| Washington Wrap |

Cyberwar Comes of Age

The Ukraine war is the first digital conflict

The Russian invasion of Ukraine is perhaps the first major shooting war in which the two sides are fully equipped to trade blows in cyberspace. The conflict highlights how far technology has evolved in such a short time.

In 1997, when I was in middle school, the Internet had yet to conquer the public consciousness. One of my classmates had a reputation as something of a tech whiz. He boasted that he could remotely break into someone else’s computer and make the disk drive pop out all by itself — an impressive feat in those days, long before the term “cyber warfare” entered the lexicon.

Compare what was possible back in 1997 with the capabilities of today. Governments take control of each other’s official websites, hospital systems (as happened at Hadera’s Hillel Yaffe Medical Center), railroad systems (as happened in Iran), and other critical infrastructures. The phones of senior defense figures are hacked routinely. And with today’s smart televisions, smartphones, and even smart refrigerators that alert you when you need to make a run to the convenience store, there is hardly any aspect of our lives that isn’t exposed to surveillance.

These capabilities have been thrown into sharp relief by the war between Russia and Ukraine, the first war in which, alongside the conventional forces fighting on the traditional battlefield, each side has a cyber army that could knock the enemy off balance.

This could take the form of propaganda, taking over sites or news channels, or something more aggressive such as damaging civilian infrastructure or taking control of a nuclear power plant. Cyberspace is a potential front in this war, for all intents and purposes. We spoke to several experts in this field to trace the roots of these developments.

“Cyber intrusions began as the digital equivalent of spying — exfiltration of data or security secrets,” says Syracuse University College of Law professor William Banks, an internationally recognized authority on cyber warfare and related legal issues. “As offensive cyber capabilities increased, the potential for cyberattacks that cause harm equivalent to kinetic attacks grew. Stuxnet [the US-Israeli cyberattack on Iran’s nuke program] was an extreme example, and in the war in Ukraine, shutting down the electric grid or the water supply or the generators at Chernobyl would be as well.”

“When the digital era came into prominence in the ’60s, electronic warfare between the Soviet Union and NATO evolved to include electronic emission, signals, and other related communications technology gathering techniques,” says Colonel James Curtis, a career Air Force communications officer who served in the White House under Bush 41 and Clinton, and is now IT and cybersecurity program director in the math and computer science department at Webster University. “Today, the combination of digital social engineering, social media, and misinformation have become the ‘triad of disruption’ used by Russia, China, and other nations against the open democracies of the world in an effort to sow discord, chaos, lies, and influence — all in their cause to weaken democratic foundations.”

Trevor Logan, cyber research analyst at the Foundation for the Defense of Democracies (FDD), said that 2007 was a hallmark year for cyber warfare. “That year, Israeli cyber actors reportedly disrupted a Syrian air defense system before Israeli fighters bombed a suspected nuclear materials site in Syria,” Logan says. “Also in 2007, suspected Russian state-sponsored hackers launched a cyberattack on Estonia that lasted 22 days, in response to the announced relocation of a Soviet-era statue in Tallinn.”

One additional feature of warfare in the cyber era that didn’t exist previously is the rise of independent actors, such as the Anonymous hacking collective. These groups are attacking Russian government and business sites with the purpose of embarrassing the Putin regime, to show them that their actions in Ukraine come with a price. But Col. Curtis warns that this could lead to unpredictable escalation.

“If these groups start going after critical infrastructure such as nuclear plants, electrical grids, water, and so on, it could be a very different situation from what it is today,” he says. “That is the fear of any nation — attacks on the critical infrastructure.”

Although Russia has not refrained from attacking civilians through conventional means, it has not conducted cyberattacks on the civilian infrastructure. Our experts are divided as to the reasons for this.

