What's hidden in Ukraine? Dutch intelligence says cyber attacks "not yet" public knowledge
Statement illustrates poorly understood aspect of cyber warfare
The Dutch military and foreign intelligence services wrote in a public assessment, summarized by The Record, that many cyber attacks during the 2022-23 period of the Russo-Ukrainian War have not been made public.[1]
There are many reasons this may be true.
The public, including most - but not all - commercial cyber intelligence providers, can’t adequately assess war-time cyber-enabled operations. There are numerous reasons the public may not be aware of ongoing activities, and definitive statements attempting to comprehensively catalogue cyber warfare incidents since 24 February 2022 are unlikely to capture the full story.
War-time cyber activities don’t advertise
Foremost, operations may be covert[2] and deniable, or clandestine.[3] Examples include sabotage of military hardware capabilities, and attacks on critical infrastructure to disrupt operations and degrade will. Cyber operations in this realm need not be claimed by the perpetrator, and details may never be revealed. Credible commercial sector analysts rightly shy away from trying to "prove a negative.” Speculation regarding whether an event was affected - or effected - by covert activity is rarely helpful.
Relatable analogues may include claims the US conducted cyber operations to sabotage North Korean missile launches,[4] which is deniable and difficult to prove without an operational failure or “leakage” reminiscent of Stuxnet. This type of claim lives primarily or exclusively in US media reporting, which, while sometimes conducted by stellar investigative journalists with access to credible sources, should not be taken as a wholly unassailable record of events - as anyone with experience seeing classified operations and responsibilities inaccurately written about in media can attest.
Combined operations give “cyber-exclusive” specialists tunnel vision
Secondly, the activity may be part of a broader strategic objective set involving cyber-enabled activity, traditional sabotage means, or both/neither. Cyber operations don’t always operate in a vacuum. Commercial analysts and public observers have divided expert consensus on geopolitical objectives, and generally have only extrapolated insight into foreign intelligence services’ intelligence requirements and priorities. Per above, active non-technical or non-cyber-enabled operations conducted by major powers are also commonly by nature concealed from the public. This means cyber activities ostensibly conducted in isolation may be conducted in tandem with other activities as part of the same operation plan, constraining observers from building a whole picture of a mission set and misleading them into believing isolated cyber-enabled activities - when detected - indicate strategic objectives more limited or less effective than reality.
This limitation applies anywhere. Examples may include speculation in the US regarding February 2023 train derailments in Ohio, chemical fires at industrial facilities, or other such events - e.g., if hypothetically we saw ostensible infrastructure sabotage in a NATO country.
We can’t know without evidence whether events like these are organic, sponsored by bad actors, part of a broader strategy, or none of those things.
We can know the effect is degraded trust in infrastructure among the regional population (and beyond) and increased perception of US decline.
Given a cyber incident targeting regional infrastructure providers and disrupting operations, we would still not know whether such events were related unless provided additional insight into the attacker(s), or more certainty about the causes, fully traced back through the chain of origin.
The same applies to an even greater extent to active combat zones like Ukraine, where “incidents” obviously occur all the time without reliable attribution or root cause, but with significant target effects.
Disabled military materiel may almost always have attributable root causes, but in such cases where it is less clear or with increasingly computerized hardware with onboard chips subject to human-enabled manipulation (i.e., networking with the public internet is not required), undetected sabotage is possible. To this end, Thomas Rid and others have written or spoken about command and control infrastructure attacks detected only because of errors by the perpetrators.
While it’s unlikely events like these are widespread, or common (in this author’s opinion), they evoke what the public might be “missing out on.”
Targeted institutions don’t advertise during war-time either
Finally, the low-hanging fruit: It’s not strategically advantageous for targeted entities to reveal successful compromise or attack. While there’s some debate regarding the information advantage of exaggerating vs. under-stating one’s capabilities (see the missile gap for provocative ideating), Western media and allies seem disinclined to present Ukrainian force and institutional disposition as battered or defeated.
As the Dutch intelligence services wrote, it is in targeted institutions’ nature to remain secretive about such incidents - particularly during war-time. It offers the attacker a propaganda victory and morale boost.
What comes later
None of this is to comment on Russia’s cyber capabilities or sophistication. These principles apply to most national powers driven by political and military objectives (diplomatic and economic objectives more typically additionally include clandestine and overt activity beyond the scope of this write-up). Observers and public sphere analysts, however, should remain cautious in judging the volume of cyber-enabled activity in Ukraine over the last year. There is much that can’t be known.
Like Stuxnet before it, there may later be one or two revelations in media while many more operations are never uncovered. Near-term uncertainty may be dissatisfying, but it is far less an agitation to say what is unknown than to assign cyber combat power to insights derived from light through a pinprick.
1. Dutch original, translated here, emphasis added: “Russian intelligence and security services have, before and during the war, engaged on a large scale in digital espionage, sabotage and influence activity against Ukraine and NATO allies. The pace of Russian cyber operations is high, and many of these attempts have not yet become publicly known. Ukrainian and Western digital defences have so far been able to limit the impact of continuous Russian attack attempts. During the war it has also become apparent that Russia has difficulty synchronising cyber operations with other military operations, such as air strikes.”
2. Not to be confused with clandestine. US interpretation of covert activity in layperson terms means roughly, "The event occurred, but it wasn't necessarily [the sponsor]" or “[the sponsor] wasn’t there.” Covert activity is often attached to claims of plausible deniability. Clandestine means roughly, “[the sponsor] may have been there, but that event didn’t necessarily happen,” or may also not be revealed at all. Covert conceals the identity of the sponsor; clandestine conceals the event.
3. Operations may also be clandestine - see previous footnote - which needn’t be outlined here because the purpose of this article isn’t to discuss covert vs. clandestine operations. Russia has conducted a clandestine war against the West and Ukraine through intelligence collection and espionage for decades.
4. A counter to the New York Times piece came out in WIRED, claiming sabotage is implausible because the North Korean military is not connected to the public internet. While I offer no opinion on the veracity or likelihood of David Sanger’s piece, this displays a poor understanding of nation-state military/intelligence operations and capabilities.