Cyber experts, policymakers, and practitioners are striving to understand how cyber capabilities have been used since the Russian invasion of Ukraine one year ago. These analyses have missed a crucial lesson from fifteen years ago: cyber power requires soft power.
While it is hard to come to firm verdicts about the efficacy of cyber operations related to Ukraine (because cyber operations are often kept secret and cannot be spotted by open-source sleuths), some conclusions appear rather obvious.
For example, Ukraine’s cyber defenses have been remarkably resilient. There are multiple sources of this defensive strength; in particular, the savvy, energy, and determination of Ukrainian cyber organizations, which have been adapting to Russian offensive campaigns since at least 2014, have been critical. Kyiv has also been backed by cyber defense assistance from the private sector and offensive and defensive cyber interventions by U.S. Cyber Command.
These advantages were driven in large part by the strength of Ukrainian soft power. Connections to allies, global tech firms, and networks of information security researchers allow states to mobilize defenses unavailable to others.
Estonia and the Earliest Signs of Cyber Soft Power
Ukraine was not the first to mobilize soft power for cyber defense. In 2007, Estonia was able to resist the online onslaught of Russian hacktivists largely because it received, as Ukraine does today, help from friends and allies. RIPE, the European network operator group composed of internet service providers and telecommunications firms, happened to be meeting in Tallinn during the attack and rapidly reached back to their home countries to help the Estonians stop distributed denial of service and other cyberattacks.
To help mitigate the massive denial-of-service attacks, a little-known volunteer trust group, Network Service Provider–Security (NSP-SEC), sent in two liaisons. Using NSP-SEC’s trust-based connections with global network service providers (such as AT&T or Deutsche Telekom), the liaisons were able to shut down attackers based on intelligence from the Estonian computer emergency response team.
Toomas Ilves–the native English-speaking and tech-savvy then-president of Estonia–charmed Estonia’s friends and allies in NATO and the European Union into condemning Russia’s attacks. The attack motivated the Estonians to increase their cybersecurity, and they became renowned for their cybersecurity nous, a reputation Ilves and others skillfully leveraged to build on and further project their soft power. When NATO decided to create a new Cooperative Cyber Defense Center of Excellence (CCDCOE), something the Estonians had been pushing for years, it was built in Tallinn, Estonia’s capital.
Ukrainian Soft Power
Harvard professor Joe Nye describes soft power as co-opting and attracting others with an engaging culture, attractive political values, and legitimate policies.
Ukraine–which had an initial reputation as a corrupt state that might fail quickly–rapidly excelled across all three of these areas, fighting back with bravery and distinction. In particular, President Volodymyr Zelenskyy has, similarly to Ilves but at far, far greater magnitude, charmed and rallied allies and friends to the Ukrainian cause.
In addition to tanks, Javelins, and artillery ammunition supplied to the Ukrainian military, Ukraine’s allies have also lent technical support to the country. General Paul Nakasone, the commanding general of U.S. Cyber Command, has confirmed his teams “conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations” in support of Ukraine. While this provision of aid is motivated in part by fears over Russian aggression, Ukrainian soft power has played an important role in creating popular support for sustaining high levels of aid.
The private sector has chipped in as well. Groupings like the Cyber Defense Assistance Consortium, co-founded by Greg Rattray and Matthew Murray, have brought together over a dozen companies “to help Ukraine cyber defenders secure networks, hunt for and expel malicious cyber intruders, improve attack surface monitoring, and provide cyber threat intelligence to protect critical infrastructure.” Google and Microsoft have provided extensive free support against DDoS attacks and to better protect the Ukrainian government and critical infrastructure. Ukrainian networks may not have survived without early and free access to Starlink satellite internet equipment.
Of course, other factors have helped to rally support: disgust with Russian war crimes, U.S. soft power, and a desire to see Russia weakened. This may not have been enough if Zelenskyy had been personally corrupt or a dictator.
Ukrainian soft power, and strong resolve on the part of its international partners, enabled the flow of assistance which has bolstered Ukrainian defenses. Tainted by corruption, Ukrainian soft power was low before the war, but expanded because of the fierceness and bravery of Ukrainian defenders in the face of Russian barbarity.
Cyber Soft Power Abroad and at Home
Like all forms of power, soft power is not equally distributed. Some big states, like Russia and China, can only rely on their own companies and a thin set of international allies, few of which bring substantial cyber or technical capabilities. Taiwan has extensive connections to Western technical firms but will be looking at the Ukrainian war for lessons on how it can mobilize international support in case of Chinese cyberattacks.
While America’s reserves of cyber soft power were depleted after the Snowden revelations of extensive surveillance caused a severe rupture between the U.S. government and American tech firms, a decade of hard work has in part restored U.S. soft power.
This has enabled major diplomatic wins like the acceptance by every member of the UN General Assembly of U.S.-backed international norms and the recent election of an American candidate for secretary general of the International Telecommunication Union. U.S. soft power has also allowed the country to create a network of allies, who can work in concert to achieve successes, such as coordinated law enforcement takedowns of malware and disruption of cybercrime groups, partnering on attribution of groups, and combined military “hunt-forward operations” where U.S. cyber soldiers sit side-by-side with allies to find and eject adversaries from sensitive networks.
These relationships will not run on autopilot, however, and U.S. policymakers should continue to cultivate soft power through international diplomacy, capacity building, collaboration with the private sector, and humility in understanding that the best answer to cyber operations is not just a stronger offense. Whatever the processes, the lesson of Ukraine is clear. It is not enough to have just formal cyber defense organizations: cyber power also relies on attracting and engaging allies, wherever you can find them.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs and author of the first history book of cyber conflict, A Fierce Domain: Cyber Conflict, 1986 to 2012. This article reflects his personal views and not those of any affiliated institutions.