“Despite the clear capability and capacity to conduct cyberattacks that would undoubtedly have a severe impact on Ukraine’s networks, Russia has yet to use cyber in its invasion of Ukraine,” says the FDD’s Trevor Logan. “While no one truly knows why this is the case, there has been speculation that Russian military strategists did not think cyber was necessary. Others have assessed that Russia’s logistical woes and failed attempt to quickly capture Kyiv indicate that Russian strategists had placed faith in all their plans that they would be able to quickly end this invasion and secure victory without the need for cyberattacks. While it is unclear why cyber was not considered during the initial invasion, it is important to remember that cyber is always a capability Russia can fall back on if it chooses to.”

Col. Curtis attributes Russian reluctance to different reasons: “Because of the potential loss of life, international condemnation, and a sense that a line is crossed once major cyber-attacks occur against critical infrastructure,” he says. “Using that weapon would be no different than using a kinetic weapon if applied against the most sensitive critical assets of a nation; so, a response by the nation attacked through the use of kinetic weapons would be justified under the laws of war. The US has reserved this right to use kinetic weapons against any nation-state that would use cyberwarfare against critical infrastructure.”

Logan and Curtis are in general agreement, though, that cyberwarfare is not at the point where it will completely replace conventional tactics.

“While cyber is continuing to expand in its usefulness as an instrument of state power, cyber is more of a complement to tanks and aircraft than a replacement,” says Logan. “While tanks and aircraft can profoundly impact the battlefield, the effects are often localized to that area.”

“It is true that cyberwarfare could be just as devastating to the populace,” says Curtis. “However, you must take and hold land to fully conquer a foe. So, in effect you could cause massive damage via cyberwarfare, but you could not sustain the results without traditional weapons of war. And unlike traditional weapons of war, cyber weapons are possessed by everyone. So, the battlefield is pretty level for criminal organizations, terrorists, and nation-states.”

With cyberwarfare clearly bringing a paradigm shift in military tactics, it raises the question of how a cyberattack would be regarded in the traditional framework of international law. Professor Banks of Syracuse University says the answer depends at least partly on who is on the receiving end.

“International law forbids the ‘use of force’ or ‘armed attacks,’ and there is no clear line marking when a cyber intrusion would cross either threshold,” he says. “Russia has some of the most sophisticated offensive cyber capabilities, equivalent to the US and Israel, and much stronger than Ukraine. There is understandable worry that attacks on Russian infrastructure that could be attributed to the US or another Western nation would spur escalation. But US critical infrastructure is less well defended than in most states, because ours is largely in private hands, and we have relied so far on voluntary compliance with recommended cyber defenses. Russia controls its infrastructure, from top to bottom.”

Trevor Logan says that international bodies are just beginning to define the parameters in this murky world. “The NATO Cooperative Cyber Defense Center of Excellence authored the Tallinn Manual (and subsequent update in the Tallinn 2.0 Manual) to propose how international law should govern cyber incidents between countries,” he says. “While the Tallinn Manual is recognized as an influential resource for legal advisers, the recommendations are currently non-binding in international law.”

Col. Curtis says that although this is an evolving area and has not been fully vetted, US policy is that cyberwarfare can be viewed the same as traditional kinetic warfare. But he cautions that the rest of the world has yet to fully agree on what constitutes a cyberattack.

“When does hacking rise to the level of warfare?” asks Curtis rhetorically. “Is all of a nation’s critical infrastructure considered a war target? What about election systems or nuclear energy facilities? These and many other questions are yet to be resolved through international law.”

In any event, Col. Curtis is concerned about what could happen if Russia absorbed a massive cyberattack and decided to retaliate against the US — regardless of whether it was the source.

“They could go after critical infrastructure, conduct denial-of-service attacks, hit social and traditional media outlets, businesses, and the government itself,” he says. “While the US cybersecurity programs are continuously improving, there are many vulnerabilities across the nation that could be exploited to significantly degrade America’s financial, health, government operations, and other aspects of daily life.”

 

(Originally featured in Mishpacha, Issue 904)
