It is a fallacy to say that cyber has not been a factor in the war in Ukraine. Both sides are using cyber capabilities to pursue their aims. Both sides understand the potential of integrating cyber and information confrontation with their military effort. And both sides know that they are engaged in a struggle for influence and opinion far beyond the immediate battlefield. It is a very modern digital and cyber war, as much as it is a brutal and destructive physical one.

Six months after Russia’s invasion, it is becoming clear how differing physical and virtual approaches have shaped the conflict. Just as with its land invasion, Russia’s initial online plans appear to have fallen short. The country’s use of offensive cyber tools has been irresponsible and indiscriminate.

Their information operations have proven clumsy and have been challenged by the release of intelligence. And Russian military attempts to destroy the digital infrastructure of Ukraine and to sow discord using cyber capabilities have been met with staunch, professional and effective Ukrainian cyber defence.

As the UK’s intelligence, cyber and security agency, GCHQ has long tracked the threat that Russia poses. With our allies we have an ever-evolving picture of its intelligence and military objectives in cyberspace. We have consistently called out their activities that go beyond responsible behaviour in cyberspace. We have challenged the ways in which the Russian state has turned a blind eye to the powerful criminal cyber groups operating with impunity in the country. And we have worked with industry and our allies, to operate in support of Ukraine, address disinformation and safeguard critical cyber infrastructure.

Although we knew that Russia was capable of playing by different rules, its actions in Ukraine have now shown this to the world. As a result, we are seeing a reshaping of the cyber landscape. There is now much greater co-operation between big tech companies and governments on security than before the war, a polarisation of positions on the use of cyber in war and a renewed effort to redefine cyber norms.

Looking back, we now know that the first shots of Vladimir Putin’s unprovoked invasion of Ukraine were taken in cyberspace before bullets were fired on February 24th. The month before, Russian Military Intelligence deployed WhisperGate malware to destroy and deface Ukrainian government systems. And less than an hour before Russia invaded Ukraine, it targeted ViaSat satellite networks used by Ukrainian military, government and civilians. The attack spilled over into neighbouring countries causing collateral damage across a range of services, from wind farms to internet access.

Secret intelligence allowed us to spot this activity. The private sector spotted it too, and companies were quick to publicise and patch the problem. This partnership, between government and the private sector, which the National Cyber Security Centre (a part of GCHQ) plays a leading role in, has become increasingly important as Russian efforts to disrupt Ukrainian government and military systems have intensified.

Online disinformation quickly became a major part of Russia’s campaign, to cause confusion and chaos in Ukraine and beyond. Russia has used this playbook before, including in Syria and the Balkans. It aims to sow mistrust in information sources, to misrepresent Ukrainian actions and to promulgate false narratives about the reasons for Russia’s actions. We have taken action to counter these twisted truths. From providing warnings about the onset of war, to the rapid release of intelligence, and working with Western technology platforms to remove lies, we have shone a spotlight on the Russian state’s approach.

Much of this has been successful. So far, President Putin has comprehensively lost the information war in Ukraine and in the West. Although that is cause for celebration, we should not underestimate how Russian disinformation is playing out elsewhere in the world. Many of the most populous countries did not agree to the UN motion censuring Russia for its invasion. Public opinion in those places matters and it is influenced already by the information coming out of Russia. This is a new front to the war in Ukraine and its effects will endure at least as long as the conflict does. We must take action to confront organised state disinformation campaigns and to ensure they do not succeed in blunting international outrage over Russia’s actions.

In all of these areas, we have seen the Russian state try to align and co-ordinate cyber capabilities alongside more traditional facets of military power. To date, this hybrid intent has not succeeded; the impact has been less than we (and they) expected.

In part, this is because Ukraine has proved itself to be an extremely effective cyber defender. Since the annexation of Crimea in 2014, it has painstakingly developed a digital fortress. As we have witnessed heroic defence by Ukraine’s military, online we have arguably seen the most effective defensive cyber activity in history. Operating under sustained pressure against a very capable adversary, this team of industry, intelligence, security agencies and in some cases, citizens, has worked side by side to warn, respond and remediate.

These cyber defences proved stronger than Russia anticipated. Somewhat ironically, we’ve seen its military activity compound its problems. Russian strikes took down the very networks they were trying to infect. They forced the Ukrainians to diversify and use alternative forms of communication that were more secure. That actually enhanced Ukrainian resilience.

Thankfully, all of this cyber activity has not resulted in collateral damage outside Ukraine of the scale of the NotPetya attacks in 2017, which disrupted Ukraine’s banks, airports and more. This may be because Russian cyber actors are carefully calibrating to avoid escalation. After all, NATO has made it clear that a serious cyber-attack against a member country could trigger Article 5, the alliance’s mutual defence clause. The danger of overspill to NATO countries is very real—we’ve seen incompetence and carelessness by Russia before.

An important component of our response to this situation may involve the UK’s National Cyber Force (NCF)—a partnership between GCHQ and the Ministry of Defence. This builds out from our world class cyber defence and resilience, to deliver offensive cyber capabilities. I won’t go into detail about NCF activity—stealth and ambiguity are key attributes of cyber operations.

This secret and important work is conducted in accordance with international law and domestic legislation. It is authorised by ministers and scrutinised by judicial commissioners. It is this ethical, proportionate and legal approach that sets us apart from our adversaries and from Russia’s use of cyber capabilities in this war.

Learning the lessons of these early stages of President Putin’s war, it is hard to overstate the importance of Ukrainian cyber defence to the fight. The country’s experience has shown that online, the defender gets to choose how vulnerable they are to attack. And that we, as allies, show we are serious about the responsible use of cyber power. These are lessons that we and like-minded partners around the world must heed. 

Sir Jeremy Fleming is the Director of GCHQ, the UK’s Intelligence, Cyber and Security Agency.
