Hacking Power Grids: New Tactic of War or Wave of the Future?

November 03, 2017
Nadiya Kostyuk

According to U.S. cybersecurity company Symantec, a hacking campaign dubbed Dragonfly 2.0 successfully infiltrated U.S. power plants over the past two years. The latest spate of incidents has been particularly alarming because the hackers appear to have accessed control systems at a handful of U.S. facilities. Symantec’s report speculates about the hack’s “potential for sabotage” and “disruptive purposes,” but doesn’t identify the hackers’ origins, saying only that they are “clearly an accomplished attack group.” Other researchers believe the culprits are linked to the Russian government, dovetailing with Ukraine’s allegations that Moscow was behind hacks against its power grids in 2015 and again in 2016.

With Russia now under scrutiny in the U.S. for its reportedly sophisticated use of cyber technology to weaken Washington, it’s fair to ask: If the U.S. and Russia were to go to war, what role would cyber “weapons” be likely to play in such an armed conflict? My recent research on cyberattacks used by warring sides in eastern Ukraine and in Syria’s civil war—conducted jointly with Prof. Yuri Zhukov and published in the latest issue of the Journal of Conflict Resolution—suggests that cyberattacks have not yet become a force multiplier to conventional military tools in wartime. In other words, they had little or no impact on actual fighting. But this may very well change in coming years, since cyber operations are a powerful, relatively low-cost technology for countries to invest in.

Consider this comparison: Coordination between cyberattacks and military operations today is roughly on the same level as that between air power and ground operations in World War I. Back then, armies were increasingly using aircraft for reconnaissance and surveillance on the front, but were not yet able to fully exploit their potential for ground combat support and strategic bombing. Some 25 years later, in World War II, air campaigns’ role in lethal violence had grown much more direct, to devastating effect.

The cases of Ukraine and Syria are illuminating since they are among the first in history when both sides in a conflict extensively deployed cyberattacks alongside traditional tools of war. In the past decade, cyberspace has started playing a highly visible role in armed conflict, specifically in facilitating strategic communication between civilian and military leadership, disabling or degrading key infrastructure and exploiting or hijacking government computer systems, while also serving as a tool for propaganda. Insofar as Ukraine’s and Syria’s experiences can help understand the implications of using cyberspace to coerce one’s opponent in military conflict, they may be helpful, too, in designing more effective policy responses.

Research Shows Disconnect Between Cyber and Kinetic Ops

During the conflict in Ukraine we observed a wide variety of cyber activities, tactics and procedures, but our research focused on disruption attacks aimed at directly sabotaging opponents’ ability to operate in the physical or electronic realm. (While the importance attached by both sides to online propaganda was evident—in part from the time and resources spent by pro-Kiev fighters on updating Wikipedia and by pro-separatist groups on creating and running dedicated YouTube channels and social media accounts—those activities do not aspire to directly influence military operations in the short term.)

Since our main goal was to evaluate whether and how cyber actions affect physical violence in war, we compared two datasets: the first with 1,841 unique, mostly low-level cyberattacks from Aug. 27, 2013, to Feb. 29, 2016, and the second with 26,289 violent events from Ukraine’s Donbas region, recorded between Feb. 28, 2014, and Feb. 29, 2016. Thanks to the sophistication of hackers on both sides, the public nature of many attacks and an abundance of data, we were able to observe the short-term coercive impact of cyberattacks in the Ukrainian conflict. We then used analogous event data on Syria to evaluate the generalizability of our results.

Our findings in both conflicts demonstrate that there is a strong escalatory dynamic between kinetic operations by both sides of the conflict (in other words, attacks beget counterattacks), but the relationship between cyber and kinetic operations is far weaker than that between rebel and government violence on the ground. Perhaps most surprisingly, we found little strategic interaction between “cyber warriors” on each side of the conflict: There was no reciprocity in cyber actions; the two warring cyber campaigns unfolded independently of each other and independently of events on the ground.

