A War in Cyberspace: Cyber Escalation in the Russia-Ukraine War

A catastrophic cyberwar, as was initially predicted, has not yet materialized between Russia and Ukraine or Russia and the United States. Except for a couple of major cyberattacks in Ukraine, such as a series of distributed denial of service (DDoS) attacks targeting Ukrainian banking and defense websites and a communications outage stemming from an attack on the satellite internet provider Viasat in February 2022, there have not been any major cyber incidents during the invasion.

From the 2015 Sandworm power grid hack resulting in mass outages across Ukraine to the notorious NotPetya malware that led to severe economic disruption across the globe in 2017, Russia has not shied away from exercising its cyber capabilities against Ukraine. However, experts have speculated why Russia has, till now, avoided a debilitating cyberattack against Ukraine. Firstly, Russia may be still weighing its offensive optionsand waiting for the right time to launch an aggressive cyberattack to cause the most damage. Secondly, Russia might have chosen to focus all its energies on strengthening its rapidly weakening kinetic front. Thirdly, Russia does not believe that the current circumstances warrant a cyberattack and would launch one if the United States intensifies sanctions or more of its troops perish in battle. These reasons for Russian restraint are particularly interesting to analyze in the context of perspectives on escalation dynamics in cyberspace. The question remains - Why has Russia adopted resistance in sharp contrast to its commonly aggressive cyber posture against Ukraine?

One can find the answer to this question by examining two contemporary perspectives on escalation in cyberspace: cyber escalation as reality vs cyber escalation as a fallacy. The former contends that Russian premier Vladimir Putin might deploy cyber weapons in the near future which could lead to unprecedented escalation while the latter argues that precedence elucidates the non-escalatory features of a cyberattack and utilization of cyber as a strategic tool is key in alleviating the crisis.

The latter argue that cyber escalation is a fallacy because cyber-attacks have not proven particularly escalatory on the battlefield. They contend that cyberattacks have always been maintained below the level of armed conflict; thus, an escalation from cyber to an armed conflict is unlikely. Moreover, some question the logic of cyber escalation in the context of the Russian invasion of Ukraine when there is no strong precedence for such escalatory dynamics. For example, Russia’s hacking into the Olympics in 2018 or Russian hacking of the colonial pipeline didn’t lead to a tit-for-tat response from affected countries. Consequently, it is unrealistic to assume that a Russian cyberattack against Ukraine or Russia would bring about proportionate retaliation. 

Additionally, the cyber security dilemma has been heavily debated. Even if there is some level of retaliation in response to a cyberattack, it is unlikely to cause immobilizing harm to the state. Tacitly agreed-upon norms between countries prevent massive escalation in the cyber domain. Although the cyber security dilemma has internal logic to it, cyber competition between two states remains inherently unstable. Unlike clear signaling through an overt change in battlefield strategy and placement, an improvement in cyber capabilities is usually an invisible process and thus fails to cause any significant reaction from the other state. Lastly, several cyber experts argue that cyber helps deter crises by offering off-ramp non-kinetic options for leaders wary of using further force; the stability-instability paradox prevents uncontrollable escalation and allows cyber to remain a domain of relative stability.[6] Thus, policymakers could treat cyber operations less like escalatory weapons and more like strategic tools to gain valuable intelligence, sabotage adversary networks, and signal capabilities in crises. 

On the contrary, some experts believe that cyber escalation in the context of the Russian invasion of Ukraine is imminent because we have never experienced the use of cyber capabilities in a conflict of this scale before. According to expert analysis, Russian President Vladimir Putin has saved and built his cyber capabilities to use as a last-resort measure if the invasion continues into summer. By summer, Russia would have presumably exhausted its military means to achieve its objectives and, in a last-ditch effort, attack critical U.S. infrastructure considering it would not have much to lose at that point. An attack on U.S. critical infrastructure is expected to lead to a similar scale of retaliation. Thus, intense cyberattacks from Russia could invite American and European retaliatory cyber-strikes, leading to a cybersecurity dilemma that might take a life of its own.

Notably, in its nuclear declaratory policy, Russia has stated that an attack on its critical government or military sites could lead to nuclear usage. Although escalation from cyber to nuclear is unprecedented, it is not completely unrealistic considering Putin is not a rational adversary. Cyber remains Putin’s most powerful weapon. Unintentional deaths can be caused by attacks on power grids or transportation networks that could sound the alarm for military incursions. Moreover, each side’s perception of the other’s largely invisible cyber capabilities could lead both sides to unnecessarily climb up the escalation ladder. The cyber domain remains the realm of the unknown. The U.S. should fortify its cyber-deterrence regime and be prepared to conduct cyber operations whenever necessary.

There are three ways the U.S. can respond if Russia escalates into the cyber domain. Firstly, it could impose more intense and widespread sanctions on the Russian oligarchy and financial structures. However, its collateral effects could cause unnecessary oppression of innocent citizens. Secondly, the U.S. could potentially go after the hackers and disable their systems. Lastly, the U.S. could carry out a cyber strike against Russian critical infrastructure although, according to the aforementioned Russian nuclear declaratory policy, threats to its nuclear plants are considered grave enough to deploy nuclear weapons.

As the war in Ukraine intensifies, the international system destabilizes, and great-power competition deepens, the risk of cyber escalation increases. On the contrary, cyber operations may provide an important outlet for tensions, given their limited effects. Whether cyber escalation is imminent remains to be seen but it is important to recognize that Russia holds significant cyber power and can deploy it whenever needed without warning. The U.S. and its European allies should remain prepared for any unprecedented, in time and scale, and a possibly deadly cyberattack against their respective critical infrastructure.

DISCLAIMER: All views expressed are those of the writers and do not necessarily represent that of the IWAB platform.