The Folly of Cyber War
Cyber War is diplomacy by other means. It is the use by a nation-state of computers and telecommunications networks to harm an opponent. It has been described as a Revolution in Military Affairs (RMA), meaning that its use can have a strategic effect on the outcome of a conflict. Many billions of dollars have been invested by all major nations in development of these war-fighting capabilities. R&D continues today. But in spite of occasional success in information operation attacks here and there, the proxy conflict that has broken out between the United States and Russia in Ukraine shows that cyber has at best a peripheral effect on a war’s outcome. This gap between what is expected of cyber and what actually is delivered is a result of different definitions of cyberwar and how they are expressed in national defense doctrines—some more inclusive than others.
Below, we examine several instances of cyberwar in Ukraine: the Maidan Revolution, the 2014 annexation by Russia of Crimea, the 2015 attack against the electrical power grid, and the current war which started in February 2022. These examples cover a wide range of actions under the broad umbrella of “cyberwar.” What they will show is that cyber is effective in the propaganda and information operations realm. It also is useful in support of police operations having a moderate level of violence. But in real warfare, cyber is not a key factor in determining the outcome. In fact, as war intensifies, the efficacy of cyber rapidly diminishes to zero.
The most specific type of cyberwar is the use by a military during a declared war to sabotage the opponent’s military equipment. For example, during the First Gulf War in 1991, a cyberattack disabled Iraq’s air defense radars, thereby facilitating unrestricted bombing by the United States. Next, cyber may be used to disable or destroy civilian infrastructure. For example, the electrical power grid may be shut down or the national telecommunications networks may be paralyzed. This type of cyberattack harms civil society but prevents elements thereof from supporting the opponent’s military efforts through actions such as providing supplies or handling communications. The “kinetic” equivalent of this would be simply dropping a bomb on the central telephone switching center, a descendent of the World War II concept of “strategic bombing.”[i]
Outside of a state-based war context, cyber may be used by the military to facilitate special operations to enforce international law, such as to prevent nuclear proliferation. For example, Israel’s September 2007 bombing of the North Korean-supplied Al Kibar (Dair Alzour) undeclared nuclear reactor being set up in Syria was enabled with a cyberattack “using standard scrambling tools”[ii] that disabled the capability of the Syrian air defenses to detect the approaching bombers of the Kheil HaAvir, the Israeli air force. In addition, sometime before 2010, the StuxNet malware, the world’s first strategic cyber weapon, was used to destroy centrifuges at the illegal[iii] underground uranium enrichment plant in Natanz, Iran, while remaining undetected by the plant operators.[iv]
Cyber War also is defined more broadly as involving “information warfare,” which is the use by the State to introduce doubt into the population of the opponent regarding the credibility, legitimacy, justness, or wisdom of its government.[v] This sometimes is called “psychological warfare,” typically abbreviated PSYOPS. These operations may be conducted by either the military or other parts of government, such as the clandestine service, sometimes using non-governmental organizations (NGOs) or, in the case of the United States, also by the Department of State under the guise of “public diplomacy.” This type of activity also is defined as Cyber War.
Differences exist in how Russia and the United States incorporate cyber into their national defense doctrines. Russian official doctrine has a broader view of information warfare than does the United States. Apart from standard concerns regarding attacks against information systems, e.g., destruction, modification, theft, or implantation of malware or crooked information, Russia in its military doctrine places relatively more emphasis on the dangers of propaganda in harming national cohesion. Russia also appears to be more narrowly focused institutionally. Russian cyber operations cover both domestic and international domains, and are organized as a unified coordination structure under the Office of the President and the Ministry of Defense. In national defense, the Main Directorate of the General Staff (GRU) directing Russian military intelligence is said to operate several groups of hackers, including Fancy Bear and Sandworm. Unit 26165 attacks political and governmental targets. Unit 54777 handles psychological operations and disinformation. Unit 74455 in June 2017 launched a cyberattack against Ukraine. Russia has opened a number of government-run cyber training schools and operates a national talent identification program to find the most promising cyber warriors. In supporting national defense against a cyberattack, including launching counter-attacks in retaliation, Russia makes extensive use of civil society (volunteers, sub-contractors such as Kaspersky Labs, and temporarily-deputized hackers).[vi] Unlike the United States, the Russian legal environment does not discourage hackers; it is not against the law for a hacker to attack information systems outside of Russia. Use of these civilian hackers in national defense makes government involvement deniable and un-provable. Generally, however, Russia is not as forthcoming as the United States in broadcasting how its military operates.
