Sebastien Larinier c3d625e1d0 add blog articles
2024-01-03 14:29:06 +01:00


---
title: Shaping the future of cyber operations
---
In his 2013 book "Cyber War Will Not Take Place", Thomas Rid argues that
"cyber-operations in wartime are not as useful as bombs and missiles
when it comes to inflicting the maximum amount of physical and
psychological damage on the enemy."

From day one of the Russian offensive, cyber experts and advocates have
been looking for the "cyber" smoking gun in Ukraine. Russia is
unarguably a "first class" country in cyberspace and probably one of the
few countries skillful enough to launch destructive cyber-attacks to
achieve its strategic goals in support of kinetic operations. Thus, as
the crisis escalated before 24 February 2022, fear of a "cyber shock
and awe" grew. However, so far, the Russo-Ukrainian war reminds us that
war is still "flesh and steel". Mud and geography still impose their
rules, and logistics are critical to both sides. Does this mean that cyber
operations are ineffective, too weak, and unable to produce any
strategic value?
To answer this, one must first explore how Russia is shifting from the
use of cyber operations in hybrid conflict to wartime. This is worth a
look, as Russia has a strong military background in information
operations (IO) and electronic warfare (EW). Russia also has a strong
reputation in clandestine cyber operations: "SolarWinds" is undoubtedly
a masterpiece we have to keep in mind while assessing Russian
capabilities. Understanding how to integrate cyber operations into a
large-scale, mainly air-land, campaign can inform our own processes. It
must also contribute to shaping our own military model, especially when
the French Strategic Vision highlights the need to "win the war before
the war" and emphasizes the critical role of information dominance. On
the other side, the way Ukraine, with no military command dedicated to
cyberspace, is fighting in the "fifth domain" is equally instructive for
understanding the fast-changing nature of cyberwarfare.
As western armed forces are building up their cyber forces and developing
multi-dimensional warfare doctrine, the war in Ukraine is a wake-up call
to speed up the process. Russia failed to integrate offensive cyber
capabilities in its shift from low to high intensity. This shift is not
only a matter of force structure, logistics and firepower; it may
broadly affect how the entire chain of command integrates new
fighting domains. What the Russo-Ukrainian war tells us about the nature
of cyberwarfare is that shifting from a covert proxy war to a
high-intensity campaign requires specific capabilities, human resources,
and task organization.

What have we seen?

For a wider view than that of the most recent weeks of the conflict, we
may analyze Russian cyber operations starting in 2014. Understanding
Russia's offensive cyber capabilities, and how it integrates cyberattacks
alongside conventional or special operations, is key to understanding the
shift from low- to high-intensity conflict.

Clandestine actions and the hybrid warfare phase

Cyber conflict between Russia and Ukraine has its roots in the lasting
strategic confrontation between the two countries. Looking back to the
early 2000s, Ukraine was repeatedly targeted by Russian special
operations, whether in cyberspace or in the physical domain. In this
early stage, cyber operations mostly gathered intelligence without being
detected, or supported political destabilization. From 2014, and the
first hybrid operation, to the 2022 conventional invasion, Russian cyber
activity mostly consisted of major Advanced Persistent Threats (APTs)
such as Turla, Sandworm, APT28 or APT29.

Records of disruptive cyberattacks between 2014 and 2017 show attempts to
target the power grid (2015 and 2016), leading to a few hours of local
disruption for around 230,000 customers in western Ukraine. Then,
election interference (2014) targeted the computer systems of the Central
Election Commission. These attacks also contributed to fears of Russian
interference in the democratic process.

All put together, none of these attacks had real strategic value apart
from a signaling effect. However, during this "hybrid war" phase, one
cyberattack had a significant impact on Ukraine and caused collateral
damage far beyond what was initially expected. In 2017, a self-spreading
malware sneaked into Ukrainian private-sector IT systems and
irreversibly encrypted data. Posing as ransomware, NotPetya's
purpose was to cause maximum damage. The tactic used to deploy the
malware led cybersecurity experts, UK officials, and the US to attribute
it to Russia. This widely publicized example of a large
clandestine disruptive operation is almost the only documented example
that western staff officers can analyze for lessons learned.

Still during this first phase of the conflict, Russian intelligence
agencies conducted most of the offensive activities. Their unique
advantage was to proceed in secret and provide "plausible deniability"
to Russian authorities. A primary aim of a cyber operation is to collect
intelligence through Computer Network Exploitation (CNE) and provide
material for subversion (leaks). Offensive capabilities are then
subject to a set of challenges, including avoiding detection, assessing
effects, reducing collateral damage, protecting specific tools and
infrastructure, gathering targeted intelligence to tailor the malware,
etc. Consequently, cyber operations during a hybrid war phase rely on a
specific momentum and a high level of secrecy, and are hardly integrated
with other military activities, including Special Forces. Years of
cyberattacks in hybrid operations in Ukraine apparently produced poor
strategic value and failed to achieve Russian dominance over Ukraine.
They also sowed the idea that cyber operations are always covert or
clandestine, thus making them less attractive to the conventional
Russian military apparatus.

Unleash hell! Or not...

Since February 2022, as the conflict shifted from a low-intensity / hybrid
to a high-intensity / conventional war, disruptive cyber operations in
support of the Russian air-land campaign are yet to be documented. One
could argue that we are missing the point here: cyberattacks may have
occurred but Ukrainian cyberdefense and its allies simply prevented
them. If true, except for the ViaSat cyberattack, none of the Russian
attempts to degrade, disrupt or deny Ukrainian freedom of maneuver in
cyberspace was a success. Nevertheless, Microsoft observed close to 40
"destructive attacks ... targeting hundreds of systems"; more than 40
Surprisingly, most of the tactics and tools, such as DDoS attacks or data
wiping, are not new and hardly state of the art. Disruptive
operations in support of regular military action thus seem to mobilize
less sophisticated capabilities than large-scale intelligence gathering
operations, network exploitation and advanced persistent threats (APT).
Are we then facing the same teams?

