After Russia failed early in its war against Ukraine to accomplish some strategic objectives through offensive cyberattacks, its turn to physical attacks against Ukrainian critical infrastructure demonstrates “the context of armed conflict dwarfs the cyber impacts,” a Defense Department official said this week.
Protecting assets like data centers during an armed conflict is more than just cybersecurity; it is also “about the physical security of those data centers,” Mieke Eoyang, deputy assistant secretary of defense for Cyber Policy, said on Wednesday during a cybersecurity summit hosted by the Aspen Institute. “It is about whether or not those data centers are within the range of Russian missiles.”
The importance of physical security is just one of the cyber-related lessons that have been learned during the ongoing war in Ukraine.
Eoyang outlined a number of other lessons that DoD has learned, including the need to ensure secure government-to-government communications and networks, which in the case of Ukraine has been important for the U.S. to share defense and intelligence information. Another lesson is the need to ensure that Ukrainian leaders are able to communicate with their forces, she said.
These are areas where DoD has “a lot of expertise” but there are also other lessons being learned that go beyond the Defense Department to “whole of government” approaches, she said.
“We also have to think about what it means for Ukrainians to be able to continue to communicate with the world because the ability of average Ukrainians to tell their story on TikTok, on Twitter, on Facebook, to share video of what has happened to them has denied Russia the information environment that they want to prosecute this conflict,” Eoyang said. “And you can see Russia trying to take away from Ukraine the ability to control its own fate and its traffic by trying to reroute traffic through Russia as they take over territory.”
Sustaining routine government functions is also critical, she said. The ability to maintain control over essential data like records for passports, births, and property is important “as you see Russification efforts happening in occupied territories,” Eoyang said.
“But I think that we have to think very differently about how we think about armed conflict and cyber in light of this conflict,” she said.
Both Russia’s military forces and its cyber forces have “underperformed expectations,” which shows that preparations ahead of a conflict are crucial, Eoyang said, noting that Russia didn’t prepare for a long war. She discussed a paper called “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations,” by the Swiss researcher Lennart Maschmeyer, and the tradeoffs that come with speed, intensity and control.
“So, if you want it fast, then you’re trading off between intensity of effect and control,” she said. “And if you are trying to avoid spillover, say because you’re trying to avoid embroiling NATO in a conflict that you don’t want them to join into because you can barely hold your own against Ukraine, then you might have to lower your expectations for intensity.”
Gary Steele, president and CEO of the software company Splunk Inc. [SPLK], said on a panel alongside Eoyang that there had been an expectation that Russian cyberattacks would also have “downstream” impacts on U.S.-based multinational corporations that have a presence in Ukraine, but that hasn’t happened. Still, these companies remain on “high alert” and are being “very thoughtful about what’s happening in their environments.”
Eoyang credited the Biden administration for working with allied leaders on “deterrence messaging” aimed at preventing Russian cyberattacks against U.S. and allied critical infrastructure and working with the private sector to stay alert, share intelligence about adversarial activity and strengthen their cybersecurity posture.
“I do think that we are seeing what happens when Russia is forced to make choices about how it allocates the cyber capacity that it has,” she said. “I don’t think any of us know what the escalation calculus is going to be and at what point we might be having to really think about attacks on U.S. infrastructure. But it is really important that we are taking all the steps that we can to prepare for the possibility of that to make ourselves as hard and resilient a target as we can be throughout the United States.”
Oleh Derevianko, co-founder, chairman and chief vision officer of the ISSP, a Ukrainian cybersecurity firm, said on the panel that one assumption that everyone always gets wrong is “that technology is the decisive factor in cybersecurity.” While the technology is important, more critical are the skills and talents of the people using the technology.