Explanations for the Weak Link

Our interviews with Russian and Ukrainian cybersecurity experts highlighted five potential explanations for the apparent failure of cyber coercion in the case of Ukraine:

  1. First is a lack of resources and capabilities, particularly for the Ukrainian government. It is possible that, with adequate resources, capabilities and human capital, the Ukrainian cyber campaign against Russia and its allies on the ground might have been more effective. Resource constraints, however, do not explain coercive failure on the pro-Russian side, where investment in cyber capabilities is more robust.
  2. Second is a lack of government coordination with hackers due to either the illegality of the latter’s activities or the low priority of cyber operations. Yet, again, the first half of this explanation is less plausible on the pro-Russian side, where the Kremlin has cultivated extensive ties with non-state hackers.
  3. Third was a lack of targets—an explanation challenged by the 2015 and 2016 hacks of Ukraine’s power grids.
  4. Fourth is a lack of “audience” due to the peculiarities of the Ukrainian online population, who pay more attention to purely propagandistic campaigns than disruptive ones.
  5. Last is a lack of effort by the Russian government, which may be carrying out cyber espionage campaigns and may already have considerable access to Ukraine’s information and telecommunications networks, especially those that rely on Russian hardware and software. Sometimes gathering information and spreading propaganda or misinformation are more important for achieving one’s goals than is disrupting an adversary’s actions.

What This Would Mean for a US-Russia Standoff

Our findings directly apply to a potential Russia-U.S. scenario, despite the many ways in which such a clash would differ from the conflicts in eastern Ukraine and Syria: Both so-called cyber powers have the resources, capabilities and human capital to execute a cyber campaign that targets the other side’s critical infrastructure; today, this arsenal may not be ready for deployment in direct support of military operations, but this could change relatively quickly.

One major difference for Moscow in a face-off with the U.S. is that Russia would no longer be the strongest cyber player on the field. In America Moscow would face a formidable opponent—including 133 teams of the Pentagon’s Cyber Command. Fears of possible retaliation from such a powerful foe may keep Russia from aggressively pursuing militarized cyberattacks despite a few seeming advantages (discussed immediately below).

U.S. infrastructure is particularly vulnerable as much of it lacks adequate cybersecurity measures and heavily relies on the internet. An abundance of targets, ranging from healthcare providers (as in the case of WannaCry) to banks and dams, makes the U.S. an easy and suitable target if Russia decides to act, for example by exploiting access to the American power grid. In contrast, only a small portion of Russia’s critical infrastructure relies strongly on the internet. Moreover, the U.S. would be vastly less adept at using propaganda than Russia with its troll factories, extensive message-shaping experience on state-run TV and alleged prowess on social media.

For these reasons, and due to the challenges of force synchronization during conflict, both countries would be better off duking it out on a conventional battlefield. Hackers—especially those not integrated with military forces—may not observe battlefield events on a tactically relevant timeline. Even if they did, the lead time required to plan and implement a successful attack—studying the target system, collecting intelligence on its vulnerabilities and writing code that exploits them—can make these efforts difficult to synchronize with conventional operations.

That said, well planned, highly precise cyberattacks on adversaries can be extremely effective (take, for example, Stuxnet) and it is no wonder that both Russia and the U.S. want to enhance their capabilities in this arena. This summer President Donald Trump elevated the status of CyberCom, while Russia, as of last year, planned to “significantly strengthen its cyber-offensive capabilities,” reportedly investing $200 million to $250 million annually on activities like “the development and delivery of malicious programs” able “to destroy the command and control systems of enemy armed forces” and “elements of their critical infrastructure.” Some analysts argue that long before Russia tried to interfere in the 2016 U.S. presidential elections, it had been developing offensive cyber capabilities “against possible future targets—what strategists sometimes refer to as holding targets at risk.” Those efforts are likely to grow in intensity before they ebb.

Author

Nadiya Kostyuk is a doctoral candidate in political science and public policy at the University of Michigan, Ann Arbor, and a pre-doctoral fellow at the Cyber Security Project of Harvard Kennedy School's Belfer Center for Science and International Affairs.

Photo credit: Flickr photo by Ian Muttoo shared under a CC BY-SA 2.0 license.