Attempts to disrupt Ukrainian command and control, communications or
the power grid failed, whereas at the tactical level traditional
electronic warfare activities support troops on the frontline. Shifting
from clandestine hybrid operations to disruptive actions in support of
an overt conventional offensive seems to be quite challenging.
When avoiding attribution is no longer a concern, one may well ask why
those operations are still led by the intelligence community.

Information warfare is not a myth in the digital age, and it works!

Years of a hybrid approach to conflict shaped new capabilities for
information operations (IO) in the Russian course of action. The combined
use of electronic warfare, SIGINT and message delivery in support of the
targeting process seems quite effective, at least since 2014, and one
would expect Russian forces to deliver such effects during the initial
assault phase.

Sending text messages to Ukrainian troops or their families to degrade
morale and encourage them to surrender or to break operational security
procedures is a masterpiece of information operations. From late 2014 to
2016, a Russian malware was able to retrieve communications and
location data from devices used by the Ukrainian artillery; at the
tactical level, it enabled Russian artillery strikes in support of
pro-Russian separatists in eastern Ukraine.

Eight years later, Ukrainian troops have learned from their mistakes and
very few examples of such successful deliberate targeting are reported.
Instead, massive use of jamming capabilities and large-scale artillery
shelling are replacing targeted hybrid tactics.

Information warfare is not limited to tactical support; the changing
nature of IO is much more tangible in support of political objectives,
or in directly striking strategic targets and international audiences.
Understanding the impact of social media on how people and leaders
address a situation is what most differentiates the 2014 hybrid phase
from the 2022 conventional phase.

While disruptive cyberattacks had a questionable effect, one cannot forget
the impact on the population and the growing feeling of fear and
frustration generated during the pre-invasion phase. This point should
be considered when assessing low-intensity or low-impact cyberattacks.
One official website offline for a couple of hours, large-scale
defacements or multiple service disruptions may not have a strategic
impact comparable to a missile strike, but they generate a feeling among
the population and the defenders that is hard to assess. Those are
tactics directly inherited from guerrilla-type warfare. Small bites lower
the morale and the fighting spirit but can hardly be decisive by
themselves.

Digital information operations in this war are a critical part of the
conflict, both to gain international support for Ukraine and to spread
misinformation and disinformation on the Russian side.

What have we learned and is it relevant?

Ukraine was probably a cyber sandbox for Russia during the hybrid phase
between 2014 and 2017. This world-class actor conducted massive cyber
espionage and was probably deeply rooted in most of Ukraine's critical
infrastructure. What the Russo-Ukrainian war tells us about the nature of
cyberwarfare is that shifting from a covert proxy war to a high-intensity
campaign requires specific capabilities and task organization.
It also requires a strategy to operate both with the latest technology
and, at the same time, with old-fashioned methods to avoid enemy jamming
or cell phone trapping capabilities. Ukrainian troops use methods like
runners and dispatch riders, or wired networks.

Russia's limited use of disruptive cyber operations is far from a sign
of weakness and inefficiency; it is more likely proof of poor integration
and a failure to adapt its cyber force to this type of confrontation.
Years of covert operations conducted by the Russian intelligence
community proved their ability and technical skills; the missing piece
is how to coordinate or integrate those capabilities within a
conventional military operation. The Russian military apparatus seems to
suffer from a lack of trained and educated cyber operations planners.
The lack of understanding of how to integrate effects from cyberspace
operations into plans, combined with the misunderstanding of military
planning by those in charge of offensive military operations (hacker
groups or intelligence officers), leads to a dead end.

Therefore, at the tactical level, electronic warfare is still a major
tool to disrupt and degrade the adversary's freedom of maneuver in
cyberspace, while at the strategic level intelligence agencies play
their own game, targeting political and military high-value targets.

To assess and analyze Russian cyber operations in Ukraine, we also have
to change the way we think about them. As Lauren Zabierek says, "Just
because certain expectations of the use of cyber have not matched what
we have thus far observed does not mean that Russia is not using cyber
to achieve intended effects against Ukraine." Thus, while one expected
the "big one" or a "Cyber-gedon", we have learned in this conflict that
cyber and military operations serve different objectives and that "Cyber
operations are most effective in pursuing informational goals, such as
gathering intelligence, stealing technology or winning public opinion or
diplomatic debates."

The changing nature of cyberwar puts the emphasis on information
dominance. As the first large-scale conflict of the social media era, the
war is followed worldwide on Twitter, Telegram, TikTok and other
platforms. The lack of trusted sources and the involvement of the private
sector have turned social media into a tactical asset. Open-source
intelligence and commercial satellite imagery now provide tactical data
for both sides, and quickly help replace failing regular military
systems. This is probably the most relevant lesson from this war.
Smartphones and publicly available technology could be enablers in every
soldier's pocket. The ability to report enemy positions and movements,
document them with videos and pictures, and access satellite imagery or
a high-speed internet connection is a game changer for the population
and for the armed forces. Therefore, to shape our future cyber force we
may not only consider lessons learned from Russia, because it has a full
range of capabilities, but also take into account how a country without
a dedicated cyber military organization is fighting.

Protecting targeted audiences from massive online disinformation appears
to be a collective line of effort. From service members to civilians,
from military leaders to political decision makers, understanding the
strengths and weaknesses of our information processing system seems to
be the core of an in-depth defense. Integration of cyber capabilities
into more conventional military operations appears to be quite
challenging and requires educated and trained staff officers.

Russia proves today that cyber is a tool among others for the force
commander, and it is not a magic bullet.