U.S., European and Russian negotiators are meeting this week to discuss the security crisis over Ukraine, and the steady buildup of Russian troops along the Ukraine border. The United States and its European allies have threatened to impose additional sanctions on Russia if President Vladimir Putin invades its neighbor.
But while satellite photos in recent months show clear evidence of the Russian troop movements, Russia appears to be taking other moves against Ukraine. In December, Russia reportedly stepped up its cyber intrusions into Ukrainian infrastructure, including government agencies and the energy sector. In response, the United States and Britain have dispatched teams to help shore up Ukraine’s cyberdefenses.
Is this cyber activity a signal that Russia is engaging in “cyber prep” to get ready for an invasion, in cyberspace and/or on the ground? Some commentators warn that “all physical kinetic military action … [in] Eastern Europe will be preceded by a cyber pulse.”
Our research on the challenges of cyber signaling offers some insights. Getting the answer to this question wrong could have tragic effects. On the one hand, failing to recognize the early warning signs of a Russian invasion could enable Putin to get his way in Ukraine. But erroneously ascribing hostile intent based on ambiguous cyber signals could inadvertently and unnecessarily escalate a crisis with a nuclear-armed power.
Biden is threatening Putin with European energy sanctions. That may be difficult to pull off.
Russia could be operating in cyberspace to prepare for war
Russia’s past behavior suggests there are reasons to see the current cyber campaign as a precursor to invasion. When Russia annexed Crimea in 2014, operatives affiliated with the government also conducted a range of cyber operations against targets in Ukraine, including disruptive attacks, website defacements and attempts to locate Ukrainian artillery formations. In 2008, when Russia invaded Georgia, the assault followed several weeks of cyberattacks, including distributed denial of service attacks — which aim to overwhelm targeted servers with traffic.
Russia has also deployed cyberattacks in its ongoing campaign in eastern Ukraine. Most notably, in 2015 Russia launched a cyberattack against Ukraine’s power grid, leaving hundreds of thousands of Ukrainians without power during the winter — and attacked the power grid again in 2016.
In the current Ukraine crisis, it’s possible Russia is using cyberattacks to enhance its military strategy or even substitute for some conventional military operations. Cyber operations could be a way to shape the information environment in Ukraine — and create uncertainty and sow distrust in the Ukrainian government. And cyberattacks against Ukrainian command, control and communications targets could impede Ukraine’s ability to respond to a Russian incursion.
But cyber operations could also be an alternative to war
Of course, Russia’s cyberattacks may not be a signal of impending invasion. A number of other possible reasons might explain this increased activity. First, while it seems unlikely, the timing of observed Russian-linked cyber activity in Ukraine’s networks could be coincidental. Russia and other cyber-capable countries routinely operate in cyberspace to probe for rivals’ vulnerabilities, collect intelligence and hold potential targets at risk — all in support of various national security objectives.
Second, Russia’s escalating cyberattacks may be linked to the ongoing crisis over Ukraine, but could be an alternative to war, rather than a precursor. Indeed, Russia could be preparing options to conduct cyber operations as a means of crisis management or de-escalation.
How cyber operations can help manage crisis escalation with Iran
Rather than use cyber operations as a means of coercion or to shape battlefield dynamics, governments might turn to conduct cyber operations to de-escalate crises. Cyber operations’ nonviolent effects and relative limitations in imposing costs make them an ideal way to resolve a crisis without appearing to have backed down. All sides may perceive cyber operations as less escalatory, in comparison to other military options that may be on the table during a crisis.
Here’s how this might work, in this instance. The Russian president may find this use of cyber power appealing because he has publicly committed to a strident stance over Ukraine and may not want to be perceived as backing down. A cyber campaign might satisfy hawks in his inner circle that Putin is “doing something,” while avoiding causing physical violence that might risk triggering a Western response.
The risks of misperception are high
Are Russia’s cyberattacks in Ukraine a precursor to invasion? One big challenge is that we cannot tell for sure — but another is that different scenarios suggest radically different policy responses from the United States and Europe. Deterrence theory, for instance, might suggest the United States and its allies issue stronger threats to Russia right now, if Russia’s cyber behavior is a clear sign that an invasion is coming.
But if Russia is using cyber operations to extricate itself from the current crisis — or if its cyber activities are decoupled from the crisis — then threatening Russia is dangerous, the research suggests. A U.S. attempt to deter Russia might back Putin into a corner, and make a conflict more likely to occur.
Don’t miss any of TMC’s smart analysis! Sign up for our newsletter.
And if Russia’s cyber activity does signal an invasion? If this is the case, efforts by the United States and its allies to accommodate Putin could encourage further aggression if he is preparing for conflict and calculates that his rivals lack the resolve to act.
Where does this leave decision-makers? Uncertainty about intentions in cyberspace is an endemic challenge. In the long term, these uncertainties reinforce the importance of improving intelligence collection to understand how adversaries might use cyber power in different scenarios.
In the immediate term, formal and informal confidence-building measures between the United States and Russia to communicate about cyber operations and promote transparency — such as the use of the nuclear hotline to address cyber issues, the expert consultations that President Biden and Putin agreed to last June or the recent diplomatic discussions — will be particularly important. Direct communications between leaders provide opportunities to clarify the intent around these cyber operations.
The risks of miscalculation in either direction suggest prudence — and avoiding jumping to conclusions about ambiguous signals like cyber operations.
Professors: Check out TMC’s expanding list of classroom topic guides.
Erica D. Lonergan (nee Borghard) is an assistant professor in the Army Cyber Institute at West Point and a research scholar in the Saltzman Institute of War and Peace Studies at Columbia University.
Shawn W. Lonergan is a U.S. Army Reserve officer assigned to 75th Innovation Command and a senior director in the Cyber, Risk & Regulatory Practice at PricewaterhouseCoopers.
The views expressed here are those of the authors and do not reflect the policy or position of any U.S. government agency or organization.