint so much as parochial politicking.

And all this is to say nothing of the example of incredible efforts by pro-Ukrainian digital guerrilleros, hundreds of thousands of individuals from Ukraine and beyond who have worked both independently and with the “freaks” of Kyiv’s Ministry of Digital Transformation to score unforeseen disruptive hits against Russian media, infrastructure, and political institutions. In a development that even few cybersecurity specialists would have predicted, these efforts have demonstrated that popular resolve can produce tangible cybercapacities relevant to foreign-policy calculations, even if such contributions are more about shaping favorable conditions off the battlefield than on.

Clearly, scholars and practitioners alike would do well not to forget the micro-foundations of cyberconflict behaviors. On the one hand, there exists sufficient evidence to think that internal political machinations and culture in Moscow dictated Russia’s minimal use of cybertactics in Ukraine. On the other, the odd juxtaposition in the effectiveness of nonstate actors—i.e., a noteworthy pro-Ukrainian groundswell of active cybersupport and an oddly stuttering response from Russia-affiliated actors often thought to be among the most dangerous in the digital world—has shaped an unexpected dimension of Putin’s war that has real foreign-policy relevance. These nonstate developments, in particular, would have been hard to foresee using arguments that center on the utility of cyberweapons alone. As such, the message here is simple. General principles about the practicality of cyber-operations only tell us what is likely. Parochial political, social, and institutional contexts determine what transpires.

Christopher Whyte is an assistant professor in the homeland security and emergency preparedness program in the Wilder School of Government and Public Affairs at Virginia Commonwealth University.
