Abstract

The use of offensive cyber operations in war is no longer theoretical conjecture. Still, as we witness their use, important questions remain. How are offensive cyber operations employed in conventional warfighting, and what is their utility for the warfighting? This article answers these questions by analyzing new empirical evidence from the Russo–Ukrainian War, drawing on the novel TECI-model built for systematically analyzing and understanding offensive cyber operations in war through the model’s four constituent variables: target, effect, complexity, and integration. The article finds the utility of cyber operations in war is limited owing to an unsuitability for physical destruction, high risks of failure, high costs of complex operations that are more likely to attain successful and destructive effects, and a dichotomy between the tempi of conventional and cyber operations leading to cross-domain integration difficulties. Still, two narrow windows for achieving utility exist. Cumulative strategic utility is achievable by targeting critical infrastructure and governments in a persistent barrage of less complex cyber operations. Operational and tactical utility is achievable in the beginning of warfighting where the temporal dichotomy is less pronounced because cross-domain integration can be planned before warfighting commences. Filling a gap in the literature, TECI provides a common and operationalized model for future research systematically analyzing cyber operations, allowing for comparisons on the evolving role of cyberspace in war.

Introduction

On 24 February 2022, Russia launched a full-scale invasion of Ukraine, prompting conventional warfighting in all three classical domains of the air, sea, and land [1]. A newer domain—cyberspace—also saw action. Already in the lead-up to the war, Russia conducted cyber operations targeting the Ukrainian government and critical infrastructure [2]. When conventional warfighting broke out, more cyber operations followed. Russia’s invasion of Ukraine is thus historic; it is one of the first conventional wars involving military operations in cyberspace [3]. Although cyber operations are clearly used, it is less clear what they mean for the warfighting. Are they useful or ineffectual?

Cyber scholars have sought to answer this question for a long time. Many assumptions about the utility of cyber operations have been based on a few oft-cited incidents, however, due to a lack of data [4–6]. Despite this, scholars have made important contributions in recent years to the emerging field of cyber conflict studies and to our understanding of the utility of cyber operations in particular. Initially, the field was characterized by a broad discussion on the possible revolutionary potential of cyber war [7–12]. More recently, situating International Relations concepts in the context of the unique traits of cyberspace, scholars have moved toward a more detailed study of whether and how offensive cyber operations can produce strategic and operational effects in and outside the context of warfighting [5, 6, 13–21].

Now, the Russo–Ukrainian War provides novel data allowing us to revisit debates in cyber conflict studies and assess some of the common assumptions. Several scholars have already studied the use of cyber operations in the war [22–32]. While these studies constitute important steps toward a more data-driven discussion of cyber operations, the field lacks a firm basis for comparing findings across different studies, which are often disparate in methodology. We make up for this by formulating a model capable of serving as the common basis for analyzing cyber operations in war.

Besides characterizing the utility of offensive cyber operations in warfighting based on a systematic analysis of data from the Russo–Ukrainian War, this article contributes to the literature by formulating the novel TECI-model named for its four variables of analysis: target, effect, complexity, and integration. The TECI-model is tailored to deliver insights on the utility of cyber operations in war and it serves as a common model for future research on the Russo–Ukrainian War and other conflicts, improving the field’s ability to compare and track the evolving use of cyber operations in war.

Empirically, the article draws mainly on material published by the CyberPeace Institute (CPI) and Microsoft, including both their April and June 2022 reports (We acknowledge that the sources are not free from bias and compensate by cross-checking between multiple sources [33]. Microsoft has commercial interests in cybersecurity and supplies the Ukrainian government with services used to defend against Russian operations. CPI delivers services to Ukrainian NGOs. To strengthen the data’s credibility, this article disregards any value-based assessments of cyber events made by either Microsoft or CPI and uses only fact-based descriptions and technical analyses. These are then cross-checked when possible.). The data consist of descriptions and technical analyses of cyber operations conducted in Ukrainian cyberspace by Russian state actors from January until December 2022 (The dataset will be made available upon request by contacting the authors.). Using material from both sources serves as a control of their accuracy. The sources are cross-checked to find common trends that thus constitute a more representative sample of operations in Ukrainian cyberspace. However, publicly available data most likely do not represent a full picture of Ukrainian cyberspace due to the fog of war. Different trends may emerge if more data were released, in which case further research should be conducted.

The empirical evidence is analyzed through the TECI-model. The model contains four variables that describe essential aspects of offensive cyber operations in war, namely the target, effect, and complexity of a cyber operation as well as its integration with conventional military operations. The variables were chosen for their ability to provide insights necessary for assessing the utility of cyber operations in warfighting, as evaluated by the analysis in this article. TECI thus elucidates how military actors employ cyber operations in warfighting, which allows us to determine their strategic, operational, and tactical utility.

The article finds that Russia’s military cyber operations have generally been of limited utility for the conventional warfighting in Ukraine except for in two circumstances. These findings may not be generalizable to future wars, however, for example due to idiosyncratic decisions by Russian cyber forces and the particular composition of Ukrainian cyberspace as well as actions by Western actors [30, 31]. Wars may unfold in ways that lessen or exacerbate the limitations and windows of opportunity found in this article. Still, the findings are indicative of the current state of affairs, and the TECI-model is readily applicable for systematically analyzing future wars.

On the face of it, Russian cyber operations have had a large potential for affecting the warfighting by repeatedly targeting Ukrainian government entities in addition to critical infrastructure, as shown in our analysis. This potential is limited by four other trends, however, with each trend speaking to assumptions in the literature as explained below. No particular trend can be singled out as more significant than the rest in limiting the utility of the cyber operations.

First, Russian cyber operations rarely sought physical destruction, opting instead for destruction of data, which lowered their potential utility in warfighting. This trend supports the widely shared assumption in the literature that cyber operations are unsuited for physical destruction [5, 7, 20]. Second, the effects of Russian cyber operations as encoded in their payloads often failed to materialize. This suggests that cyberspace in fact favors the defense with respect to the offense–defense balance, contrary to the common assumption that cyberspace is offense dominant [34, 35]. Third, Russian state actors have tended to recycle already known malware families [36]. This decreased their ability to avoid detection by defensive measures, which partly explains the second trend of absent effects. The third trend thus speaks to the transience of cyber weapons, confirming the assumption that offensive cyber operations eventually lose their utility without the continuous but costly development of novel cyber weapons [15, 37, 38]. Fourth, cyber operations were seldom integrated into conventional military operations, lowering their potential utility for the warfighting. This supports the common assumption that integrating cyber capabilities with other capabilities is difficult [16, 39, 40].

The article finds two explanations for these limitations. The first explanation concerns the temporal characteristics of operations. Contrasted with conventional warfighting, cyber operations tend to be slower to plan and stage as well as more uncertain in their ability to execute precisely timed effects. There is, in a nutshell, an incongruity between the relatively slow cyber operation and the fast-paced conventional operation. This explains why Russian cyber operations were infrequently integrated with conventional operations, and why conventional means such as missile strikes were likely preferred when destructive effects were sought. The second explanation is the high cost of cyber operations that rely on novel and target-specific malware and tools. Such highly complex operations are more likely to be successful and to achieve destructive effects. It is prohibitively difficult for most actors to continuously conduct such complex and costly operations, however, explaining why Russia began recycling malware a few weeks into the invasion. This limited the operations’ chances of successful and destructive effects as well as their utility.

As exceptions to this general trend of limited utility, however, the article finds two sets of circumstances—narrow windows of opportunity—in which cyber operations can affect conventional warfighting. Both windows of opportunity are evident in the analyzed data from the Russo–Ukrainian War.

The first narrow window of opportunity is a cumulative impact on the strategic level of warfighting. This is achieved by undermining national resources and instruments of power through the persistent targeting of critical infrastructure and government entities as well as forcing the defender to direct resources to defensive cyber capabilities instead of conventional warfighting. The second window of opportunity is an impact on the operational and tactical levels of warfighting specific to the beginning of a war. The incongruity between the slow cyber operation and the fast conventional operation, which otherwise hinders operational and tactical utility, is less applicable right when warfighting commences. The slow aspects of a cyber operation can be conducted before war breaks out, rendering its delivery of effects fast-paced in the war’s beginning. This improves its ability to integrate into conventional operations and so also its chance of generating operational or tactical advantages. In these narrow ways, cyber operations can achieve significance and impact the warfighting despite their otherwise limited utility.

The article proceeds in five sections. The first section situates the current debate on cyber operations in war within the broader field of cyber conflict studies. The second section develops the TECI-model for assessing the use of cyber operations in war. The third section applies the TECI-model to systematically analyze Russian cyber operations in the Russo–Ukrainian war. The fourth section discusses these results to elucidate the strategic, operational, and tactical utility of cyber operations in conventional warfighting. The fifth section concludes the article.

Cyber conflict studies: from cyber war to cyber operations

Over the last decade, the literature on cyber warfare and cyber operations has evolved quite extensively, and today some scholars even talk about a new subdiscipline in International Security Studies called cyber conflict studies [41, 42]. The initial discussions within cyber conflict studies were dominated by conceptual and theoretical disagreements, on the one hand, on “cyber war” as a useful analytical category [7, 10, 11, 43–46], and on the other, on the revolutionary potential of our new cyber realities for the international order [8, 47–50]. These disagreements led to several attempts to apply well-known strategic concepts such as deterrence [12, 44, 51–56], offensive–defensive balance [34, 35, 57, 58], and escalation [59–62] to the context of cyberspace often characterized by increased speed, scale, and relative ease of anonymity [8, 17, 54, 63–67]. Specifically for the offense–defense balance, consensus in the literature sees cyberspace as offense dominant, increasing fears of attacks and encouraging arms races [34]. Even so, there is broad agreement on cyberspace being less suitable for causing physical violence than conventional military domains [5, 20].

Most of these contributions, however, relied primarily on a few oft-cited incidents like the 2007 Russian cyberattacks against Estonia, the Israeli bombing of a suspected Syrian nuclear reactor allegedly enabled by a cyberattack (Operation Orchard), the Russian cyberattacks accompanying the 2008 military intervention in Georgia, and the US–Israeli Stuxnet worm destroying Iranian nuclear centrifuges (Two notable exceptions to the reliance on few oft-cited incidents are Valeriano and Maness’ 2014 “The dynamics of cyber conflict between rival antagonists” as well as Maness and Valeriano’s 2016 “The Impact of Cyber Conflict on International Interactions” [68, 69]. See also [4].).

With the increasing political acceptance of cyberspace as a domain for military operations, and with more and more states investing in military cyber capabilities [70–72], the literature saw several contributions discussing how states can integrate cyber operations with conventional capabilities in other branches of the armed forces [20, 40, 73, 74] and in alliances [75–77]. Smeets’ PETIO-framework, for example, highlights the importance of C2 and preparatory infrastructure, interorganizational coordination, and having the right people to develop, maintain, and operate exploits and tools as well as to support with administrative, operational, and legal expertise when developing a military cyber force [78]. Others also point to challenges to the integration of cyber and noncyber capabilities stemming from temporal constraints as well as issues with deconfliction and battle damage assessment [75].

Some scholars zoom in on the difficulty of military cyber operations to produce strategic effects [14, 17, 79, 80]. Maschmeyer argues that the effectiveness of military cyber operations is limited by a trilemma between speed, intensity, and control, rendering cyber operations unlikely to deliver on their strategic promise—even in their more covert subversive forms [6]. Scholars further hypothesize that offensive cyber operations are temporally constrained by the transitory nature of cyber weapons, leading to difficulties achieving effects once malware is burned and requiring costly reinvestment to produce new malware to sustain operations [15, 37]. Again, many of these assumptions draw on the cases mentioned above, accompanied by case studies of the Russo–Ukrainian conflict 2013–2017 and the US Operation Glowing Symphony against ISIS [6, 39, 81–84].

The lack of accessible data on the use of cyber capabilities in military operations has also meant that most scholars have turned their attention to activities that take place in the grey zone below the threshold of armed conflict [85]. Often spurred by Russia’s 2016 hack of the US Democratic National Committee or the new US strategic cyber vision of persistent engagement, scholarly contributions have largely come to see cyber operations as part of an intelligence contest, information warfare, or as a preemptive logic [18, 86–94]. While it is certainly justified to conclude that cyber operations have proven most useful as a tool in political competitions short of war, it is premature to disregard the potential benefit of cyber operations in war. With the Russian invasion of Ukraine, a new dataset is available to help us better understand the utility of cyber operations in war and ultimately validate or reject assumptions in the literature.

The TECI-model for understanding cyber operations in war

Analyzing the new data requires an analytical model for understanding militaries’ use of cyber operations in war. This section develops such a model (Some scholars categorize different kinds of cyber harms. Agrafiotis et al. [95] construct a taxonomy of cyber harms that can result from cyberattacks.). Summarized in Table 1, the model—named TECI for its constituent variables—systematizes and operationalizes a broad range of perspectives in the literature that have not been readily applicable to systematically analyzing larger data sets in the specific context of warfighting. The TECI-model is explained in detail after first noting some of these existing perspectives in the literature.

Table 1. Summary of the TECI-Model.

Variable | Definition of variable | Possible values | Definition of possible values
Target | Type of entity whose systems are targeted by the cyber operation | Critical infrastructure; Government; Media; Other targets | Entities in transportation, energy, utilities, and ICT sectors; Public authorities, incl. military; Entities in mass communication; All other types
Effects | Type of direct effects on systems experienced by targets | High effect; Medium effect; Low effect; No effects | Physical destruction; Destruction of data; Disruption or exfiltration of data; Absence of effects
Complexity | Sophistication and scale of the cyber operation | High complexity; Medium complexity; Low complexity | Novel malware, tools, and techniques; Known, possibly modified, malware, tools, and techniques; DDoS attacks, simple brute-forcing
Integration | Degree of coordination between cyber and noncyber capabilities during the operation | High integration; Medium integration; Low integration; No integration | Coordinated in planning and execution; Coordinated in planning; Coordinated in general objective; Absence of coordination

Ashraf has introduced a framework for comparing definitions of cyberwar [5]. This framework is not built for understanding the use of cyber operations but still hints at some central aspects of cyber operations. Rattray and Healey [96] have proposed a 12-factor framework for categorizing offensive cyber operations. It is neither tailored to cyber operations in warfighting nor evaluated empirically. More recently, Moore proposed a framework distinguishing between event- and presence-based offensive cyber operations [19]. While this framework is better suited for the context of war, it is not evaluated on extensive empirical evidence in war.

Specifically elaborating on relations between cyberspace and other domains, Egloff and Shires propose “three logics of integration” for categorizing how cyber capabilities can be integrated with noncyber capabilities [20]. Cyber operations can substitute conventional operations by achieving effects instead of conventional operations, support conventional operations by increasing the conventional operations’ power, precision, range, or resilience, and finally complement conventional operations by acting in addition to conventional means thus adding a new course of action to the actor’s repertoire [20]. The logics of substitution, support, and complementation show the realms of possibility for how cyberspace and noncyber domains can be interrelated when conducting cyber operations.

None of the above perspectives and proposed models are simultaneously readily applicable for systematic analysis of larger data sets, evaluated on data other than few oft-cited operations, and tailored to elucidate insights on the utility of offensive cyber operations in war. Still, their underlying ideas suggest useful starting points for developing such a model.

Based on these insights, this section develops and introduces the TECI-model. The model is then applied to data in subsequent sections. TECI spans four operationalized variables: the target, effect, and complexity of a cyber operation as well as its degree of integration with conventional operations. The four variables were carefully chosen as they reveal aspects of cyber operations key to their use and utility in war (While other variables such as actor types and attribution could be included, these are less relevant than the TECI-variables when examining militaries’ use of cyber operations in war. This article only examines operations by state actors, leaving little reason for adding an ‘actor’-variable. Similarly, the question of attribution is not important for examining the utility of cyber operations in war. Attribution is certainly a relevant parameter in conflicts short of war. See [97, 98]. However, it is much less relevant once warfighting has commenced.). To assess the utility of an offensive cyber operation in warfighting, one must have insights into who the operation is affecting (target), how it is affecting the target (effect), how costly, difficult, and time-consuming it is to conduct and defend against (complexity), and how it may be a force-multiplier for the warfighting (integration). Tailored to the study of war, readily applicable for analysis of larger data sets, and empirically evaluated in this paper, TECI delivers exactly these necessary insights to assess the utility of cyber operations in war.

The first variable is the target of a cyber operation. It is a categorical variable denoting the type of entity or entities whose IT-systems are directly affected by the operation. It distinguishes between four categories of targets. The first is critical infrastructure and includes entities in the transportation, energy, utilities, and ICT sectors. The second category, government, covers public authorities across local, regional, and national levels as well as military entities. The third is media, which comprises entities involved in mass communication such as newspapers, broadcasters, and online news media. The fourth category, other targets, covers any other type of target not included in the preceding categories. The four categories thus pick out and differentiate between targets that are typically considered key for both the defender and the attacker to control or influence in order to further their war efforts.

The second variable gets at the effects of a cyber operation. It is an ordinal variable that measures the direct effects experienced by a cyber operation’s target entity or entities based on the coding of the operation’s cyber weapon. The variable’s scale ranges from no effects to low, medium, and high effects.

No effects straightforwardly denotes the absence of effects of a cyber operation on its intended target, for example in the case of premature discovery. Low effects are defined as the disruption of IT-systems by temporarily undermining their functionality as well as the exfiltration of data from IT-systems. A DDoS-attack or data theft would constitute a low-effect operation. Cyber operations with a low effect importantly do not produce irreversible effects on their targets. Medium effects cover cyber operations that render data permanently inaccessible or, in essence, destroy data. This is an irreversible and therefore more severe effect, but it is importantly limited to the logical layer of cyberspace such that no physical objects are irreversibly damaged. A wiper attack deleting data would be a medium-effect operation (Ransomware attacks, where actors encrypt data with the intent of receiving monetary compensation before decrypting the data, could constitute either medium or low severity depending on the actual effects on data. During warfighting, if the data is decrypted once a target pays an actor, the attack constitutes low severity since the target’s access to the data was disrupted and not irreversibly blocked. If the data is not decrypted, however, the attack would constitute medium severity since the target’s data are permanently and irreversibly inaccessible. Ransomware could even fall into the high severity effects category if the data encryption somehow caused physical damage.). The final high effects category contains operations whose effects amount to physical destruction. These operations cause irreversible damage to hardware or other physical objects. The physical destruction need not present itself in the physical layer of cyberspace only; it may involve the destruction of other physical objects such as industrial hardware like generators brought about by malicious code. A cyber operation damaging hardware or other physical objects in a power grid would thus be a high-effect operation.

In sum, this second variable gets at a central aspect of a cyber operation—its effect on target entities—and delineates operations based on the types of these direct effects, with irreversible effects and physical effects understood to be more severe than reversible and nonphysical effects, respectively.

The third variable measures a cyber operation’s complexity. As an ordinal variable, it assumes one of three ordered categories from low to medium and high complexity. Complexity is understood as the scale and technical sophistication of the planning, staging, and execution of a given cyber operation. The complexity is thus positively correlated with the operation’s costs and the time needed to plan, stage, and execute it. Additionally, the operation’s complexity is positively correlated with its target specificity. If an operation targets a very specific entity or a set of specific entities with a very specific effect—such as malware aimed at a certain brand of industrial control systems running certain hardware—the operation is, ceteris paribus, less capable of replicating these effects against other entities. This high degree of target specificity makes the operation more complex as more time and resources are needed to tailor the appropriate aspects of the operation to match its distinctive target or set of distinctive targets (An operation targeting a single, specific entity is understood as more complex than one indiscriminately affecting hundreds of random targets. An operation targeting multiple very specific entities is of course more complex than one targeting just the single one.).

However, the complexity and its correlated costs are difficult to measure directly in most empirical evidence of cyber operations. The cost, duration, or intended target specificity of operations are rarely divulged by their actors. It is nevertheless more often possible to identify the cyber weapons used in an operation, although this identification process may be time-consuming. We define a cyber weapon as the computer code—in the form of malware or other tools—utilized by a cyber operation to achieve a technical effect on targets in or through cyberspace. It is worth emphasizing that the cyber weapon need not be malware but could involve utilizing other tools and techniques, even legitimate ones employed in a malicious way [36].

Importantly, a cyber weapon can act as a proxy for an operation’s costs in time and money, target specificity, and thus its complexity in lieu of other evidence. That is, the use of a highly complex cyber weapon indicates a highly complex operation and vice versa. To find the complexity of a cyber operation, the model therefore analyzes the technical complexity of the operation’s cyber weapon.

The complexity variable is thus operationalized as follows. High complexity covers operations using novel malware or tools that have not been observed before, for example because they utilize zero-days. Such operations are highly complex because they necessitate the time-consuming and costly development of cyber weapons, often with a particular target in mind. To illustrate with a typical example, Stuxnet would be categorized as a highly complex cyber weapon and Operation Olympic Games as a highly complex operation.

Medium complexity covers operations utilizing already known malware or tools, including modified versions of said malware or tools. These are less complex because they do not involve the same time-consuming and costly novel developments, but they are still complex in that they necessitate some degree of target-specific preparation, planning, and execution. An example of medium complexity is the 2017 NotPetya-operation utilizing, among other things, EternalBlue exploits, which had previously been used in the WannaCry-ransomware campaign and allegedly been leaked from the NSA [99, 100]. The original deployment of EternalBlue amounts to high complexity; the reuse of those exploits, even if slightly modified, is what drives an operation into medium complexity.

Finally, low complexity covers operations utilizing only DDoS, password spraying, or other simple brute-forcing methods. These are cheaper, easier, and faster to prepare, plan, and execute, and they can be replicated against any other target with little change, indicating low target specificity [101–105].

Of course, an operation may involve several different cyber weapons, for example a mixture of novel malware or tools, recycled malware, and DDoS attacks. This is fully in line with the above formulation of the complexity variable, as explained next.

For an operation to be considered of high complexity, it must use novel malware or tools against its target, regardless of which other cyber weapons it also uses. An operation involving novel malware, recycled malware, and DDoS attacks is thus classified as highly complex. The medium complexity category is governed by a two-pronged condition: the operation does not use novel malware or tools but does use already known malware or tools against its target, regardless of which other cyber weapons it also uses. An operation using recycled malware and DDoS attacks is thus of medium complexity, whereas an operation using recycled as well as novel malware is not; it is highly complex. Lastly, low complexity operations are governed by a three-pronged condition: the operation does not use novel malware or tools, does not use recycled malware or tools, but does use DDoS, password spraying, or other brute-forcing methods as its cyber weapon. Operations using any type of malware-based exploit against their targets are thus not of low complexity; those employing only DDoS attacks against their targets are. In other words, the categories are ordered by precedence: the most complex cyber weapon observed in an operation determines the complexity of the operation, and whether a weapon counts as novel depends on what had been observed before that operation.
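As an added illustration (not part of the article, and not tooling of the TECI authors), the following Python implements the precedence rule above over a chronological list of operations. Novelty is judged against the malware and tool families observed before each operation, which is what makes a weapon novel on its first use and recycled afterwards, and a modified version of a known family (here Industroyer2 as a modification of the 2016 Industroyer, as the article describes it) counts as known. All operations, dates, and family names other than Industroyer and Industroyer2 are constructed for the example and are not CPI or Microsoft data.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import List, Optional, Tuple


class Complexity(IntEnum):
    """Ordinal complexity categories of the TECI model."""
    LOW = 1      # only DDoS, password spraying or other brute-forcing
    MEDIUM = 2   # known malware/tools (recycled or modified), nothing novel
    HIGH = 3     # at least one malware family or tool not observed before


# Non-malware methods the model treats as cheap and non-target-specific.
SIMPLE_KINDS = {"ddos", "password_spraying", "brute_force"}


@dataclass(frozen=True)
class Weapon:
    kind: str                 # "malware", "tool", or one of SIMPLE_KINDS
    name: str = ""            # family name; empty for simple methods
    based_on: str = ""        # family this is a modified version of, if any


@dataclass
class Operation:
    op_id: str
    observed: date            # discovery/deployment date, used for ordering
    weapons: List[Weapon] = field(default_factory=list)


def classify(op: Operation, seen: set) -> Tuple[Optional[Complexity], str]:
    """Apply the TECI precedence rule to one operation.

    `seen` holds family names observed in earlier operations. A weapon is
    'known' if its family, or the family it modifies, is in `seen`;
    otherwise it is novel. Returns (category, reason); the category is
    None when no cyber weapon could be identified for the operation.
    """
    if not op.weapons:
        return None, "no cyber weapon identified"
    novel, known, simple = [], [], []
    for w in op.weapons:
        if w.kind in SIMPLE_KINDS:
            simple.append(w.kind)
        elif w.name in seen or (w.based_on and w.based_on in seen):
            known.append(w.name)
        else:
            novel.append(w.name)
    if novel:                      # a novel weapon dominates everything else
        return Complexity.HIGH, "novel: " + ", ".join(novel)
    if known:                      # no novel weapon, but known malware/tools
        return Complexity.MEDIUM, "recycled/modified: " + ", ".join(known)
    return Complexity.LOW, "simple methods only: " + ", ".join(simple)


def classify_timeline(ops, baseline=()):
    """Classify operations in date order, growing the 'seen' set as we go,
    so that a family is novel on first use and recycled afterwards."""
    seen = set(baseline)           # families already public before the window
    results = {}
    for op in sorted(ops, key=lambda o: o.observed):
        results[op.op_id] = classify(op, seen)
        seen.update(w.name for w in op.weapons
                    if w.kind not in SIMPLE_KINDS and w.name)
    return results


def distribution(results):
    """Counts per category, the numbers a bar chart like Fig. 3 would show."""
    return Counter(cx for cx, _ in results.values() if cx is not None)


# Constructed sample, not CPI or Microsoft data. Family names other than
# Industroyer/Industroyer2 are hypothetical; dates are illustrative.
BASELINE = {"Industroyer"}         # public since the 2016 grid operation
SAMPLE_OPS = [
    Operation("op-ddos", date(2022, 2, 15), [Weapon("ddos")]),
    Operation("op-wiperA", date(2022, 2, 23), [Weapon("malware", "wiper-A")]),
    Operation("op-wiperB", date(2022, 2, 24),
              [Weapon("malware", "wiper-B"), Weapon("ddos")]),
    Operation("op-reuse", date(2022, 3, 10),
              [Weapon("malware", "wiper-A"), Weapon("ddos")]),
    Operation("op-ics", date(2022, 4, 8),
              [Weapon("malware", "Industroyer2", based_on="Industroyer"),
               Weapon("malware", "wiper-A")]),
    Operation("op-unknown", date(2022, 5, 1), []),
]

if __name__ == "__main__":
    results = classify_timeline(SAMPLE_OPS, BASELINE)
    for op_id, (cx, why) in results.items():
        print(f"{op_id:12} {cx.name if cx else 'n/a':7} {why}")
    print(dict(distribution(results)))
```

The ordering matters: if the first use of wiper-A were missing from the input, its March reuse would be scored as novel and the operation as highly complex, which is exactly the misclassification the article's caveat about recycled weapons warns against. Operations with no identifiable weapon are returned as unclassified rather than forced into a category, matching the article's practice of reporting n for "identifiable" cases only.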

The fourth and final variable, integration, is ordinal and covers four ordered categories from no to low, medium, and high degrees of integration. This range is based on the degree to which a cyber operation is coordinated with and thus integrated into the warfighting in the conventional domains.

No integration simply corresponds to the absence of any coordination and thus integration between events and capabilities in cyberspace and noncyber domains.

Low integration picks out cyber operations whose effects are aligned with the objective of effects delivered by conventional capabilities without directly influencing or being influenced by these. This amounts to a low degree of coordination because there is no direct dependency between the cyber and noncyber operation. Still, low-integration cyber effects are at least loosely coordinated with the noncyber operation in terms of timing, targeting, and general purpose if the effects are truly to stand in addition to the noncyber operation and its objective. This loose coordination in timing, target, and purpose accounts for the evident albeit low degree of integration. An example of low integration is the US Operation Glowing Symphony countering ISIS in cyberspace alongside the conventional campaign against the terrorist group. The operations were aligned in timing, targeting, and overall purpose [106].

Medium integration occurs when a cyber operation is coordinated with noncyber capabilities in the planning phase when military staffs plan and decide between cyber and noncyber courses of action. A medium-integration cyber operation is thus carried out to achieve an operational goal of the warfighting that could have been achieved by other capabilities. Medium integration thus creates cross-domain dependencies by necessitating alignment in at least the battle rhythms of cyber and noncyber planning entities, resulting in a higher level of integration than low integration operations. Importantly, the TECI-model is concerned specifically with cyber operations in the context of warfighting contrary to other models’ focus on contests short of war. In the warfighting-focused TECI-model, the cross-domain dependency in the medium integration logic precisely arises because there is in fact a war “going on around” the cyber and noncyber operations under consideration. The cyber operation, if chosen to achieve an operational goal of the warfighting, is not happening in a vacuum but must fit in and be somewhat aligned with the noncyber efforts characterizing the warfighting at that point in time at least in the planning phase—e.g. its battle rhythm, targets, and objectives.

Finally, high integration covers cyber operations that are directly coordinated with noncyber operations such that the cyber effects contribute to the success of a noncyber operation. In this case, robust and direct dependencies exist between cyber and noncyber operations through, for example, deconfliction or precisely timed effects necessary for progressing the respective operations. This necessitates comprehensive coordination and alignment in battle rhythms between cyber and noncyber capabilities not only in the planning phase—as in the case of medium integration—but also during the execution of the operation itself. A cyber operation characterized by direct coordination with noncyber capabilities throughout its operational life cycle thus exhibits a higher form of integration than the medium-integration where the coordination chiefly occurs before the cyber operation is carried out. An example of high integration is the Israeli Operation Orchard, where cyber assets allegedly disabled Syrian air defenses during an air strike, contributing to the conventional operation’s success through real-time cross-domain dependencies [47].

In sum, the integration variable explicates and orders the ways in which cyber operations can be integrated with noncyber operations based on the extent of cross-domain coordination and dependencies required.

A systematic analysis of Russian cyber operations in Ukraine

This section applies the TECI-model to data from the 2022 Russo–Ukrainian War to analyze trends in the use of offensive cyber operations in conventional warfighting.

The analysis is concerned only with offensive cyber operations conducted by Russian state actors against Ukrainian targets. This is for two reasons. First, the data sources examined by this article are mainly focused on operations by Russian state actors. Second, to analyze the use of cyber operations in conventional warfighting, the data should comprise operations against entities that take part in the warfighting. The data is further limited to operations between January and December 2022, thereby including the immediate preparations for war in January and February.

The analysis is divided into four subsections matching the target, effects, complexity, and integration variables. Trends are presented and accompanied by emblematic examples. Major findings are summarized in a concluding subsection.

Targets

Overall, Russian cyber operations predominantly targeted Ukrainian critical infrastructure and government entities. The results of the TECI-model’s target analysis are shown in Fig. 1. This indicates Russia sought to undermine Ukrainian war efforts through offensive cyber operations, directly by targeting the Ukrainian state and indirectly by targeting functions critical to the stability of Ukrainian society.

Figure 1. Distribution of target type for Russian cyber operations with identifiable targets in CPI data (n = 42): government entities (14), critical infrastructure (16), media (6), and other entities (6).

Critical infrastructure comprises the transportation, energy, utilities, and ICT sectors. The CPI data includes 47 operations by Russian state actors with 42 identifiable Ukrainian targets [107]. The transportation sector was targeted twice, the energy sector four times, and the ICT sector 10 times. Altogether, critical infrastructure accounts for 38% of identifiable targets in CPI’s data.

In April, Microsoft published target types for an allegedly representative selection of Russian cyber operations since the invasion [36]. These constitute a subset of 57 targets. Seven targets belong to the energy sector and 12 to the ICT sector. An unspecified number of operations targeted the transportation sector, which is grouped with other target types, although an operation around 17–23 March targeting a transportation entity is explicitly mentioned [36]. Thus, critical infrastructure entities were likely targeted at least 20 times in the presented subset. This amounts to roughly 35% of targets, matching CPI’s 38%. Additionally, until late April, more than 40% of data-destroying operations targeted critical infrastructure [36].

The government category consists of public authorities across national, regional, and local levels including military entities. Of the 57 targets in Microsoft’s data, two are military entities and 19 are national authorities [36]. The subset does not specify the number of targets in regional and local government, which are grouped with other target types. Yet, the Microsoft data explicitly describes two operations targeting regional authorities around 17–23 March and 3–9 March [36]. This means all levels of government are targeted at least 23 times accounting for 40% of the subset. Microsoft also reports that government entities account for 32% of targets by Russian data-destroying operations [36]. In comparison, 14 of the 42 targets in CPI’s data can be categorized as government entities [107]. This amounts to 33%—largely similar to the Microsoft data.

The remaining categories are media and other targets. Only four of 57 targets, or 7%, are described as media entities in the Microsoft subset [36]. Six operations, or 14%, target the media in CPI’s data [107]. Another six targets in CPI’s data can be classified as other targets, accounting for the remaining 14% [107]. In Microsoft’s subset, 11 targets appear in an “other targets” category [36]. The analysis above found that at least two of these were regional government entities while at least one was a transportation entity. This leaves at most eight other targets per the model. Microsoft’s subset further reports two targets in the consumer retail sector, which brings the number of other targets to 10. Similar to CPI, then, roughly 17% of Microsoft’s subset constitute other targets.

In sum, as shown in Fig. 1, Russian cyber operations targeted other targets and media considerably less frequently than critical infrastructure and government. While media and other targets may be less important for Ukraine’s war efforts than government and critical infrastructure, they still include entities which provide services of importance for the stability of Ukrainian society.

Effects

Analyzing the effects of Russian cyber operations, this subsection finds that a large share of operations had payloads coded to destroy data and thus sought to achieve medium effects while another large share sought low effects through disruption and data exfiltration. Only one operation sought high effects in the form of physical destruction, although there is no clear evidence of this effect materializing. The data further suggest many operations coded to achieve medium and low effects in fact failed to achieve them, although the fog of war in Ukrainian cyberspace inevitably clouds any clear conclusion on this point. The results of the effects analysis are summarized in Fig. 2.

Figure 2. Distribution of effect types for Russian cyber operations with identifiable effects in CPI data (n = 29): high (1), medium (12), and low (16).

In total, the effects of 29 operations could be identified in CPI’s data as assessed by their payloads. Microsoft’s reporting reveals the technical effects of at least 38 cyber operations in their April report, excluding an unreported number of operations with effects amounting to disruption and data exfiltration, and at least 48 cyber operations in their June report, although many of these were likely also included in the April report.

The only Russian operation whose payload was coded to achieve high effects was discovered on April 8. It targeted industrial control systems in Ukrainian power grid substations [36, 107]. The operation utilized malware now known as Industroyer2 together with the data-destroying CaddyWiper malware [108]. The former was a modified version of the Industroyer malware used in cyber operations against the Ukrainian power grid in 2016 [108]. According to technical analyses, the Industroyer2 operation sought physically destructive effects, attempting to manipulate control systems and cut the power for up to two million Ukrainians [36, 108, 109]. Discovered shortly after the payload was deployed, the operation ultimately did not affect the power grid [108]. Had it been successful, it would have been a strong case for high effects. While Industroyer2 may have destroyed some hardware even if the power grid was not affected, and CaddyWiper could have destroyed data on some systems, there is no evidence of this. Still, even though the Industroyer2 operation’s effects did not materialize, it was coded to achieve high effects—and was the only Russian operation to do so.

Medium effects consist in data destruction. Numerous Russian operations in the CPI and Microsoft data fit this category. It is unclear, though, to what extent these effects materialized, i.e. whether the data-destructive effects coded in the cyber weapons were actually triggered on target systems. Some reporting suggests many failed.

Microsoft’s April report describes “destructive” cyber operations as a prominent part of Russian activities in Ukrainian cyberspace [36]. This is Microsoft’s terminology for data-destroying operations. Microsoft reports a data set of 37 operations from 23 February until 8 April that deployed data-destroying cyber weapons [36]. In June, Microsoft claimed to have witnessed “multiple waves” of data-destroying operations targeting 48 unique Ukrainian entities [2].

Likewise, in CPI’s data, numerous operations appear to have deployed cyber weapons coded to achieve medium effects. Some of these operations are also described in Microsoft’s data. At least 12 operations in CPI’s data can be classified as seeking data destruction based on observed effects or utilized cyber weapons [107]. Moreover, every identified Russian operation utilizing novel cyber weapons, which is therefore highly complex per the model and among the most costly operations, sought to destroy data [36]. That Russia sought data-destroying effects in the operations they spent the most time and resources on suggests that medium effects were prioritized. They constitute 41% of identified effects in CPI’s data.

The analysis is complicated by difficulties confirming actual effects of cyber operations described in the data before they are discovered and mitigated. Microsoft’s June assessment said data-destroying operations had been more prevalent than the reporting at the time made them out to be [2]. The assessment does not reveal the success rate of Russian operations but states that defensive measures until late June had “withstood attacks far more often” than not [2]. If true, many operations coded to achieve medium effects likely failed to achieve them. Scholars and companies like Microsoft have posited the migration of Ukrainian data to cloud services hosted in NATO countries, where Russia is less willing and able to strike, as one factor limiting the impact of Russia’s data-destructive cyber operations [2, 30, 110]. Nevertheless, both CPI and Microsoft data indicate that a large share of Russian operations at least attempted to deploy cyber weapons coded to achieve medium effects.

Low effects amount to data exfiltration or disruption of systems. The analysis finds a large share of Russian operations employing cyber weapons coded to achieve such low effects. The prevalence is comparable to and possibly greater than the prevalence of medium effects. It is again unclear how often these low effects materialized on target systems.

In CPI’s data, a total of 16 operations can be classified as pursuing either disruption or data exfiltration based on observed effects or cyber weapons like DDoS-attacks or data-stealing malware [107]. This is more than the 12 data-destroying operations. Microsoft does not report the precise prevalence of low effects operations. Instead, the April report observes that Russian state actors have “routinely” attempted to disrupt in addition to destroy data on networks belonging to government and critical infrastructure entities [36]. Microsoft elsewhere describes that Russian state actors both destroy and exfiltrate data on targeted systems [36]. Microsoft’s reporting thus indicates that low effects constitute a nontrivial share of observed effects on Ukrainian targets.

In sum, Microsoft and CPI data suggest a large share of Russian operations were coded to achieve low effects through disruption or data exfiltration. The data do not permit estimating a precise success rate for these low effects. If Microsoft’s assessment that Ukrainian defenses succeeded more often than not is true, many low effects may have failed.

The final category of no effects denotes a cyber operation’s failure to achieve its effects, which has been touched upon in the preceding analyses. Based on these, four points are noteworthy. First, it is often difficult to obtain reliable evidence for the effects of reported cyber operations. This complicates the analysis. Second, despite this, our analysis suggests that at least some Russian operations fail such that the effects coded in their cyber weapons do not materialize on target systems. The data includes several such failures. Other sources corroborate Microsoft’s claim on the success of Ukrainian defenses [111, 112]. Third, it is clear, however, that Russia has succeeded to some extent in achieving medium and low effects. Several such successes are evident in the data. What is also clear, as a fourth point, is the absence of high effects.

Complexity

This subsection analyzes the complexity of Russian cyber operations based on the low, medium, and high complexity categories reflecting the respective use of DDoS or other simple brute-forcing methods, known malware and tools, and novel malware and tools. The majority of operations across the period of observation are of medium complexity but the ratio between complexity categories changes through time. See Fig. 3 for the overall distribution of complexity types in Russian cyber operations.

Figure 3. Distribution of complexity of Russian cyber operations with identifiable complexity types in CPI data (n = 29): high (9), medium (18), and low (2).

The complexity of 29 Russian operations can be identified in CPI’s data [107]. Eighteen are medium complexity operations, nine are high complexity, and two are low complexity. Microsoft’s reporting reveals a comparable ratio: nine high complexity operations, an unspecified number of medium complexity operations that is likely in the high 20s to low 30s, and four low complexity operations.

A total of nine high complexity operations are evident across CPI and Microsoft data [36, 107]. These operations utilized malware and tools not deployed previously, even in modified versions. One operation took place in the run-up to the invasion, four coincided with the invasion’s beginning, and two were discovered three and four weeks into the invasion. The remaining two occurred much later, in September and October, implying a roughly six-month hiatus in the interim [36, 107, 113]. High complexity operations thus coincided with the outbreak of warfighting and dropped in prevalence as warfighting continued, until a sudden but short-lived return in the fall.

For example, Russia deployed data-destroying malware against critical infrastructure and government entities on 23 February, hours before the conventional invasion commenced [36]. This “FoxBlade” malware (Microsoft’s name for the wiper that ESET reports as HermeticWiper) had not previously been observed [114]. FoxBlade was designed to target specific systems and only propagate on specific networks, showing high target specificity [36]. Technical analyses by ESET indicate that the actors behind the FoxBlade operation likely compromised the targets several weeks before 23 February [115]. This implies high costs in terms of resources and time. The novelty, target specificity, and cost of the FoxBlade operation point to it being of high complexity.

Another example of high complexity is the 24 February attack on Viasat that left Ukrainian customers, including parts of the Ukrainian military, without internet [36, 116, 117]. (Some have questioned whether AcidRain had a sizeable and long-lasting impact on Ukrainian military communications [118]. This does not change the classification of the AcidRain operation as highly complex per the TECI-model given the undisputed reports of its utilizing novel malware. It does, however, underscore that even a highly complex cyber operation is not automatically guaranteed to succeed.) The operation utilized novel “AcidRain” malware, which was unique to the operation and so indicates high complexity [107, 117]. Besides AcidRain and FoxBlade, the high complexity operations utilized specifically developed and novel malware now known as WhisperGate, SonicVote, Lasainraw, DesertBlade, CaddyWiper, FiberLake, and Prestige ransomware [36, 114, 115, 119, 120]. Some of these have since been recycled in other operations, in which case they signify medium rather than high complexity.

Medium complexity operations over time become the most prevalent in the CPI and Microsoft data. These operations utilize previously observed malware or tools by either recycling those cyber weapons without alterations or modifying them to some extent.

Microsoft’s April report shows that at least FoxBlade, SonicVote, and DesertBlade are utilized in new operations after their discovery [36]. In other reporting, Microsoft describes CaddyWiper as being recycled [114]. Moreover, Microsoft generally observes that Russian state actors tend to modify utilized malware between operations [36]. As analyzed above, in Microsoft’s April report, only 5 of 37 data-destructive incidents between 23 February and 8 April were high complexity operations [36]. Although the data does not allow for a detailed analysis of every incident, the relatively small number of incidents attributable to high complexity operations suggests that a large share of the 37 incidents could be attributed to operations using recycled or modified malware.

Roughly 31% of Russian operations in CPI’s data are of high complexity, whereas 62% are medium and 7% are low complexity [107]. Thus, for the entire period from January until December, medium complexity operations are twice as prevalent as high complexity operations. This trend is reversed in the beginning of the invasion, however. Seven cases of high complexity operations in the CPI data occur before 17 March, within the first month of warfighting. Conversely, 16 of 18 medium complexity operations occur after 22 March. Essentially, Russia mostly conducted high complexity operations in the war’s first weeks, after which medium complexity operations became more frequent while high complexity operations disappeared until the fall.

Low complexity operations cover the use of DDoS attacks. Only a few of the observed cyber operations fall into this category. Microsoft’s reporting includes four cyber operations utilizing DDoS [36]. The CPI data includes two cases [107]. Russian state actors thus rarely utilized DDoS attacks. Moreover, all low complexity operations except one occurred before the war. The sole exception is the use of DDoS in conjunction with AcidRain malware in the operation against Viasat on the invasion’s first day, which the model classifies as highly complex because the novel malware takes precedence.

In short, Russia deprioritized low complexity nonmalware operations once warfighting commenced in favor of initially high and later medium complexity operations.

Integration

Analyzing the integration between cyber and noncyber capabilities, this subsection finds relatively few Russian cyber operations integrated with conventional operations. For most cyber operations, there is no evidence to suggest their being integrated with other capabilities. When integration is evident, though, it is predominantly in the form of low integration and largely in the first weeks of the war. Across the CPI and Microsoft data, a total of nine cyber operations could be identified as constituting some form of integration. The results are summarized in Fig. 4.

Figure 4. Distribution of integration types of Russian cyber operations identifiable in CPI and Microsoft data (n = 9): high (2), medium (1), and low (6).

High integration occurs when a cyber operation supports a noncyber operation and contributes to its successful completion. The analysis shows two Russian cyber operations that meet this standard. The first case is the cyber operation against the Zaporizhzhia nuclear power plant discovered on 2 March [2]. A Russian state actor moved laterally on networks belonging to the nuclear power company running the facility. A day later, Russian conventional forces attacked and occupied the nuclear plant, with video footage suggesting the attack was planned in advance [121]. In the absence of public evidence of other actions or intentions of the actor besides the lateral movement, it is not possible to prove indisputably that the cyber operation supported the conventional operation. Since the cyber operation closely preceded the conventional operation and Ukrainian forces were present at the plant, though, it is conceivable that the cyber operation sought to collect intelligence on the plant to support a later conventional attack. On this reading, the Zaporizhzhia operation constitutes high integration.

The second case is the AcidRain-operation against Viasat on 24 February. According to Victor Zhora, deputy chairman of Ukrainian cybersecurity agency SSSCIP, the effects were a “huge loss in communications in the very beginning of the war” [122]. US Secretary of State Antony Blinken stated the operation intended to disrupt Ukrainian command and control [123]. Subsequent reports have questioned whether AcidRain had a “huge” impact on Ukrainian military communication systems or rather impacted a backup communication method [118]. Either way, the operation sought to disrupt Ukrainian C2 and contribute positively to Russia’s concurrent offensive, satisfying the supportive integration logic. The AcidRain-operation is thus a case of high integration of cyber and noncyber capabilities.

Medium integration refers to cyber capabilities coordinated with conventional capabilities in the planning phase of an operation, for example when military staffs decide between cyber and noncyber courses of action. The analysis finds only one case, namely the Industroyer2 operation against Ukrainian substations on April 8 [36, 107, 108]. As shown in the effects analysis, although it was ultimately prevented, the cyber operation sought the physical destruction of hardware in substations to shut off electricity for up to two million Ukrainians. This effect could reasonably have been achieved by conventional means, for example a missile attack similar to the thousands already conducted by Russia [124]. In fact, Russia routinely used missiles to damage Ukrainian critical infrastructure [125]. Instead of achieving the destructive effect through a kinetic explosion, the Industroyer2 operation sought to achieve it through malware, suggesting that some form of coordination and deconfliction of cyber and noncyber capabilities in the planning phase had preceded the execution of the operation. It is thus a case of medium integration. The data indicate no other plausible cases.

Low integration means that cyber capabilities are aligned with noncyber capabilities in terms of timing, targeting, and general purpose without directly supporting the latter. With CPI and Microsoft data showing six cases of low integration, it is the most prevalent form of integration. One of the six cases is the FoxBlade operation against government entities discovered on 23 February. This cyber operation sought to destroy data on government servers [2, 36]. Meanwhile, Russia conducted missile attacks in the beginning of the war against a specific government data center [2, 126]. In other words, conventional capabilities also targeted government entities’ access to data in the war’s beginning. This means FoxBlade was aligned with conventional strikes on the data center in terms of timing, targeting, and the general purpose of denying the government access to data. It is then a case of low integration.

The five other cases of low integration in the data are evident on 17 February, between 28 February and 1 March, 4 March, 11 March, and 29 April [2, 36, 127]. Together with the FoxBlade operation on 23 February, the data suggest that low integration is primarily present in the war’s beginning—as was the case for medium and high integration. This coincides with the Russian spring offensive. Notably, though, Microsoft has reported that Russian missile attacks in October coincided with data-destroying cyber operations against critical infrastructure [113]. The cyber operations were thus associated with missile attacks in terms of timing, targets, and geography, indicating low integration [113]. These plausible cases of low integration came after a months-long hiatus in data-destructive cyber operations per Microsoft, which is also evident in our analysis of CPI data. Although the reported data lack detail, they point to Russia pursuing low integration during the Ukrainian fall offensive after a long hiatus without integration since their own offensive.

Altogether, the analysis found nine operations constituting integration between cyber and noncyber capabilities. No integration is thus the most prevalent integration category. The analysis is complicated, however, by limited access to data on both cyber and conventional operations in Ukraine. Even with this caveat, the analysis suggests a large majority of Russian cyber operations were not integrated with noncyber capabilities. This echoes the findings of Bateman as well as Mueller et al. [28, 30].

Four notable trends

In applying the TECI-model on Russian cyber operations in Ukraine, the article finds four notable trends. First, Russian operations rarely sought physically destructive high effects, opting instead for medium or low effects. Second, the effects often failed to materialize. In particular, there are no known successful high effects. Third, over time, Russia mostly conducted medium complexity operations by recycling or modifying used malware and tools, although they opted for high complexity operations using novel malware and tools in the war’s first weeks. Fourth, Russian cyber operations were seldom integrated with noncyber capabilities, and when they were it was predominantly in the war’s first weeks and in the form of low integration.

These findings largely corroborate and add detail to studies published since the outbreak of war [128, 31, 32, 30]. In their 2023 report, Mueller et al. [30] conclude that Russia struggled to integrate cyber and conventional operations and that observed cyber operations mostly opted for “disruption” instead of “degradation” without targeting military entities as often as expected. They argue cyber operations may be more apt at shaping strategic interactions than determining tactical outcomes where conventional means prove better suited, pithily noting: “Why hack what you can destroy?” [30]. Even as the trends in the mentioned studies and this article are largely similar, utilizing a common model such as TECI would have improved the ability to systematically compare and discuss the trends and their hypothesized explanations between the studies.

Limited with exceptions: the utility of cyber operations in war

What do the analyzed trends from Ukraine reveal about the utility of offensive cyber operations in war? This section examines the question in three parts by assessing the utility on strategic, operational, and tactical levels of warfighting. Besides its use in Western military doctrine, the tripartition of warfighting clarifies and delineates where cyber operations may be of utility in the complex and wide-ranging phenomenon of warfighting. What is of utility for a platoon of soldiers in battle—and the characteristics that govern whether a cyber operation can be of such utility—may be different from what is of utility when organizing a nation’s resources to win a war. The tripartition is a simple methodological framework for finding these differences.

The strategic level of warfare concerns a state’s disposition of national resources and instruments of power to wage war [129]. These get at not only a nation’s ability but also its will to wage war. To achieve strategic utility a cyber operation must therefore generate advantages on this strategic level by improving one’s own or undermining the adversary’s ability or will to wage war by affecting national resources or instruments of power.

The operational level concerns military campaigns deploying larger military units in larger geographic areas—theaters of operations—to realize operational objectives that contribute to strategic goals [129]. Operational utility entails providing military advantages against the adversary in a specific theater of operations. A cyber operation should thus improve the ability of units in a theater to accomplish objectives, for example by worsening the adversary’s general combat effectiveness in the specific theater.

The tactical level concerns task-specific deployment of smaller military units in specific terrain generating effects that contribute to larger operational objectives through, e.g. localized engagements with adversarial forces [129]. Cyber operations achieve tactical utility by generating advantages for a friendly unit in its assigned task, for example against an adversarial unit. This could involve worsening the adversarial unit’s ability to maneuver, fire, survive, or otherwise succeed in the local engagement.

In sum, the strategic, operational, or tactical utility of a cyber operation is a matter of generating advantages on the corresponding levels of warfare. These different levels of warfighting can overlap [129]. A general advantage for units in a theater could spill over to the tactical level by creating a local advantage in a specific battle. Disrupting a power grid, which undermines national resources and provides strategic utility, could provide operational utility by limiting access to electricity, which worsens the combat effectiveness of units in an entire theater. This means a cyber operation can be of utility on multiple levels.

Strategic utility

Previous research both questions and advocates for the strategic utility of cyber operations. Maschmeyer sees the trilemma of speed, intensity, and control as limiting the strategic potential [6]. Smeets instead writes of the strategic promise of cyber operations as force-multipliers and independent assets [14]. This article qualifies these perspectives as they pertain to the strategic utility of cyber operations in warfighting. Indeed, this article argues that, while no single cyber operation is likely to achieve strategic utility on its own, the impact of multiple sustained cyber operations can cumulatively achieve strategic utility. This appears to be the case for Russia in Ukraine, although the utility has been costly and dwarfed by the cumulative utility of conventional operations.

Prima facie, the target analysis of Russian cyber operations indicated a large potential for strategic utility. Russia predominantly targeted critical infrastructure and government entities, which fall under Ukraine’s national resources and instruments of power important for its ability and will to wage war. Analyses of the other model variables sow doubt about this potential, however. The effects analysis in particular reveals the limitations of Russia’s cyber operations.

If a single cyber operation is to generate strategic utility by itself, it is arguably more likely to do so by physically destroying national resources or instruments of power. This is one possibility Smeets sees for a cyber operation to fulfill its strategic promise [14]. Only the Industroyer2-operation was coded to achieve such physically destructive high effects, however. The rarity of operations seeking physical destruction naturally limits Russia’s potential for strategic utility through their cyber operations.

Why did Russia not conduct more high-effect cyber operations? One explanation is the extraordinary availability of conventional weapons suitable for physical destruction. A cyber operation typically takes much longer to plan and stage than a missile attack. The chance of success may also have been higher for a Russian kinetic attack. After all, the analysis showed that a large share of cyber operations failed to achieve the effects their cyber weapons were coded to achieve. All of this suggests that highly severe effects are more easily and reliably achieved by conventional means.

Had the Industroyer2-operation been successful, it might have been able to provide strategic utility; cutting the power for 2 million Ukrainians would arguably have negatively influenced Ukraine’s ability and will to wage war. So why was Industroyer2 not successful? One reason may be its medium degree of complexity. It recycled malware observed before by the defender, making it easier to discover and mitigate. Indeed, if Ukrainian cyber forces have been able to react to novel malware used in Russia’s high complexity operations and adapt their defenses accordingly, they will likely have had an easier time discovering and mitigating later operations merely recycling such malware. Reports indicate that Ukraine aided by Western actors built a relatively capable and responsive cyber defense [111]. This can explain why Industroyer2 and other Russian operations failed. Recycling malware made them too easy to discover and mitigate. In other words, cyber operations of medium and low complexity are less likely to achieve successful effects than high complexity operations.

High complexity operations are comparatively more likely to achieve not only successful effects but also high effects. This is because achieving physical destruction typically necessitates the specific manipulation of specific industrial control systems. This high degree of specificity is arguably more difficult to realize by recycling older malware compared to developing novel and tailored malware, which means that high complexity operations are more suited for this task than medium complexity operations. In sum, high complexity operations are more likely to achieve both successful effects and high effects. Together with the assumption that a cyber operation is more likely to provide strategic utility by generating high effects, it follows that high complexity operations are more likely to achieve strategic utility than other operation types. This is unfortunate for the strategic utility potential of Russian cyber operations since relatively few of them were of high complexity compared to medium complexity, and almost all high complexity operations were conducted in the war’s first month.

The relatively few high complexity operations can be explained by their tall demands on resources, time, and target knowledge. One high complexity operation is costly enough, but continuously conducting them requires the continuous tolerance of such costs and regeneration of burned cyber weapons. Even for state actors, it may well be prohibitively costly to sustain a high rate of high complexity operations over time. The 6-month hiatus in the conduct of high complexity operations between March and September underscores these difficulties; Russia seemingly needs time to regenerate its capabilities. The data confirm Smeets’ claim about the transient nature of cyber weapons [15, 37].

Essentially, high costs limited Russia’s capability for high complexity operations and thus their chances of achieving both successful and high effects, which in turn limited their potential for achieving strategic utility through cyberspace. The analyzed data therefore suggest that a cyber operation is unlikely to achieve strategic utility in warfighting. The high complexity and high-effect operation is the best candidate for achieving strategic utility, but it is too rare an occurrence and less attractive than conventional capabilities to provide such utility in warfighting.

This argument rests on the assumption that a cyber operation best achieves strategic utility through high effects. Although the assumption may be true, it does not preclude other effect types from being able to affect national resources and instruments of power, even if the likelihood is comparatively lower. The majority of Russian cyber operations were coded to achieve medium effects. Could such a nonkinetic but data-destructive cyber operation be of strategic utility? On its face, the analyzed data suggest this is not the case. There is no medium-effect cyber operation in the data that in and of itself appears to have had a measurable impact on Ukraine’s national resources or instruments of power.

Yet, a cyber operation’s potential for influencing the strategic level of warfare need not be viewed in isolation. It is a tall order for a single operation—in any domain—to singlehandedly impact a nation’s ability and will to wage war. Analyzing the utility of a military operation in isolation risks overlooking the possible cumulative utility of several operations, which individually did not measurably impact national resources and instruments of power but together prove enough to do so. The risk of overlooking a cumulative utility is irrelevant for Russia’s high-effect cyber operations in Ukraine given that only one has been conducted so far. It is relevant, however, for Russia’s medium-effect operations that constitute a prominent share of their actions in the analyzed data. The question thus becomes: Have the nonkinetic data-destructive cyber operations cumulatively achieved strategic utility?

Some trends in the analyzed data support the existence of such a cumulative strategic utility. In the Microsoft data, Russian state actors conducted 37 medium-effect cyber operations between 23 February and 8 April [36]. A total of 22 of these occur in the war’s first week, averaging three per day. For the entire period, Russia leveraged an average of six data-destructive operations per week. More than 72% of them targeted critical infrastructure and government entities, many of them civilian. (Mueller et al. [30] point to the shifting of Russian cyber operations toward civilian and away from military targets. This supports the argument that even low and medium cyber effects—e.g. on communication networks such as the Viasat hack—may be part of a pursuit of a cumulative strategic effect through undermining the civilian will to fight.) Taken together, it is a nontrivial and sizable collective of cyber operations being conducted in a short period. It indicates a potential for this collective of medium-effect operations to have cumulatively influenced Ukraine’s ability and will to wage war by undermining the state’s capacity to administer resources and instruments of power through the destruction of data and digital systems. Of course, the effects analysis’ conclusion that a substantial share of operations failed to achieve their data-destructive effects limits this cumulative potential.

All of the medium-effect operations need not be successful in their effects for the collective of medium-effect operations to achieve cumulative strategic utility, though. Even in the absence of materialized effects, the medium-effect operations could force Ukraine to prioritize resources on cyber defenses that could have been used on warfighting in other domains. Conventional warfighting is likely what will be decisive for the war’s outcome. Preventing Ukraine from allocating resources for conventional warfighting may then well have strategic importance. The collective of data-destructive cyber operations could achieve cumulative strategic utility by, on the one hand, directly undermining Ukraine’s resources and instruments of power whenever their effects were successful and by, on the other hand, undermining Ukraine’s ability to prioritize resources optimally for winning the war even when their effects failed.

It is difficult to access data on Ukraine’s prioritization of national resources. One piece of the puzzle is the allocation of the 22.3 billion Hryvnia in foreign economic assistance donated to the National Bank of Ukraine [130]. By January 2023, Ukraine had allocated a total of 3.8 billion—more than 17%—of these toward SSSCIP, which is the primary actor behind their cyber defense (3.8 billion Hryvnia correspond to ~110 million USD). This is a nontrivial share of donated resources that could have gone toward the conventional warfighting. The collective of medium-effect Russian cyber operations could have forced Ukraine to make this disposition, especially in the first weeks of the war when the frequency of these operations was most intense. Of course, National Bank donations do not give a complete picture of Ukraine’s allocation of national resources. It does, however, illustrate that Ukraine considered the threat of Russian cyber operations serious enough to warrant the strategic decision of allocating considerable resources to cyber versus conventional capabilities.

Even if Russia’s medium-effect cyber operations achieved cumulative strategic utility, it is unclear if it was cost-beneficial considering the high cost of especially their high complexity operations, which provided many of the medium effects directly as well as indirectly through later malware recycling. Finally, the cumulative strategic utility of Russian cyber operations is almost certainly minimal compared to the cumulative strategic utility of their conventional operations like missile attacks.

Operational utility

Some scholars have questioned the ability of cyber operations to affect events on the battlefield. Schulze points to cyber operations being operationally ineffective due to difficulties in integrating with conventional capabilities [40]. In a study of the Ukraine conflict from 2014 to 2016, Kostyuk and Zhukov [39] find that cyber operations did not compel reactions in noncyber domains. This suggests cyber operations are of limited operational utility.

This article reaches a similar albeit more nuanced conclusion. In the analyzed data from the Russo–Ukrainian War, cyber operations generally failed to achieve operational utility, with one notable exception. One cyber operation—the AcidRain-operation—managed to affect the operational level of warfare, even if it did so only by removing a backup communication method for the Ukrainian military, as some newer reports argue [118]. The operation highlights a narrow potential for cyber operations to provide operational utility in the beginning of warfighting. Generally, though, operational utility is limited by difficulties integrating cyber and conventional operations, especially at higher levels of integration. This is due to a temporal mismatch between the relatively slow planning speeds of cyber operations and conventional operations’ typical demand for fast and precisely timed effects. This limiting factor is less pronounced in the beginning of a war because the slower planning can be done before war breaks out.

As analyzed earlier, the AcidRain-operation is an example of high integration between cyber and noncyber as it supported Russia’s conventional warfighting by undermining Ukrainian C2 capability—at least on the first day of the war. The fact that AcidRain is categorized as high integration immediately suggests it provided operational utility for Russia. Indeed, the operation straightforwardly passes the requirement for operational utility; it improved the ability of Russian units in a theater of operations to accomplish their objectives. It did so by generally undermining Ukrainian C2 capability and generating a substantial advantage for Russian units in general in a theater of operations in Ukraine. Even the least damaging version of the alleged effects of AcidRain—disrupting Ukrainian satellite communication serving as a backup for military communication—amounts to the undermining of Ukrainian C2. AcidRain thus shows that it is indeed possible for cyber operations to achieve operational utility in warfighting. As the only example, AcidRain suggests that, although cyber operations can achieve operational utility, they rarely do.

Part of the explanation for this can be found in the analysis’ second trend of Russian cyber operations often failing to materialize the effects their cyber weapons were coded to achieve. Another part of the explanation is found in the fourth trend of the rarity of integration between cyber and noncyber capabilities. If it was difficult for Russia to achieve successful effects in the first place and additionally to integrate their effects with conventional operations, the basis for achieving operational utility was limited. The “missing effects” part of the explanation was discussed above. The second part of “integration difficulties” needs a closer examination.

As explained, although the actual deployment of a cyber weapon may occur at the speed of light, the whole of a cyber operation including the planning and staging process is typically time-consuming. This is especially so when the cyber operation is of high complexity or is coded to achieve high effects. Moreover, a cyber operation may not be able to guarantee a precise timing of its effects owing to the complexity of the domain. Conversely, conventional domains of warfare are typically characterized by a higher pace in the conduct of operations, especially on the operational and tactical levels of warfighting. Supporting a conventional operation also requires precise timing to ensure the supportive effects are aligned appropriately with the unfolding of the conventional operation, similar to integrating disparate capabilities in combined arms warfare.

There is consequently a dichotomy between the relatively long duration and sometimes imprecisely timed effects of a cyber operation and the conventional operations’ faster pace and need for precise effects. If the pace of events in conventional domains is sufficiently high, a cyber operation is too slow and temporally imprecise to integrate into conventional operations. Similar claims have been made by other cyber conflict scholars [40].

The dichotomy is most pronounced in high integration, where the aim of directly supporting a conventional operation severely constrains when and how cyber effects should materialize, and in medium integration, where the cyber weapon directly competes against typically faster conventional weapons. The looser connection between cyber and noncyber domains in low integration’s complementing logic means the dichotomy is less pronounced; the necessary alignment between cyber and noncyber effects is less strict. One should thus expect a higher frequency of low integration compared to medium and high integration. This is exactly what this article finds. In sum, the temporal dichotomy explains why so few Russian cyber operations were integrated with conventional operations, and it points to a general limitation in the operational utility of cyber operations.

If cyber operations are generally limited in achieving operational utility in war, why did AcidRain do so? The operation’s timing is crucial here. Based on its high complexity, the operation likely commenced planning and staging, such as conducting reconnaissance, developing malware, and compromising target systems, weeks before 24 February. There is no evidence in the data suggesting AcidRain was unusually fast [117]. However, the need for a fast-paced or precisely timed cyber effect to support conventional operations was not present until 24 February, for the simple reason that conventional warfighting had not commenced yet. Russia had time to plan and stage the AcidRain malware as well as coordinate this with the deployment of conventional capabilities. The temporal dichotomy was thus not an issue for the AcidRain-operation because the “slow” part of the cyber operation was conducted before the “fast” conventional needs for effects arose.

The AcidRain-operation demonstrates the potential of cyber operations achieving operational utility in the beginning of warfighting despite their general limitations. This is because there is ample time before warfighting commences to complete slower parts of a cyber operation so as to sidestep the temporal dichotomy that otherwise typically limits a cyber operation’s integration with conventional operations.

Tactical utility

Is the tactical level of warfare as limiting for the utility of cyber operations as the operational? Schulze points to historical evidence for the tactical ineffectiveness of cyber operations [40, 131, 132]. Conversely, Brantly and Collins [133] argue that Russia achieved frequent and persistent tactical effects through cyber operations in Ukraine during the hybrid war until 2018.

The analyzed data in this article suggest cyber operations are generally limited in their ability to meaningfully affect the tactical level of warfare similar to the limitations evident on the operational level. In fact, the temporal dichotomy is possibly even more limiting at the tactical level. Importantly, though, the window of opportunity for utility in the beginning of a war observed at the operational level plausibly holds true at the tactical level as well. This qualifies the previous findings in the literature.

Two Russian cyber operations are prima facie candidates for achieving tactical utility. The first is the AcidRain-operation. In providing operational utility for units during the Kyiv offensive, the debilitating effect on Ukrainian (backup) C2 provided Russian units with potential tactical advantages in local battles—and so also tactical utility. There is no direct evidence for this in the analyzed data. However, combining the evidence for the operational utility with the fact that circumstances in the operational level of warfare influence the tactical level, the tactical utility of AcidRain is a plausible conclusion. This suggests cyber operations can achieve tactical utility in the beginning of warfighting for the same reasons they can achieve operational utility.

The second candidate is the operation against the Zaporizhzhia nuclear power plant, which the above analysis deemed an example of high integration because the operation plausibly supported a conventional attack on the plant by collecting intelligence. It is thus plausible that the cyber operation generated an advantage for Russian units engaged in the local battle for the power plant. This meets the definition of tactical utility. Some caveats should be noted, however. The data do not reveal exactly when cyber actors compromised the networks, their exact actions, or their intentions. The nuclear power plant is also critical infrastructure, and so it is possible that Russia originally targeted it to conduct an operation akin to Industroyer2 without intending integration with conventional operations. The later opportunity to support a conventional attack may have been unforeseen.

Overall, the few candidates for cyber operations of tactical utility indicate their general limitation. The dichotomy between the slow-paced cyber operation and the fast-paced conventional operation is again likely part of the explanation for the limited tactical utility. In fact, the dichotomy is possibly more pronounced at the tactical level of warfare. Here, the pace of operations is faster as the operations accomplish tactical tasks necessary for progressing toward operational level objectives. In a nutshell, the operational level “waits” for events at the tactical level. Operations at the tactical level such as direct combat between units are also more confined in time and space than campaigns at the operational level. Accordingly, to be aligned with and thus of utility at the tactical level, cyber effects must be more precise and versatile in time and space. The above discussion of operational utility already clarified why this is a tall order, except for the moment when warfighting commences.

Conclusions

Applying the TECI-model on the Russo–Ukrainian War, this article found four notable trends in Russia’s offensive cyber operations that contribute to the literature’s understanding of the utility of cyber operations in war.

First, Russian cyber operations rarely sought physically destructive effects but opted for data destruction, exfiltration, or disruption. This validates the assumption in the literature that cyber operations are unsuitable for physical destruction. Second, a substantial share of Russia’s offensive cyber operations failed to achieve effects. This rejects the assumption that cyberspace is offense dominant; the defender may have an easier time than thought. This is partly caused by the third trend. Russia began recycling malware after the first weeks of warfighting, which lowered its ability to penetrate Ukrainian defenses. This suggests sustaining high complexity operations with novel malware and tools through a longer period of warfighting is prohibitively costly. It validates the literature’s assumptions about the transience of cyber weapons and their need for costly regeneration. Fourth, and finally, cyber operations were rarely integrated with conventional operations. When they were, it was the least demanding form of integration and primarily in the war’s beginning. This validates assumptions in the literature about the difficulty of integrating cyber and noncyber capabilities, namely the dichotomy between their operational tempi.

Data from the Russo–Ukrainian War thus point to offensive cyber operations having limited utility in war. The article found two important exceptions to this. Offensive cyber operations can achieve strategic utility cumulatively through persistent data-destructive targeting of national resources, and operational as well as tactical utility in the beginning of warfighting when there is time to synchronize cyber and noncyber capabilities. It is worth noting that the early claims in cyber conflict studies positing a cyber doom and a future of cyber operations decisively shaping conventional warfare are still unsubstantiated by evidence, including this article’s findings [49, 134–136]. Rather, the limited utility of cyber operations in warfighting—even with the two important exceptions above—points to cyber operations serving more impactful roles outside of warfighting, such as in enhancing information warfare operations and strategic influence campaigns, as suggested by Mueller et al. [30].

Granted, our findings may not be generalizable to other conflicts or future developments in the Russo–Ukrainian War. Some scholars have argued that the Russian military essentially failed in the strategic and operational planning of the invasion of Ukraine, which perhaps reflects similarly inaccurate planning in cyberspace [28, 137]. Others suggest that Russia prioritizes cyber-enabled espionage and information operations over military cyber effects [30]. Meanwhile, multiple Western militaries and companies have offered substantial assistance to Ukraine’s cyber defenses, including migrating data to cloud services hosted in NATO countries [110]. Had the Russian military been organized differently and avoided its strategic planning failures, and had Ukraine received less assistance in cyberspace, another picture of the utility of cyber operations could have emerged. A conflict between other actors in other circumstances may well introduce its own idiosyncratic factors influencing the utility of cyber operations in warfighting. It is too early to determine how representative our findings are.

The article’s main contribution to the field of cyber conflict studies is thus the TECI-model itself. Precisely because the role of cyber operations in warfighting is unsettled, and because this role may change over time, the field needs an operationalized model capable of systematically analyzing cyber operations in war to compare and track the utility of cyber operations over time and across conflicts. The TECI-model fills this gap in the literature, has been empirically tested and applied on data in this article, and will be as readily applicable on future data sets from Ukraine and other conflicts that may shape the role of cyberspace in war.

Author contributions

Frederik A. H. Pedersen (Conceptualization [equal], Data curation [equal], Formal analysis [equal], Funding acquisition [equal], Investigation [equal], Methodology [equal], Project administration [equal], Resources [equal], Software [equal], Supervision [equal], Validation [equal], Visualization [equal], Writing – original draft [equal], Writing – review & editing [equal]), and Jeppe T. Jacobsen (Conceptualization [equal], Data curation [equal], Formal analysis [equal], Funding acquisition [equal], Investigation [equal], Methodology [equal], Project administration [equal], Resources [equal], Software [equal], Supervision [equal], Validation [equal], Visualization [equal], Writing – original draft [equal], Writing – review & editing [equal])

Conflict of interest

None declared.

Funding

None declared.

References

1. Zinets N, Vasovic A. Missiles rain down around Ukraine. London: Reuters. (5 August 2022, date last accessed).

2. Microsoft. Defending Ukraine: Early Lessons from the Cyber War. Washington: Microsoft Corporation, 2022, 1–29.

3. Lewis JA. Cyber War and Ukraine. Washington: Center for Strategic and International Studies, 2022.

4. Schulze M. Quantifying cyber conflict: introducing the European repository on cyber incidents. Lawfare, 2022. (20 November 2022, date last accessed).

5. Ashraf C. Defining cyberwar: towards a definitional framework. Def Secur Anal. 2021;37:274–94.

6. Maschmeyer L. The subversive trilemma: why cyber operations fall short of expectations. Int Secur. 2021;46:51–90.

7. Rid T. Cyber war will not take place. J Strateg Stud. 2012;35:5–32.

8. Kello L. The Virtual Weapon and International Order. New Haven: Yale University Press, 2017.

9. Lindsay JR. Stuxnet and the limits of cyber warfare. Secur Stud. 2013;22:365–404.

10. Gartzke E. The myth of cyberwar: bringing war in cyberspace back down to earth. Int Secur. 2013;38:41–73.

11. Valeriano B, Maness RC. Cyber War versus Cyber Realities: Cyber Conflict in the International System. Oxford: Oxford University Press, 2015.

12. Nye JS Jr. Deterrence and dissuasion in cyberspace. Int Secur. 2017;41:44–71.

13. Lin H, Zegart A. Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations. Washington: Brookings Institution Press, 2019.

14. Smeets M. The strategic promise of offensive cyber operations. Strateg Stud Q. 2018;12:90–113.

15. Smeets M. A matter of time: on the transitory nature of cyberweapons. J Strateg Stud. 2018;41:6–32.

16. Smeets M. Integrating offensive cyber capabilities: meaning, dilemmas, and assessment. Def Stud. 2018;18:395–410.

17. Harknett RJ, Smeets M. Cyber campaigns and strategic outcomes. J Strateg Stud. 2022;45:534–67.

18. Maschmeyer L. A new and better quiet option? Strategies of subversion and cyber conflict. J Strateg Stud. 2022;0:1–25.

19. Moore D. Offensive Cyber Operations: Understanding Intangible Warfare. 1st edn. Oxford: Oxford University Press, 2022.

20. Egloff FJ, Shires J. Offensive cyber capabilities and State violence: three logics of integration. J Glob Secur Stud. 2021;7:1–18.

21. Lin H, Zegart A. Introduction to the special issue on strategic dimensions of offensive cyber operations. J Cybersecur. 2017;3:1–5.

22. Rid T. Why you haven't heard about the secret cyberwar in Ukraine. The New York Times, 2022.

23. Whyte C. Learning the right cybersecurity lessons from Putin. Foreign Policy, 2022.

24. Landau S. Cyberwar in Ukraine: what you see is not what's really there. Lawfare, 2022.

25. Kello L, Kaminska M. Cyberspace and war in Ukraine: prepare for worse. Lawfare, 2022.

26. Valeriano B, Lonergan ED, Lonergan SW et al. Putin's invasion of Ukraine didn't rely on cyberwarfare. Here's why. CATO, 2022.

27. Lonergan ED. The cyber-escalation fallacy. Foreign Affairs, 2022.

28. Bateman J. Russia's wartime cyber operations in Ukraine: military impacts, influences, and implications. Washington: Carnegie Endowment for International Peace, 2022.

29. Levite A. Integrating cyber into warfighting: some early takeaways from the Ukraine conflict. Washington: Carnegie Endowment for International Peace, 2022. (1 May 2023, date last accessed).

30. Mueller GB, Jensen B, Valeriano B et al. Cyber operations during the Russo-Ukrainian war. Washington: Center for Strategic & International Studies, 2023.

31. Lin H. Russian cyber operations in the invasion of Ukraine. Cyber Def Rev. 2022;7:31–46.

32. Brantly A. From the foxhole: cyber and kinetic conflict in Ukraine. Cyber Def Rev. 2022;7:5.

33. Smalley
S
.
Cybersecurity experts question Microsoft's Ukraine report
.
CyberScoop
,
2022
.

34.

Slayton
 
R
.
What is the cyber offense-defense balance? Conceptions, causes, and assessment
.
Int Secur
.
2017
;
41
:
72
109
.

35.

Gartzke
 
E
,
Lindsay
 
JR
.
Weaving tangled webs: offense, defense, and deception in cyberspace
.
Secur Stud
.
2015
;
24
:
316
48
.

36.

Microsoft Digital Security Unit
.
Special Report: Ukraine. An Overview of Russia's Cyberattack Activity in Ukraine
.
Washington
:
Microsoft Corporation
,
2022
,
1
20
.

37.

Jacobsen
 
JT
.
Clausewitz and the utility of cyberattacks in war
.
Int J Cyber Warf Terror
.
2014
;
4
:
1
16
.

38.

Libicki
 
MC
.
Second acts in cyberspace
.
J Cybersecur
.
2017
;
3
:
29
35
.

39.

Kostyuk
 
N
,
Zhukov
 
YM
.
Invisible digital front: can cyber attacks shape battlefield events?
.
J Confl Resolut
.
2019
;
63
:
317
47
.

40.

Schulze
 
M
.
Cyber in war: assessing the strategic, tactical and operational utility of military Cyber operations
. In:
Proceedings of the 2020 12th International Conference on Cyber Conflict (CyCon)
.
Tallinn
:
NATO CCDCOE Publications
,
2020
,
183
97
.

41.

Chesney
 
R
,
Smeets
 
MW
.
The dynamics of cyber conflict and competition
.
Tex Natl Secur Rev
.
2020
;
3
:
5
7
.

42.

Burton
 
J
.
The future of cyber conflict studies: cyber subcultures and the road to interdisciplinarity
.
Cyber Def Rev
.
2022
;
7
:
103
16
.

43.

Cavelty
 
MD
.
From cyber-bombs to political fallout: threat representations with an impact in the cyber-security discourse
.
Int Stud Rev
.
2013
;
15
:
105
22
.

44.

Libicki
 
MC
.
Cyberdeterrence and Cyberwar
.
Santa Monica
:
RAND Corporation
,
2009
.

45.

McGraw
 
G
.
Cyber war is inevitable (unless we build security in)
.
J Strateg Stud
.
2013
;
36
:
109
19
.

46.

Stone
 
J
.
Cyber war will take place!
.
J Strateg Stud
.
2013
;
36
:
101
8
.

47.

Clarke
 
RA
,
Knake
 
RK
.
Cyber War: The next Threat to National Security and What to Do about It
. 1st edn.
New York
:
Ecco
,
2010
.

48.

Clarke
 
RA
,
Knake
 
RK
.
The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
. Paperback edn.
New York
:
Penguin Books
,
2020
.

49.

Kello
 
L
.
The meaning of the Cyber Revolution: perils to theory and statecraft
.
Int Secur
.
2013
;
38
:
7
40
.

50.

Segal
 
A
.
The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age
. 2nd edn.
New York
:
PublicAffairs
,
2017
.

51.

Crosston
 
MD
.
World gone Cyber MAD: how “mutually assured debilitation” is the best hope for cyber deterrence
.
Strateg Stud Q
.
2011
;
5
:
100
16
.

52.

Jasper
 
S
.
Deterring malicious behavior in cyberspace
.
Strateg Stud Q
.
2015
;
9
:
60
85
.

53.

Tor
 
U
.
‘Cumulative deterrence’ as a new paradigm for cyber deterrence
.
J Strateg Stud
.
2017
;
40
:
92
117
.

54.

Borghard
 
ED
,
Lonergan
 
SW
.
Deterrence by denial in cyberspace
.
J Strateg Stud
.
2021
;
4
:
1
36
.

55.

Fischerkeller
 
MP
,
Harknett
 
RJ
.
Deterrence is not a credible strategy for cyberspace
.
Orbis
.
2017
;
61
:
381
93
.

56.

Gartzke
 
E
,
Lindsay
 
JR
.
Thermonuclear cyberwar
.
J Cybersecurity
.
2017
;
3
:
37
48
.

57.

Garfinkel
 
B
,
Dafoe
 
A
.
How does the offense-defense balance scale?
.
J Strateg Stud
.
2019
;
42
:
736
63
.

58.

Saltzman
 
I
.
Cyber posturing and the offense-defense balance
.
Contemp Secur Pol
.
2013
;
34
:
40
63
.

59.

Buchanan
 
B
.
The Cybersecurity Dilemma
.
Oxford
:
Oxford University Press
,
2017
.

60.

Healey
 
J
,
Jervis
 
R
.
The escalation inversion and other oddities of situational cyber stability
.
Tex Natl Secur Rev
.
2020
;
3
:
30
53
.

61.

Borghard
 
ED
,
Lonergan
 
SW
.
Cyber operations as imperfect tools of escalation
.
Strateg Stud Q
.
2019
;
13
:
122
45
.

62.

Beckerman
 
CE
.
Is there a cyber security dilemma?
.
J Cybersecurity
.
2022
;
8
:
1
14
.

63.

Farwell
 
JP
,
Rohozinski
 
R
.
The new reality of cyber war
.
Survival
.
2012
;
54
:
107
20
.

64.

Rid
 
T
,
Buchanan
 
B
.
Attributing cyber attacks
.
J Strateg Stud
.
2015
;
38
:
4
37
.

65.

Warner
 
M
.
A matter of trust: covert action reconsidered
.
Stud Intell
.
2019
;
63
:
33
41
.

66.

Buchanan
 
B
.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
.
Cambridge
:
Harvard University Press
,
2020
.

67.

Lindsay
 
JR
.
Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack
.
J Cybersecur
.
2015
;
1
:
53
67
.

68.

Valeriano
 
B
,
Maness
 
RC
.
The dynamics of cyber conflict between rival antagonists, 2001–11
.
J Peace Res
.
2014
;
51
:
347
60
.

69.

Maness
 
RC
,
Valeriano
 
B
.
The impact of cyber conflict on international interactions
.
Armed Forces Soc
.
2016
;
42
:
301
23
.

70.

Herr
 
T
,
Herrick
 
D
.
Military cyber operations: a primer
.
Defense Technology Program Brief, No. 14
.
Washington
:
American Foreign Policy Council
,
2016
,
1
10
.

71.

Liebetrau
 
T
.
Organizing cyber capability across military and intelligence entities: collaboration, separation, or centralization
.
Pol Des Pract
.
2022
;
6
:
1
15
.

72.

Pernik
 
P
.
National cyber commands
. In:
Tikk
 
E
,
Kerttunen
 
M
(eds),
Routledge Handbook of International Cybersecurity
. 1st edn.
Oxford
:
Routledge
,
2020
,
186
98
.

73.

Brantly
 
A
,
Smeets
 
M
.
Military operations in cyberspace
. In:
Sookermany
 
AM
(ed.).
Handbook of Military Sciences
.
Cham
:
Springer
,
2020
,
1
16
.

74.

Long
 
A
.
A cyber SIOP? Operational considerations for strategic offensive cyber planning
.
J Cybersecur
.
2017
;
3
:
19
28
.

75.

Jacobsen
 
JT
.
Cyber offense in NATO: challenges and opportunities
.
Int Aff
.
2021
;
97
:
703
20
.

76.

Smeets
 
M
.
NATO members’ Organizational path towards conducting offensive cyber operations: a framework for analysis
. In:
Proceedings of the 2019 11th International Conference on Cyber Conflict (CyCon)
.
Tallinn
:
NATO CCDCOE Publications
,
2019
,
163
77
.

77.

Jensen
 
MS
.
Five good reasons for NATO's pragmatic approach to offensive cyberspace operations
.
Def Stud
.
2022
;
22
:
464
88
.

78.

Smeets
 
M
.
No Shortcuts: Why States Struggle to Develop a Military Cyber-Force
. 1st edn.
Oxford
:
Oxford University Press
,
2022
.

79.

Gomez
 
MA
,
Whyte
 
C
.
Unpacking strategic behavior in cyberspace: a schema-driven approach
.
J Cybersecur
.
2022
;
8
:
1
15
.

80.

Whyte
 
C
.
Cyber conflict or democracy “hacked”? How cyber operations enhance information warfare
.
J Cybersecur
.
2020
;
6
:
1
17
.

81.

Brantly
 
AF
,
Cal
 
NM
,
Winkelstein
 
DP
.
Defending the Borderland: Ukrainian Military Experiences with IO, Cyber, and EW
.
West Point
:
Army Cyber Institute
,
2017
.

82.

Smeets
 
M
.
A US history of not conducting cyber attacks
.
Bull At Sci
.
2022
;
78
:
208
13
.

83.

Goldman
 
EO
.
Paradigm change requires persistence—a difficult lesson to learn
.
Cyber Def Rev
.
2022
;
7
:
113
8
.

84.

Lawson
 
E
.
Between two stools: military and Intelligence Organizations: in the conduct of offensive cyber operations
.
Cyber Def Rev
.
2022
;
7
:
67
78
.

85.

Liebetrau
 
T
.
Cyber conflict short of war: a European strategic vacuum
.
Eur Secur
.
2022
;
31
:
497
516
.

86.

Maschmeyer
 
L
.
Subversion, cyber operations, and reverse structural power in world politics
.
Eur J Int Relat
.
2023
;
29
:
79
103
.

87.

Gioe
 
DV
.
Cyber operations and useful fools: the approach of Russian hybrid intelligence
.
Intell Natl Secur
.
2018
;
33
:
954
73
.

88.

Lindsay
 
JR
.
Cyber conflict vs. cyber command: hidden dangers in the American military solution to a large-scale intelligence problem
.
Intell Natl Secur
.
2021
;
36
:
260
78
.

89.

Smeets
 
M
.
U.S. cyber strategy of persistent engagement & defend forward: implications for the alliance and intelligence collection
.
Intell Natl Secur
.
2020
;
35
:
444
53
.

90.

Fischerkeller
 
MP
,
Harknett
 
RJ
.
Persistent engagement, agreed competition, and cyberspace interaction dynamics and escalation
.
Cyber Def Rev
.
2019
;Spe Ed :
267
87
.

91.

Rovner
 
J
.
What is an intelligence Contest?
.
Tex Natl Secur Rev
.
2020
;
3
:
114
20
.

92.

Jensen
 
B
,
Valeriano
 
B
,
Maness
 
R
.
Fancy bears and digital trolls: cyber strategy with a Russian twist
.
J Strateg Stud
.
2019
;
42
:
212
34
.

93.

Rid
 
T
,
Buchanan
 
B
.
Hacking democracy
.
SAIS Rev Int Aff
.
2018
;
38
:
3
16
.

94.

Healey
 
J
.
The implications of persistent (and permanent) engagement in cyberspace
.
J Cybersecur
.
2019
;
5
:
1
15
.

95.

Agrafiotis
 
I
,
Nurse
 
JRC
,
Goldsmith
 
M
 et al.  
A taxonomy of cyber-harms: defining the impacts of cyber-attacks and understanding how they propagate
.
J Cybersecur
.
2018
;
4
:
1
15
.

96.

Rattray
 
G
,
Healey
 
J
.
Categorizing and understanding offensive cyber capabilities and their use
. In:
Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
.
Washington
:
National Academies Press
,
2010
,
77
97
.

97.

Egloff
 
FJ
.
Public attribution of cyber intrusions
.
J Cybersecur
.
2020
;
6
:
1
12
.

98.

Egloff
 
FJ
,
Dunn Cavelty
 
M
.
Attribution and knowledge creation assemblages in cybersecurity politics
.
J Cybersecur
.
2021
;
7
:
1
12
.

99.

CISA
.
Petya Ransomware
.
Washington
,
2018
.

100.

Newman
 
LH
.
The leaked NSA spy tool that hacked the world
.
WIRED
,
2018
.

101.

Collier
 
K
,
Dong
 
S
,
Arouzi
 
A
.
Hackers around the world deluge Russia's internet with simple, effective cyberattacks
.
NBC News
,
2023
. .

102.

Palmer
 
D
.
DDoS attacks are cheaper and easier to carry out than ever before
.
ZDNET
,
2020
. .

103.

Arntz
 
P
.
DDoS attacks are growing: what can businesses do?
.
Malwarebytes
,
2018
. .

104.

Team
 
MS
.
Protecting your organization against password spray attacks
.
Microsoft Security Blog
,
2020
.

105.

What is password spraying? How to prevent password spraying attacks
.
Moscow
:
Kaspersky
,
2023
.

106.

Martelle
 
M
.
Newly released government documents detail U.S. Cyberoffensive on ISIS
.
Washington
:
National Security Archive
,
2020
.

107.

CyberPeace Institute
.
Cyber threats: attack details
.
Ukraine Conflict
.
Geneva
:
CyberPeace Institute
,
2023
. .

108.

ESET
.
Industroyer2: Industroyer reloaded
.
WeLiveSecurity
,
2022
. .

109.

Conger
 
K
.
Ukraine says it thwarted a sophisticated Russian cyberattack on its power grid
.
The New York Times
,
2022
. .

110.

Beecroft
 
N
.
Evaluating the international support to Ukrainian cyber defense
.
Washington
:
Carnegie Endowment for International Peace
,
2022
.

111.

Srivastava
 
M
,
Murgia
 
M
,
Murphy
 
H
.
The secret US mission to bolster Ukraine's cyber defences ahead of Russia's invasion
.
Financial Times
,
2022
. .

112.

Martin
 
A
.
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command
.
Sky News
,
2022
. .

113.

Microsoft
.
Preparing for a Russian cyber offensive against Ukraine this winter
.
Washington
:
Microsoft On the Issues
,
2022
. .

114.

Microsoft Security Response Center
.
Cyber threat activity in Ukraine: analysis and resources
.
Washington
,
2022
. .

115.

ESET
.
IsaacWiper and HermeticWizard: new wiper and worm targeting Ukraine
.
WeLiveSecurity
,
2022
. .

116.

Burgess
 
M
.
A mysterious satellite hack has victims far beyond Ukraine
.
WIRED
,
2022
..

117.

Guerrero-Saade
 
JA
,
van Amerongen
 
M
.
AcidRain: a modem wiper rains down on Europe
.
SentinelOne
,
2022
. .

118.

Zetter
 
K
.
Viasat hack “did not” have huge impact on Ukrainian military communications, official says
.
Zero Day
,
2022
.

119.

ESET
.
CaddyWiper: new wiper malware discovered in Ukraine
.
WeLiveSecurity
,
2022
. .

120.

CISA
.
Update: destructive malware targeting organizations in Ukraine
.
Washington
:
Cybersecurity and Infrastructure Security Agency
,
2022
.
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a (6 September 2022, date last accessed)
.

121.

Brumfiel
 
G
,
Rizzo
 
M
,
Le
 
T
 et al.  
Video analysis reveals Russian attack on Ukrainian nuclear plant veered near disaster
.
NPR
,
2022
. .

122.

Satter
 
R
.
Satellite outage caused “huge loss in communications” at war's outset -Ukrainian official
.
Reuters
,
2022
. .

123.

Pearson
 
J
.
Russia downed satellite internet in Ukraine -western officials
.
Reuters
,
2022
. .

124.

Popeski
 
R
,
Zinets
 
N
,
Janowski
 
T
 et al.  
Russian missiles rain on Ukraine as war nears half-year mark
.
Reuters
,
2022
. .

125.

United Nations
.
Ukraine: missile strikes, summary executions highlight importance of international law
.
UN News
,
2022
.
https://news.un.org/en/story/2022/11/1131067 (28 December 2022, date last accessed)
.

126.

Stupp
 
C
.
Ukraine has begun moving sensitive data outside its borders
.
Wall Street Journal
,
2022
. .

127.

Harding
 
L
.
Ukraine says Russia targeting civilians as missiles hit Kyiv TV tower
.
The Guardian
,
2022
. .

128.

Kostyuk
 
N
,
Gartzke
 
E
.
Why cyber dogs have yet to bark loudly in Russia's invasion of Ukraine (Summer 2022)
.
Texas Natl Secur Rev
.
2022
;
5
. http://dx.doi.org/10.26153/tsw/42073.

129.

NATO
.
AJP-01: allied joint doctrine
.
Edition E Version 1
.
Washington
,
2017
.

130.

National Bank of Ukraine
.
In 2022, over UAH 22.3 billion transferred for needs of defense from special account opened by NBU
.
National Bank of Ukraine
,
2023
. .

131.

Fink
 
KD
,
Jordan
 
JD
,
Wells
 
JE
.
Considerations for Offensive cyberspace operations
.
Mil Rev
.
2014; May-June
:
4
11
.

132.

Metcalf
 
AO
,
Barber
 
C
.
Tactical cyber: how to move forward
.
Small Wars Journal
,
2014
. .

133.

Brantly
 
A
,
Collins
 
L
.
A bear of a problem: russian special forces perfecting their cyber capabilities
.
Association of the United States Army
,
2018
. .

134.

Kallberg
 
J
.
Strategic cyberwar theory—a foundation for designing decisive strategic cyber operations
.
Cyber Def Rev
.
2016
;
1
:
113
28
.

135.

Cattler
 
D
,
Black
 
D
.
The myth of the missing cyberwar
.
Foreign Affairs
,
2022
.

136.

Sharma
 
A
.
Cyber wars: a paradigm shift from means to ends
.
Strateg Anal
.
2010
;
34
:
62
73
.

137.

Martin
 
B
,
Barnett
 
DS
,
McCarthy
 
D
.
Russian Logistics and Sustainment Failures in the Ukraine Conflict: Status as of January 1, 2023
.
Santa Monica
:
RAND Corporation
,
2023
.

This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (https://creativecommons.org/licenses/by-nc/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited. For commercial re-use, please contact [email protected]