By Cam Sivesind
Wed | Mar 29, 2023 | 3:06 PM PDT

A research paper by the International Institute for Strategic Studies examines Ukraine's success in cyber warfare with Russia, including putting the former Soviet Union in a mainly defensive, not offensive, position when it comes to non-traditional war tactics.

In a paper titled "Russia's War in Ukraine: Examining the Success of Ukrainian Cyber Defences," author Dan Black, Senior Principal Threat Analyst at Mandiant, says:

"Despite expectations to the contrary, cyber defense, not offense, has been the story of Russia's war against Ukraine as it enters its second year. Shattering concepts of offense dominance, Kyiv's cyber-defensive effort has shown that a strong and layered cyber defense can be mounted against a well-resourced and highly capable adversary. The preeminent question in policy debates has been: 'How can other states replicate Ukraine's success?'"

Black continues:

"There are also other pressing policy questions. The first is: how durable is the 'Ukrainian model' as the war enters another year with seemingly no end in sight? To date, Kyiv has deftly marshalled its defensive resources and orchestrated diverse forms of external support to stem the Russian cyber offensive.

However, concerns of 'fatigue' setting in are just as consequential to Ukraine's cyber defense as they are in other domains of war. After all, defensive reinforcements are not limitless, and competing priorities or emerging crises elsewhere in the world could divert attention and resources away from the Ukraine front.

Changing economic conditions could also stem crucial private-sector support for Ukraine's cyber defense. Moreover, notwithstanding popular narratives about the ineptitude Russia's cyber forces have displayed so far, they remain highly skilled and have shown that they are tactically adaptable.

We should therefore not underestimate Russia's cyber programme nor think that its hitherto shortcomings will persist. Governments should therefore undertake proactive efforts to prioritize critical collective-defense measures to ensure their long-term sustainability.

Notably, there are significant opportunities to be realized here to bolster existing multilateral mechanisms and better coordinate public- and private-sector commitments."

Here are a few more snippets from the paper:

Balancing access and action

"There are several key takeaways from Russia's evolving cyber campaign that can aid our understanding of Ukraine's defense. The first is that offensive cyber operations in practice are likely to be cyclical by nature. As we can see from Russia's efforts to replenish access to critical infrastructure networks throughout the first year of the war, gaps in offensive network action should not be interpreted as the consequence of cyber groups letting up or exhausting their operational capacity. Rather, there had been a continuous effort to probe critical infrastructure, build contingency access methods and diversify tools and tactics to prolong Russia's ability to conduct OCOs. New operational cycles have also come with adjustments in priority that have rapidly placed new technologies, suppliers and organizations at risk. Defenders preparing for future waves of Russia's cyber campaign must recognize that there will be a continuous need to re-target, re-tool and re-establish access when priority is being given to a disruptive mandate."

Russia's information confrontation doctrine and cumulative strategy

"The second lesson relates to targeting. Russia ostensibly pursued a cumulative strategy with its OCOs, likely perceiving that the minute accumulation of simultaneous disruptions to Ukraine's CII would create a critical mass beneficial to Moscow's war aims. This component of Russia's strategy had likely not focused on targets of military value, but on strategic targets that would impact the morale of Ukrainian leadership and civilians—centers of gravity in its broader coercive strategy to erode Ukraine's will. Russian targeting had therefore been much more widespread and indiscriminate than prewar estimates envisioned, with CII valued by Moscow not solely in terms of its military utility, but primarily in its potential to disrupt civilian infrastructure and compound other means of societal-wide psychological pressure. It is important to avoid falling into the trap of seeing cyber operations as a substitute for kinetic firepower and instead consider their potential remit in pursuing broader strategic wartime objectives beyond the battlefield."

Operational pressures in a contested environment

"The third takeaway relates to sustaining operations in a contested wartime environment. While predictions often model the use of highly sensitive capabilities carefully husbanded for conflict, Russia overwhelmingly opted for a more generic concept of operations. Russian cyber units doubled down on their long-term interest in targeting the perimeter of target networks by focusing on 'edge' devices such as routers, firewalls and email servers that can be exploited using known vulnerabilities for immediate access. This approach is advantageous as it can be harder to detect, can defeat 'impossible travel' and other geographically rooted defensive measures, and does not leave trackable artefacts from purchasing C2 infrastructure. And because incidents involving edge devices such as routers are not often remediated during incident response, they at times provided Russia's military persistent access in order to re-strike networks at a later date. Notably, reports from threat intelligence firms continue to highlight network infrastructure as a significant blind spot for defenders in large part due to visibility limitations imposed by network suppliers. This is an area that warrants much more defensive attention."

Here's a partial look at the paper's conclusion:

"Extracting the enduring lessons from Russia's war in Ukraine—both on the offensive and defensive sides—will surely be at the forefront of policy discussions going forward. As these debates unfold, policymakers need to consider how central Ukraine's superior capacity to adapt and innovate has been to its defensive performance. Moreover, they should recognize that the enablers of this superior adaptive capacity exist largely at the strategic rather than tactical level. Modifications ranging from national legislative changes to strict operational security protocols have combined to negate Russia's advantages and seize the initiative. And throughout the different phases of the war, Ukraine has skillfully adjusted to the nature of Russia's cyber operations and the related political, military and technical challenges. At this juncture, it is uncontroversial to argue that Ukraine has decisively won the adaptation battle in cyberspace."