The United States has a less unified capability in conducting cyberwar. Under the Department of Defense is the National Security Agency/Central Security Service, which is the largest intelligence organization and in charge of signals intelligence (or eavesdropping) around the world. It also works to protect communications of the U.S. Government. The U.S. Department of Defense in May 2010 stood up Cyber Command, a new military organization designed to handle both cyber offense and defense. It appears that the most powerful offensive cyber weapons are developed within NSA, although under the espionage statutes it is illegal to discuss them. For international information operations, the Department of State in 2011 created the Global Engagement Center which is designed to identify, counter, and censor (or cause to be censored) foreign propaganda. In addition, it funds the National Endowment for Democracy, a channel for supporting groups in foreign nations relaying its information warfare and propaganda—although these activities are not described in those terms. For domestic defense against cyberattacks, the Department of Homeland Security operates the Cybersecurity and Infrastructure Security Agency which works to identify and censor foreign disinformation entering the United States and to coordinate cyber defense of civil society across numerous sectors.
The United States does not give official notice of the use of sub-contractors and para-military or civilian militia support of cyberwar. It does, however, engage in extensive sub-contracting to the private sector, particularly with the nest of companies sprinkled around Washington, D.C., which hosts the world’s largest economic cluster of cybersecurity companies.
In spite of these differences in official doctrine, both countries have commonalities: cyber is recognized as an integral component of war-fighting, and cyber has become a crucial component of psychological and information warfare, including disinformation. The principal difference between the United States and Russia is the integration between the military and civil society. In the United States, coordination with civil society is not formalized and is governed by a complex, frustrating, and captious legal environment, whereas the government in Russia does not have this problem.
During the 2012-2014 Maidan Revolution, both pro-Russian and proWestern forces engaged in hacking and information warfare. In 2012, Ukrainian government websites were defaced by anti-Russian forces using digital graffiti, and in 2013 the RedOctober, NetTraveler, and MiniDuke malware were let loose. As the revolution continued to intensify, in 2014 a number of confidential government documents were leaked. The revealed telephone calls of then-U.S. Assistant Secretary of State for Europe Victoria Nuland with then-U.S. Ambassador Geoffrey Pyatt and then-EU foreign affairs chief Catherine Ashton with the Estonian foreign minister were part of this information warfare operation by the pro-Russian side. These recordings only could have come from intelligence services having the capability of collecting them. Russian and Ukrainian[vii] government operations included wide-scale cyberattacks to disable servers and smartphones. Internet accounts were hacked and manipulated, including outright cancellation and hijacking— identity theft. There was a program of censorship against all information flowing through the Internet. In November of 2013, the mobile telephones of protestors were shut down at the same time they were being attacked by armed police. This stripped the protestors of a means of coordination or evasion. There were more than 100 casualties. Access to social media and other accounts was achieved by seizing mobile phones from protestors. Some persons found that pornography had been uploaded to their social media accounts, whereupon they were prosecuted. In Western Ukraine, the protest was inhibited by shutting down opposition television stations. Websites were either shut down with Distributed Denial-of-Service (DDoS) attacks[viii] or their data corrupted, i.e., damaged or changed. For any institution that was occupied by protestors, all access to the telephone network and the Internet was blocked, thereby eliminating the propaganda appeal usually associated with such protests.
It should be noted that rather than destroying the social and telecommunications networks, instead during Maidan these networks were temporarily neutralized, preserved for hosting information operations, or used to aid in police actions. Results were mixed. Although these pro-Russian cyberattacks were effective in temporarily holding back the swelling tide of rebellion, intensified fighting led to the ouster on February 22, 2014 of Viktor Yanukovych, the pro-Russian president democratically elected in 2010.
Annexation of Crimea
The U.S. Ambassador to Russia had warned “Ukrainian entry into NATO is the brightest of all red lines” for Russia. Nevertheless, after the Maidan Revolution in 2014, Russian concerns were ignored and “NATO aspirant country” status was awarded to Ukraine. This confirmed to Russia that the Maidan “coup d’état” (its terminology) was a step on the road for Ukraine to join the West—not only with its economy, but also with its military. For years, during numerous negotiations, Russia had expressed its view that membership of Ukraine in NATO would be viewed as an “existential threat.” The term refers to fears that the matter could threaten the existence of Russia or its government. Crimea had been part of Russia for 183 years, from 1783 until 1991. In 1997, a treaty had extended the Russian lease of Sevastopol,[ix] Russia’s only warm water port and the home of its navy’s Black Sea Fleet. The prospect of this cornerstone facility falling into the hands of a NATO country fits this classic definition of an existential threat.
