For years, military commanders and civilian commentators warned of the danger of cyber attacks.
They used the language of the battlefield, talking about offensive cyber operations, cyber weapons and cyber warfare.
Now we have a war, started by what is widely recognised as one of the most advanced cyber powers in the world, yet so far cyber has played little part in the fighting.
In the early days of Russia’s invasion, Ukrainian banks and government websites claimed to have been hit by distributed denial of service attacks, and Ukrainian organisations were affected by “wiper” malware which destroys data on infected machines.
But overall, the impact of Russian cyber has been decidedly muted, leaving even the best-informed observers puzzled.
Russia accused of ‘genocide’ in key city without water, food and power – latest Ukraine updates
Ciaran Martin, who set up and then led the UK’s National Cyber Security Centre, said he was “surprised” by “just how little cyber operations have featured in the early part of the invasion”.
Dmitri Alperovitch, co-founder of Crowdstrike, the cybersecurity firm which discovered the Russian hack on the Democratic National Committee in 2016, agreed.
“I expected them to shut down cell networks and internet and try to prevent some of the horrible videos and photos from getting out,” Mr Alperovitch wrote on the second day of the invasion.
“This just hasn’t been the shock and awe campaign that the Russians had capacity to execute.”
First step in Russian campaign to undermine people’s will to fight
Since then, the Russians have taken steps to damage Ukrainian communications, albeit in more direct fashion. On 1 March, Kyiv’s main radio and TV tower was hit by a missile, taking local television channels temporarily off the air.
Ukrainian government ministers believe this is the first step in an influence campaign designed to undermine their people’s will to fight, for instance by telling them that the leadership has agreed to surrender, a move that could be combined with other cyber operations.
“Cyber is used to degrade public trust in state institutions and military, it’s used to sow doubt,” says James Sullivan, director of cyber research at the defence and security think tank RUSI.
“Arguably that’s been going on in Ukraine much longer than the moment of invasion. We’ve seen attacks on power grids, financial systems, media outlets, emergency services, the electoral commission, but in a low-level way, so there’s always plausible deniability.”
In key developments:
• Macron says Putin wants to seize all of Ukraine and ‘worse is to come’
• International Criminal Court opens investigation into possible war crimes
• Napoleon and Hitler referenced by Russia in latest attempt to justify invasion
• Ukraine minister claims Russia could be about to attack itself in ‘false flag’ operation
Still, this kind of campaign falls far behind the expectation of “cyber war”, and the attack on the TV tower suggests a reason why: when it comes to destruction, computer code lags far behind conventional weapons.
“It is much easier to bomb something,” says Mr Sullivan. “Russia was never going to install a new government in Ukraine through cyber attacks alone.”
It’s not just that cyber capabilities are not as powerful as most conventional weapons; crucially, they are not as usable. Hacking into a system is complicated, time-consuming and comes with no guarantees of success.
A hoodie-clad hacker cracking an enemy system in minutes might make a good scene in an action film, but in the real world these things need plenty of luck and lots of time.
Even if you do manage to access an opponent’s system, you’ll most likely be limited in what you can do. The idea of pulling trains off tracks or sending missiles awry is a Hollywood myth: you might be able to subvert, but you’re unlikely to be able to destroy, and very unlikely to be able to cause physical harm.
Then once you’re discovered, you’re back to square one. Guns and bombs can be used again and again in the same way, with roughly the same effects. Digital exploits cannot.
For this reason, many experts have long been uncomfortable with the language around cyber. The terminology of war, they believe, is neither accurate nor helpful for understanding.
As cybersecurity researcher Dr Lennart Maschmeyer put it in a recent essay, cyber conflict “is not war.”
“Rather than a military offensive where actors deploy troops to overpower an adversary and compel them to their will through force,” Dr Maschmeyer wrote, “cyber operations produce outcomes by sneaking into systems by exploiting flaws in their design to make these systems do things neither their designers nor users intended or anticipate.”
In other words, cyber is closer to the sort of thing an intelligence agency might do, rather than an army, navy or airforce. It might well be going on in Ukraine right now, but as a supplement to the military offensive, not a replacement.
Taking on this point of view means downgrading our fear of a catastrophic cyber attack, while simultaneously increasing our wariness about the possibility of cyber disruption in our own backyard – for if cyber is primarily relevant in activities short of war, the risk of it being used by Russia on European and NATO countries is undoubtedly high.
Unfortunately, increasing our wariness is not easy, because it is not a purely technical matter. Cyber attacks take aim at vulnerabilities in societies as well as in computer systems, and at private companies as well as government entities. To defend against them, therefore, involves improving the resilience of society as a whole.
Or, at least, we think it does – because there is still so much about cyber that we do not know. This field is evolving rapidly, often in secret, and our experience of it is tiny compared to conventional weapons. Our best theories about it are little more than educated guesses.
Read more: Could Russia turn to cryptocurrency and cyber crime to dodge sanctions?
That is why observers such as Mr Sullivan of RUSI warn that we shouldn’t read too much into the events of the last week. Russia has not shown its hand in cyber. There may well be more to come.
“I still think Russia is a cyber power,” says Mr Sullivan. “It’s a reckless cyber power. That remains.
“We still have to be very mindful that Russia, with the right strategic objective and the right amount of resources, would no doubt focus on Western infrastructure if that was going to give it an advantage.”