Where is Russia’s cyber blitzkrieg?

Fighting in Ukraine continues but the much-anticipated Russian cyber blitzkrieg hasn’t occurred. Russian forces have failed to deploy devastating cyber attacks in the opening salvo, despite ample opportunity to cripple Ukrainian networks. Where is the dramatic, game-changing cyber war we were promised? Pundits are scrambling for explanations. Spoiler alert: Cyber isn’t a magic wand to wave and gain battlefield superiority. Cyber attacks are rarely decisive on their own, and they don’t exist in a vacuum. Strategic context is critical for unpacking the use of cyber operations, and Russia’s invasion strategy undeniably has shaped and restricted its menu of cyber options.

First, the Kremlin’s goal of regime change in Kyiv means that Russian cyber operations are subject to the “you break it, you buy it” rule. If your plan is to install a puppet government, the last thing you want to do is obliterate Ukraine’s communications networks and other critical infrastructure. Life would be miserable for any regime trying to manage a population with no electricity or water. Now add an extra layer of Ukrainian outrage against a Russian lackey whom they likely would violently oppose. As a result, the Russians have launched limited attacks to temporarily disrupt public services. This has included website vandalism, overloading government servers with traffic, and using malware to wipe data from banking networks.

Putin’s overconfidence in a swift and overwhelming victory is another reason for the lack of cyber-induced damage. In thinking that this would be a quick smash-and-grab, the Kremlin de facto shelved what could have been its most powerful cyber capabilities. High-impact cyber attacks require immense resources, planning time, and operational control so that they hit their mark and aren’t discovered before pulling the trigger. Meeting these conditions is extremely hard, and it’s not worth the effort if you expect a quick win. Disruption therefore takes a backseat to intelligence collection. While tracking targets on Ukrainian networks is valuable, taking them offline is counterproductive. Putin’s months-long military buildup gave time to plan for high-end cyber warfare. That we haven’t seen it is a testament to false assumptions of quick victory and an underestimation of Ukrainian cyber defense.

Finally, the Russian military’s poor planning and execution in the early stages of invasion cast doubt on its ability to truly integrate cyber with conventional operations in combat. As I’ve written, this is a challenge for many militaries. It is particularly true for Russia, where the military and intelligence cyber-ecosystem is crowded with units that constantly compete and lack coordination. But incorporating cyber effects into kinetic operations is even harder for a military whose soldiers don’t know where they are or why they’re deployed. Their reliance on civilian radios and mobile phones for communication doesn’t inspire much confidence either. 

The Russians clearly excel in cyber espionage: By hacking one company (SolarWinds) and corrupting a single software product, Russian cyber operators gained access to several Fortune 500 companies and U.S. government agencies. However, given the lack of impact in the past and current logistical struggles, we should temper our expectations about Russian cyber prowess in wartime. 

The Kremlin hasn’t gotten the military knockout blow it wanted, and missed its window of opportunity. Cyber operations would not have been decisive. But they could have enabled a first-mover advantage by taking out Ukraine’s digital eyes and ears, including the ability to receive and integrate intelligence shared by NATO. This is not to say that cyber has no role to play moving forward; quite the opposite. The longer the war lasts, the greater likelihood that Russian forces will test out new tools on Ukrainian networks. Such activity can manifest as increased intelligence collection or the use of cyber capabilities at the tactical level to produce limited, localized effects. Both could contribute to the lethality of Russia’s conventional strikes. For example, tactical cyber attacks could facilitate a ground unit’s ability to secure or destroy a target by briefly disrupting specific networks within the given area of operation.

So far, cyber operations have been “the dog that didn’t bark.” But the day could come when Russia uses cyber operations to give conventional forces a temporary edge or to retaliate against those supporting Ukraine. This requires more sober and concerted planning than we have seen from the Kremlin thus far. The longer-term challenge is how future aggressors interpret these events. Will militaries convince themselves that cyber has little use early on in an invasion, or will they learn from Russia’s mistakes to better synchronize cyber operations with conventional ones? My money is on the latter, and I’d be willing to bet that Beijing is already studying hard. 

Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on cybersecurity as well as transatlantic relations. Follow him on twitter @JasonABlessing.