The 2014 annexation of Crimea was a response to the Maidan Revolution. Russian actions fit the textbook example of the information operations side of cyberwar. The extensive use of “Active Measures,”[x] many with a cyber component, was coordinated with military operations and provided essential support. GPS data from mobile telephones was used to locate Ukrainian army units so they could be targeted for liquidation. Even the Russian army was dressed as a civilian force, and gained the nickname “Little Green Men.” The active measures pursued by Russia during the annexation were an important part of Psychological Operations. These included: (a) changing public or government opinion by supplying forged documents or repeating lies; (b) use of front groups such as NGOs to coordinate activities for influence; (c) deploying other political influence operations using in-place agents or recruits in civil society and government; and, in the case of Russia in Ukraine, (d) use of the Russian Orthodox Church.
Much of the cyber-related activity during the Maidan Revolution had been orchestrated by the pro-Russia government in Ukraine, probably in close coordination with Russia, or at a minimum with its assent. In Crimea, it was different. The Russian army quickly seized control of the telephone network. Links to the outside were cut, and all calls were required to be routed through Russian mobile operators. The Ukrainian national satellite platform was commandeered.
Social media was flooded with pro-Russian information, and major changes were made in Wikipedia entries regarding Ukraine and Crimea. Internet filtering was put in place to cut off access to Ukrainian news sites. All local television stations were seized and then forced to transmit Russian channels, with no access to Ukrainian content.
Cyberattacks were used to disable and inhibit crucial communications systems including the communications networks of the Ukrainian military forces, as Russia was able to shut down the mobile phones of Ukrainian officials before its troops entered Crimea and the mobile communications of government officials throughout Crimea, as well as against organizations in other countries that were supporting Ukraine. These attacks against third parties outside of the region represented a more aggressive cyber operation and point to the notion that this cyberwar had become global in nature and was no longer confined within the borders of Ukraine. The technical skills used and the speed of these actions indicate a high degree of preparation.
Throughout the short military part of the annexation process, these actions were crucial in garnering support by the primarily Russian population. The use of alarming and false information was crucial. Citizens living in the Crimea were uniformly convinced that bands of Ukrainian neofascists were marching towards Crimea, on their way raping ethnic Russian women and burning down their houses.
In sum, there was a major difference between pro-Russian cyberwar actions during the Maidan Revolution and during the annexation of Crimea. In Maidan, cyber was used to disrupt society, limit access to communications, and support police enforcement actions. In Crimea, Russia worked not so much to harm the cyber infrastructure, but rather to completely seize control of it so that it could be used for pro-Russian purposes. These actions were not so much cyber operations but instead an operation against cyber and were consistent with Russia’s view of operations in “the information space.” In addition to the cyber operations targeting Crimea, Ukraine as a whole was soon suffering from a barrage of cyber-attacks conducted against the Ministry of Finance, State Treasury, State Pension Fund, State Executive Service, the Volya Internet Service Provider, the Defense Ministry, the national railway system, Ministry of Infrastructure, Sea Port Authority, and Stock Exchange. The most notable attack went after the electrical power grid. These attacks were intended to inhibit Ukrainian government response to the annexation and perform a type of diplomatic signaling.
The 2015 Attack on the Electrical Grid
In 2015, a cyberattack darkened the electrical power grid in Ukraine. Ukraine’s grid is more than 14,230 miles of High Voltage Lines and 135 Substations. In 2015, consumption of electricity was as high as 187 TWh.
The attack started with a Spear Phishing campaign, the sending of emails loaded with attachments that when opened would inject malware into the system. This compromised the workstations in three electricity distribution control centers. Once the hackers were inside, the next step was to harvest the access credentials (login and password information) from the local workstations. “Remote Access” is used when a worker wishes to connect with their workstation from the outside, such as when they are working from home. When the hackers used these credentials, the information system considered them as authorized users. The attackers then installed malware in the SCADA[xi] components, in effect lobotomizing the system. A “wiper” program then erased all of the data on each machine.
Corrupt firmware was uploaded and put on the Serial-to-Ethernet gateways in the substations. These are the gateways that take sensing information from equipment and put it on the Ethernet on its way to the operator workstations. Once this poison firmware was installed, the gateways would become useless. Incoming commands would be blocked. It would be impossible for anyone trying later to turn back on the electricity remotely to close the breakers. To “close” a breaker means to connect the circuit allowing electricity to flow. Because the uninterruptible power supply to the control center had been disabled, and the control center itself had no power, this rendered restoration of the system from a backup impossible. The only way to restore power was to send actual repair personnel to the substations to manually close the breakers.
Note should be made of the timing and duration of this cyberattack. It was an extended procedure. After getting access, the hackers did nothing to reveal their presence. Instead, they monitored operations for weeks, learning how the system was operated. Only after becoming thoroughly versed in all procedures did the hackers execute a highly coordinated attack on December 23, 2015, when seven 110 kV substations and twenty-three 35 kV substations associated with the electrical power plant servicing Ivano-Frankivsk[xii] were disconnected. The power in every substation was shut down.
