Not So Fast on Declaring Cyber Victory in Ukraine
It is increasingly difficult, if not impossible, to participate these days in any cyber-related gathering without the war in Ukraine emerging in conversation. The context tends to center on the presumed lack of successful cyber-attacks from Russian Cyber Units against Ukraine.
Typical Cyber War Narrative for Ukraine
The narrative is usually this: The war began with a successful cyber jab from Russia – namely, the disruption of Viasat, a communications system that supports satellite modems across Ukraine. Apparently, tens of thousands of modems were shut down – which was bad.
But then, the capable Ukrainian cyber defense stepped up to thwart any subsequent attempts from the GRU. The narrative follows that the Ukrainians have somehow managed to finally create an effective cyber defense against a major nation-state actor – in this case, Russia.
By the way, to the credit of the Ukrainians, this narrative seems to emanate more from the pundits, experts, and press than from Ukrainian cyber leaders. Commentary around Ukrainian success on the cyber theater has thus come from passive observers, not active participants.
To illustrate, Sir Jeremy Fleming from the GCHQ said that Ukraine’s cyber defense was “arguably the most effective defensive cyber activity in history.” Lindy Cameron, also of GCHQ, said this: “With strong cyber defenses in plan, the defender has significant agency.”
The current issue of The Economist addresses this topic as follows: “When the invasion began, Ukraine’s cyber command had a contingency plan ready.” And here is another quote from Cameron: “The war has illustrated the severe limitations of cyber as a wartime capability.”
Now – we all would like to believe that Ukraine has finally decoded how to stop a determined nation-state when it comes to cybersecurity. I’ve personally devoted my life to that goal, so my comments below are motivated only by my observations. So please hear me out.
Reasons to Stop Declaring Premature Victory
I believe there are several reasons why observers must stop declaring cyber victory for Ukraine. Each element of my argument stems from personal experiences over four decades trying to defend critical infrastructure from major nation-state cyber threats. Here are my views:
Low-Cost Offense – Small amounts of Russian money and effort are required to plan, target, and sustain cyber-attacks against Ukraine. The GRU only needs to break through once, but the defense needs to be perfect every time. And there is no clock. This can go on indefinitely.
In cybersecurity, we refer to the massive advantage an offense possesses as an asymmetry. In particular, the energy to maintain a cyber defense, in today’s computing environment, far exceeds that required by an attacker. It’s something we in the industry work on every day.
So, when exactly does Russia declare defeat and stop their cyber offensive? If cyber offense was resource intensive, then such a date might exist. But I cannot imagine for the foreseeable future that the GRU would need to pause an iota – until they succeed.
Invisible Build Up Campaigns – The typical cyber campaign is invisible. Things generally look great until they don’t. Most professional cyber defenders know this – and would sooner be caught naked in public than declaring that their defenses have stopped an adversary.
The terms we use in cybersecurity to refer to this invisibility are dwell times and persistence. Both refer to the low and slow nature of the most lethal and effective attacks. The adversary gains a foothold, waits for the right time, and then pounces. It’s a well-understood tactic.
Zero-day threats are another challenging issue. We can be 100% certain that Russia possesses a plethora of these unknown exploits – and it is only a matter of time before one of their malware attacks produces a truly bad consequence. Remember, it only has to hit once.
Plethora of Targets – The GRU can easily point their attacks at a variety of targets, including non-government. And who is to say that they cannot mount attacks at Ukrainian allies, including the United States. Are US civilian agencies prepared to stop a GRU attack?
Furthermore, the Ukrainian citizenry and small business infrastructure are no more or less vulnerable to cyber threats than in any other country. Certainly, they are on high alert, but phishing, disruptions, DDoS, and so on – will work as expected. I see zero evidence otherwise.
My View of Why Russian Attacks Aren’t Working
Look, if you want my view as to why Russian attacks have not been more successful, it’s this: I’ll bet that the hearts of Russian GRU cyber experts are simply not in this campaign at all. To be a cyber attacker, you need to be intelligent – and they must see through this whole damned thing.
Imagine, for example, if the US Cyber Command was commanded to launch serious cyber-attacks against Canada. If these attacks were then somehow just not working as expected, would we honestly suggest that the US was less capable? Or might we suspect that some restraint was involved?
Every attacker knows that you can nuance a break-in, or slightly pull back on an attack. This requires skill, and Russia has that skill (remember the 2016 US election?). But sooner or later, this tactic wears thin, and the Russian offense holding back can only go so far.
A Call for More Responsible Reporting
Accordingly, I offer my warnings – and here’s why: First, I believe it is irresponsible to declare premature victory when it is patently unclear what victory actually means. Every cyber expert knows that an apparent lack of an attack is no victory – so I wish we’d just stop saying this.
And second, claims of victory create unrealistic expectations – namely, that a country like Ukraine can defend its entire citizenry against a capable cyber actor. If this was true, then I sure wish they would share the secret with the rest of us. We could all use the help.
The best we can hope for in Ukraine is that they can sustain critical infrastructure, avoid any major attacks, and somehow manage to maintain a semblance of on-going service provision during what remains of this terrible war. That seems a more reasonable narrative to me.
Yes, we can certainly learn from what appears to be an expert means for dealing with one malware attack after another against Ukraine. The Ukrainians’ ability to respond has been stellar, and like Estonia and other countries that have been attacked, they’ve developed skills.
But I remain highly skeptical that Russian Cyber Units will not eventually be forced to break through and cause serious damage. And if we set unrealistic expectations in the press and in narratives at cyber events, then we just amplify the consequences of such an attack.
As always, please let our team at TAG Cyber know what you think. We look forward to hearing from you.
Vice President, Client Success @ Strider
1 year ago: Edward Amoroso: couldn’t agree more. Thanks for bringing some nuance into the fold.
SVP of Global Service Provider GTM
1 year ago: In principle, I agree. The evidence supports your claim for perseverance and caution. Clearly, data exfiltration techniques are constantly evolving under the cloak of volume. It also cannot be overstated how complex the source of ubiquitous exposures has made identifying the true origin of advanced campaigns. Suggesting Russia may have support against Western interests. We are at war!
Cybersecurity | Third Party Risk Management | IT Program Management
1 year ago: Never factor out that information can be inaccurate, biased, wishful, or intentional misinformation. Let us not kid ourselves who the sources of these cybersecurity intelligence reports are rooting for.
Founder/CEO at Cloud Range - Virtual Cyber Range Attack Simulation, SOC Analyst Training
1 year ago: Great article, Edward Amoroso.