Contrary to widespread expectations, the use of cyberweaponry in the Russian war with Ukraine has so far been limited. To date, the only significant, sophisticated operations with suspected Russian involvement are the attacks on communications giant Viasat’s satellite networks, attempts to install data-wiping malware on Ukrainian government systems, and attacks against two major Ukrainian telecommunications firms.
There are several reasons that can plausibly explain why cyber operations have remained marginal in the conflict. First, the Ukrainians have done a good job at bolstering their digital defenses, helped in part by their American allies. There are also the inherent limitations of cyberattacks: in an all-out kinetic war, missiles offer a faster and more effective means of achieving strategic objectives than lines of code.
Last, but certainly not least, it is worth remembering that we are in the early stages of a war that will drag on, potentially for months, leaving plenty of time for new Russian cyber operations. Apparent reluctance to use cyber capabilities beyond limited operational-level hits or disinformation campaigns may well abate as fears of spillover or retaliatory Western cyber responses diminish. The European Union (EU) must act now, while the intensity of cyber conflict outside Ukraine is still relatively low, to bolster its defenses and prepare for the specter of wide-ranging, damaging cyber operations later in the conflict.
Cyber and information warfare: The cornerstone of Russia’s next move?
Even if the Russians agree to a truce, cyber and disinformation efforts would be one of the few avenues available to them to inflict damage on Ukraine in the gray zone below the threshold of direct confrontation. As the Russian military shifts its objectives, resources and bandwidth will be freed up to fight from the rear. A cornered Moscow–with few other options left on the table–is likely to resort to the cyber domain, as other pariah states have done, as the ideal vector to circumvent isolation, spy on and disrupt Western defense plans, steal technology and intellectual property it will be cut off from, and heighten its global nuisance with disinformation operations. Recent attacks on a major Ukrainian telecommunications firm, Ukrtelecom, have heightened fears that Russia’s stalling military campaign could cause it to turn to cyber operations as another means of achieving its aims.
What should the European Union do in the immediate term?
The EU has adopted new frameworks, including its much vaunted Strategic Compass, which, in the long term, will improve cybersecurity in the bloc, and potentially reduce the risk of catastrophic Russian cyberattacks. However, the EU needs to take more steps in the short term to shore up cyber defenses and mitigate the threat of Russian cyber operations.
First, the EU should get its own house in order. The revised Network and Information Security (NIS) Directive–better known in Brussels circles as NIS 2–should be finalized in the coming months and will aim to further strengthen the security of supply chains, streamline incident reporting obligations, and introduce more stringent supervisory measures for a large number of operators of essential services and enterprises across the EU. While NIS 2 represents a step in the right direction, the EU still has some way to go in implementing harmonized cybersecurity rules across the bloc’s own institutions.
Second, the EU and its Member States have a role to play in discouraging and deterring cyberattacks by demonstrating a willingness to act and impose costs on perpetrators. The first-ever operational deployment of the EU’s Cyber Rapid Response Team to Ukraine, alongside similar teams from the United States, was a welcome signal in this respect. One way to impose further costs would be by pushing for coordinated attribution of cyberattacks at the EU level. On the offensive and deterrent side, the EU should adopt a pooling of capabilities on a voluntary basis. Similar programs already exist among other groups, such as NATO’s Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA) program, which the EU could use as a model for its own programs.
Third, the EU should ensure it is better prepared by leveraging the tools it already has at its disposal. Intelligence sharing and situational awareness have proven vital before and during the war in Ukraine, but the future effectiveness of these strategies in deterring and mitigating cyberattacks will depend on Member States’ willingness to contribute timely and actionable intelligence. In the short term, the Cyber Crisis Liaison Organisation Network (CyCLONe), a recently created group bringing together the executives of the EU’s twenty-seven national cybersecurity authorities, should be used to its full capability and integrated with the rest of the EU cyber ecosystem. CyCLONe, with its wealth of operational-level expertise, should be able to brief political decision-makers in the Council more frequently. On the military side, the EU still lacks a fully fleshed-out cooperation mechanism for military cybersecurity alerts, despite this being an objective since the 2014 EU Cyber Defence Policy Framework. Ensuring cooperation among both civilian and military groups is vital given the specter of Russian cyberattacks.
Supporting Ukraine is every democracy’s duty. Russia will attempt to undermine this support through cyberattacks and other means. The EU needs to shore up its cyber defenses at home to ensure all Members can continue to aid Ukraine in the future.
Arthur de Liedekerke is a Project Manager at political advisory Rasmussen Global and a non-resident fellow at the Institute for Security Policy at Kiel University (ISPK), Germany. He has previous experience advising senior officials in the French Ministry for the Armed Forces and the institutions of the European Union (Commission and Parliament) on security and defense matters. He holds two master’s degrees – in international relations from the University of Maastricht and in geopolitics from King’s College London.
Arthur Laudrain is a DPhil candidate in Cybersecurity at the University of Oxford (Wolfson College), Rotary Scholar for Global Peace, and Fellow at the European Cyber Conflict Research Initiative. His research investigates why and how democracies respond to cyber-enabled foreign electoral interference. He received a master’s degree from the Department of War Studies at King’s College London and a Master of Laws from Leiden Law School.