Lessons observed from the war on Ukraine

Russian cyber and information warfare in practice

Russia’s full-scale invasion of Ukraine in February 2022 confounded many expectations about Russian military capabilities and Ukrainian resilience – including in the cyber and information aspects of the war. This paper examines Russia’s deployment of cyber and information operations against Ukraine, assesses the effectiveness of Ukrainian responses, and outlines potential lessons for other states.

Many factors contributed to the failure of Russian cyber and information operations to achieve their intended effects. Ukraine had a long time to familiarize itself with its opponent’s methods in the eight years since Russia’s seizure of Crimea and parts of eastern Ukraine. Russia also badly misjudged Ukrainian resilience, failing to anticipate its adversary’s resourcefulness and whole-of-society approach to mobilizing formal and informal resistance. Crucially, too, Ukraine received – and continues to receive – substantial support from tech firms in the West.

Other states looking to learn from the Ukrainian experience should consider, among many factors, the need to be pre-emptive in detecting and monitoring threats, and to ensure that national defence strategies take full account of the interdependencies between different types of Russian operations. There is also a need to review closely the legal implications of wartime activities conducted by civilians and private sector companies, as such activities may blur the distinction between combatants and non-combatants.

Summary

  • Russia’s use of cyber and information warfare against Ukraine has confirmed some previous assessments of Russian doctrine and capabilities and invalidated others. In both cases, observation of operations in the war to date provides valuable insights for other states and coalitions seeking to defend themselves effectively against Russia in the future.
  • Russia’s operations in Ukraine have provided a clear practical demonstration of the holistic and integrated nature of Russia’s approach to using information for effect in wartime conditions. This implies that potential future victims of Russian aggression should recognize the crucial interdependencies this approach exploits – not only between cyber and information activities but also between these and the physical environment and cognitive domain – and adjust defensive strategies accordingly.
  • In particular, information and assets not normally thought to be targets for combat operations must be protected. Private personal information captured before and during military operations has been used by Russia with lethal consequences for its subjects.
  • Ukraine’s successful resistance to Russian cyber campaigns has been substantially enabled by support from international partners but also, critically, from private industry. The involvement of private industry in hostilities raises issues of accountability and legal status, as well as the question of financial and other support for the organizations offering their services. These issues should be addressed as a matter of urgency so that policies are in place before they are next required.
  • The participation of private citizens in information activities as part of the defence of Ukraine potentially undermines the notional protection they are afforded as civilians rather than combatants. While there is no expectation that Russia will observe international humanitarian law, this has the potential to complicate eventual prosecutions for breaches of it.
  • This research paper offers policy recommendations for enhancing the resilience of Western states to cyber and information operations by Russia. These recommendations, by their nature, will also be relevant for protection against any other state or non-state threat actor seeking to exploit similar vulnerabilities.

Source: Chatam House