The writer is a former head of the US Cybersecurity and Infrastructure Security Agency and co-founder and partner of the Krebs Stamos Group

In the run-up to Russia’s invasion of Ukraine, the national security community braced itself for a campaign that combines military combat, disinformation, electronic warfare and cyber-attacks. Vladimir Putin would launch devastating cyber operations, it was thought, to take out the government and critical infrastructure, blind Ukraine’s surveillance capabilities and restrict communication lines to aid invading forces. But that’s not how it went. At least not yet.

Prior to the invasion, there were some modest cyber-attacks, including damaging websites on Ukraine’s government and financial services in January, and similar follow-up operations in February. Satellite broadband provider Viasat was hit by an attack that disrupted commercial and industrial operations across Europe, though that event is not tied to Russia yet. That, of course, is our guess at the moment: the war fog, combined with the fact that many Ukrainian businesses have closed, means there are probably more that we don’t know about.

We also need to be realistic about the role of cyber-attacks – they are not in the same league as the tools of conventional warfare. To put it bluntly, if your family gets shot, does it really matter that you can’t check your email? Instead, cyber operations are ideally suited to the “grey zone” – the arena of conflict below the threshold of bombs and bullets – where tactical targets are not just about disrupting services, but also about intimidation, distraction and confusion.

The future think tank monographs and war college lectures that will inevitably unravel Moscow’s strategy are likely to focus on the surprising lack of cyber-attacks in Putin’s invasion plan. Theories range from the Russians not trying so hard on the offensive cyberfront, to the idea that they did — but that Ukrainian and Western defenders proved too formidable.

In fact, there are several factors that would explain why Moscow’s proven cyber capabilities have been in the background of the overall strategy. First, it appears that the Kremlin kept the battle planning to a small group that may have excluded the cyber personnel of Russia’s security services. Successful cyber operations require careful planning, targeting and development, often taking months, if not years. Instead, it appears that the teams have had to scramble existing network access and attack tools to fit the battle plan.

There is also a matter of necessity. Intercepted transmissions indicate that Russian forces are using radio handsets and Ukrainian telecommunications networks to coordinate movements and keep commanders in Russia informed. In this scenario, Moscow would keep the networks operational for its own use. If the Kremlin thought the Ukrainians would give in to a lightning strike in the capital, they would have wanted to preserve critical infrastructure for when they moved there.

But the war is far from over. The Ukrainians continue to retaliate militarily with astonishing effectiveness, while also dominating the information battle. Western unity against Putin’s tyranny manifested in the devastating sanctions, combined with international companies self-sanctifying their Russian operations, has devastated the economy, cutting off essential services and supplies. The preliminary economic outlook for Russia is bleak, not just for the coming weeks or even months, but possibly for years to come.

The danger is that as political and economic conditions worsen, the red lines and escalation judgments that kept Moscow’s most powerful cyber capabilities in check may adapt. Western sanctions and deadly aid to Ukraine could prompt Russian hackers to lash out against the west and send a clear message: “Stop it, we can make this much worse for you”. Russian ransomware actors could also take advantage of the situation, potentially resorting to cybercrime as one of the few ways to monetize.

Let’s not forget that in the past decade Putin’s henchmen have poisoned dissidents at home and abroad, meddled in dozens of democratic elections, wreaked havoc with offensive cyberattacks like NotPetya, and undermined the whole concept of truth and trust. An injured bear can still lunge and wreak havoc as long as it breathes.

To mitigate this risk, we need to take bold action. Government offensive cyber teams must continue to disrupt Russian attacks while quickly sharing intelligence with the industry about Moscow’s intentions and capabilities. However, we must accept that stopping all attacks is not realistic. Industry leaders must recognize that they have a duty to set themselves tougher targets so that the government can focus on supporting Ukraine, rather than putting out house fires.

This post The predicted cyber war in Ukraine may be yet to come

was original published at “”