You can’t predict a surprise. But, the degree of surprise often varies. Some, like the attack on Pearl Harbor, are deep strategic surprises (for the classic analysis, I recommend Roberta Wohlstetter’s “Pearl Harbor: Warning and Decision.”) The 9/11 attacks were similarly disorienting. Others, like the Bengals victory over the Chiefs in the NFL playoffs, are surprising in one sense (since the Chiefs were favored), but not so utterly unanticipated that they are deeply disruptive.
As the Russian-Ukraine crisis moves forward it might be useful to think about surprise in that context—particularly with respect to cybersecurity matters.
Governments and the private sector will, of course, expect the normal level of surprise. There will be denial of service attacks and the surprise will only be where and when. Likewise, we can expect disinformation campaigns, false flag operations, and even disruptions to Ukrainian critical infrastructure.
As Jason Healy has put it, the possibilities of surprise in cyberspace are almost limitless. But if the defenders have done their jobs well, their responses will be as good as they can, in practice, be. That may or may not be sufficient to the task—but the surprise factor will be only a small component of the overall success or failure.
What then, of the bigger strategic surprise. Here, of course, we drift into rank speculation. But I recently polled some of my information security colleagues and asked them to put on their “blue sky thinking” caps and give me their worst-case scenarios. Here of some of them:
What if Ukraine’s weapons don’t work? It’s possible that many of the more sophisticated weapons rely on computer systems that can be disabled. If the gun doesn’t fire, is it really a gun at all?
Will deep fakes play a role in the upcoming conflict? What, for example, might happen if a video of Ukrainian President Zelenskyy surfaced in which he abdicated his office? One can imagine an almost infinite number of possibilities—I understand, for example, that the head of the Ukrainian Greek Catholic Church, Major Archbishop Sviatoslav Shevchuk, is highly influential. What if he “changed sides” in a video release that was faked?
What if Russia decides to expand the cyber battlefield? What is the Western response if, say, Putin decides to punish Lithuania for providing support to Ukraine? We might see disruption efforts against non-Ukrainian targets (in the U.S. or in NATO) though perhaps this surprise will be at the tactical level, rather than the strategic.
What if Russia decides to hold at risk critical international initiatives? In this time of pandemic response, for example, the supply chain for vaccine production and distribution is both extremely important and extremely fragile. Think of how badly the NotPetya ransomware disrupted Maersk shipping and multiply that 10-fold, and you get the idea.
Some of the ideas I’ve heard are so off-the-wall that, candidly, I don’t want to publish them. But this gives you a sense of the problem. The three critical characteristics of the cyber domain that differentiate it from the kinetic are that it is: connected across the globe; pervasive in the economic life-blood of the world; and asymmetric in its ability to enable power projection. Never before has the world faced a kinetic war with that background of baseline vulnerability.
And that’s a scary prospect. We are about to see what war in the cyber era really looks like and, truthfully, nobody can tell you what will happen next.