Edited by Kenneth Geers. NATO Cooperative Cyber Defence Centre of Excellence, Tallinn 2015. 175 pp.
This is the first book to provide a wide-ranging discussion of Russia’s aggression against Ukraine in 2013–15.
Potential readers: the book is available online free of charge1 and includes analyses by cyber-warfare theorists (Martin Libicki, James Lewis, Jason Healey, the book’s editor Kenneth Geers, etc.) as well as military theorists (Keir Giles, James Wirtz, etc.), which place the events happening in cyberspace in a wider (geo)political, military and strategic context. The book offers potential answers to the question Russia, which also used non-military methods against Ukraine and has powerful cyber weapons, did not use them against Ukraine’s energy, transport and financial systems. While journalists have written much on the topic of cyber-attacks in Ukraine, this book is the first to offer a more analytical view. The book’s greatest value is that the reader gains, in fewer than 200 pages, a comprehensive understanding of what cyber-attacks and incidents took place, what they meant and what this all means for the future. There is also a table summarising the most severe cyber incidents.
The book consists of 18 chapters, grouped into general subjects: strategic approaches of Russia’s military aggression and cyber activity in Ukraine, the role of cyber war in Russia’s strategic thinking and the war in Ukraine, and conclusions based on the previous theoretical approaches to cyber war in relation to events in Ukraine. One of the most exciting parts of the book is the tactical overview in the second part. Two articles, one written by the former head of Ukraine’s security incident department, describe the incidents, providing overviews unlike any previously published. Another interesting article is an inside look by a cyber expert from the network security company FireEye, which explores long-term high-level espionage campaigns—some of which have been proven to have connections to Russian governing bodies—in a non-technical and therefore easily understandable article, the likes of which are not easy to find on the Internet.
The book’s 20 authors also provide analyses of Russia’s information warfare, rhetoric and the use of social media in contributing to the country’s interests, as well as chapters on international law, the development of cyber regulation, and the cyber security policy of the Ukrainian government. Future scenarios by Jason Healey and Michelle Cantos, which describe the possibilities of how Vladimir Putin might use complex cyber-attacks to destabilise Ukraine or to make the West submit to Russia’s interests, are also worth highlighting. These may turn out to be prophetic, as the authors note that several security analysts they interviewed told them that Russia could be “preparing the battlefield” by infecting critical Western infrastructures with high-level malware (e.g. Havex and BlackEnergy). Indeed, less than a month after the book was published, cyber-attacks took place against a power plant in Ukraine (causing a blackout that lasted several hours), and access to information systems was gained with BlackEnergy malware, which was also discovered in Kiev airport’s IT systems.
Just as there is no consensus on whether cyber warfare belongs to the realm of science fiction or serious military theory, the authors of this book have different opinions on the interpretation of events. Martin Libicki, a known cyber-warfare sceptic, lists the reasons why he believes there was no cyber war in Ukraine and states that, contrary to popular opinion, cyber-attacks are not necessarily used in modern warfare. Professor James Wirtz of the US Naval Postgraduate School writes that cyber warfare is part of Russia’s great strategy that serves a political cause, and that Moscow has shown it can use cyber power effectively for strategic purposes. As Russia understands the political and strategic influences of new technology, it was able to profit from the associated opportunities. NATO was not the military target of Russia’s cyber power, and the strategic approaches used by the US and NATO did not prove their worth. Russia achieved a fait accompli successfully and with minimal losses owing to its cyber power. Russia thereby achieved a strategic victory.
James Lewis, senior research fellow at the Center for Strategic and International Studies (CSIS) and a former US government official, is of a different opinion—he believes Russia’s cyber-attacks had no strategic or military influence (for example, they did not damage Ukraine’s units). Russia achieved only short-term results with cyber warfare. Lewis notes that, while the usefulness of collecting intelligence through cyber methods cannot be denied, achieving military or political impact with cyber instruments is far more questionable.
Several authors note that Russian forces demonstrated good electronic warfare capability in their attacks both on the Crimea and in eastern Ukraine, but unfortunately the book contains no descriptions of how this capability was employed in warfare (such analyses can be found on the Internet). However, several authors point out that, according to Russia’s concept, cyber-attacks and electronic warfare are two possible weapons in a wide arsenal of information warfare that is waged day in and day out. The West’s and Russia’s concepts of cyber and information warfare are also reflected in the way the authors in this book reach cardinally different conclusions based on their conceptual choice. In other words, the conceptual framework in many ways determines the outcome of the thought process.
Margarita Levin Jaitner of the Swedish National Defence College notes that Russia achieved the main aim of information warfare—information superiority—in the Crimea. The book also features an interesting analysis on the use of proxies in cyberspace by Tim Maurer, who states that, while the use of volunteers in cyberspace was an active part of the conflict, Ukraine was unable to make them serve the national cause. Similarly, cyber criminals did not refocus their activity on supporting the state’s political goals, and continued making a profit. I cannot entirely agree with the latter, since politically motivated complex cyber campaigns that use the same malware (or similar software) that is employed by cyber attackers are connected to the Russian government. It is therefore likely that criminal groups are motivated by their own economic interests as well as acting in the interests of the government that gives them carte blanche. There is one thing all authors seem to agree upon—countries will continue using cyber instruments to execute their power in the future, and cyber-attacks will play an important role in the conflicts of the future.