As switches, lines, and transformers were being taken off-line, operators of Ukraine’s grid reported that their mouse cursors were “moving by themselves,” and mysteriously were launching programs to disconnect the power. The control center was flooded with an overwhelming robot-generated barrage of telephone calls seemingly from regional energy operators. The attack had enabled the attackers to disconnect electricity breakers and cut power in regions across Ukraine. They also had locked out the real control room operators from their own software. This cyber-attack left 225,000 Ukrainians without electrical power, although with much work it was possible to restore electricity over the next few days.
Based on circumstantial evidence, experts pointed the finger at the Sandworm group in Russia. It might have been easier for the hackers to have obtained the required training on a parallel testbed, since Ukraine uses primarily Russian equipment for its grid.[xiii]
It was altogether a professional and well-executed cyberattack meant to warn the Government of Ukraine. Cyber had inflicted a devastating but recoverable injury to the grid, rather than destroying it altogether. In a real conflict, one assumes the blackouts would have been much more extensive and longer-lasting. The Ukraine electrical grid attack was among the world’s first cyberattacks against critical infrastructure and used an electrical grid blackout to send a powerful diplomatic signal: “We can hurt you.”
The Hot War
During the hot war that began to intensify in 2022—first the occupation, then the Ukrainian push-back, and lastly the more violent response— Russia used a combination of cyber and then kinetic attacks against the computing and electrical infrastructure of Ukraine’s government-delivered services. Along with destruction of defensive installations, weapons caches, electrical power and telecommunications systems became targets of choice. Electricity is essential for refrigeration, banking, food delivery, lighting, telecommunications, supply of water, treatment of sewage, hospitals, and many other essential services crucial for the war effort. Telecommunications is the backbone of national coordination.
Russian efforts have not been completely successful. Ukrainians rely on apps such as Telegram, which are able to remain on the Internet and communicate with encrypted social media by using the U.S.-built Low Earth Orbit (LEO)[xiv] communications satellite constellation system Starlink. A statement from the Russian Defense Ministry threatened to shoot down the satellites, but Starlink relies on 3,500 moving satellites[xv] with at least ten over Ukraine at any one time, thus making targeting difficult and futile since any destroyed satellite can be replaced quickly by repositioning of another. As the violence has intensified, and the electrical grid remains damaged yet operational, bombing and other forms of kinetic destruction have replaced cyber as the weapon of choice for subjugation of Ukraine.
The Folly of Cyber
What does this disaster in Ukraine tell us about the efficacy of cyber? In the ongoing cyberwar between Ukraine and Russia, the latter has demonstrated some success. Apart from the temporary freezing of the electrical grid in 2015, information warfare, the use of propaganda, and cyberattacks on end-user devices to support police actions were useful in Ukraine during the Maidan Revolution and later the annexation of Crimea. Russia successfully conducted an effective “public diplomacy,” i.e., propaganda war, when it seized control over its former territory in the Crimea, and this was crucial for maintaining domestic public acceptance of the claimed but as yet unrecognized transfer of sovereignty. In addition, Russian attempts to penetrate Ukrainian government computing systems has not stopped the escalation of violence. Thorough monitoring of Ukrainian communications, including social media, has continued to provide intelligence, but for what benefit? The electrical system is damaged but functional.
Yet in spite of these successes, cyber has not killed a single soldier. It has not given Russia even a single meter of territory, nor has it prevented the Ukrainians from continuing doggedly to pursue the fight. Influencing a population through cyber-based information operations or disabling cybernetic infrastructure is ephemeral. Systems can be restored, and public opinion can be fickle. Ultimately, bombing of infrastructure is far simpler than sophisticated cyberattacks. In comparison to the attacks on the electrical grid in 2015, which required extensive preparation and weeks of monitoring even after penetration of the cybersecurity barriers, kinetic attacks are standardized, immediate, and longer-lasting in their effects. Accordingly, over time, Russian tactics changed from attempting to influence public opinion in Ukraine simply to the physical destruction anti-Russian forces.
The militaries of both the United States and Russia bought into the incendiary hype, promising a Revolution in Military Affairs—from massive investments building cyberwar technologies to specialized institutions to support them. In a hot war, these promised benefits have failed to materialize. The diplomatic signaling from the warning attacks launched against Ukraine’s power system and data processing centers did nothing to stop the rush to war. Cyber has produced little more than a lukewarm sideshow, at best incidental. Cyber is missing in action. The humanitarian disaster in Ukraine is not the result of cyber but of the ground war—the artillery, the bombing, the grinding up and destruction of soldiers and other human lives and critical infrastructure that will ultimately determine the outcome.
[i] The definitive analysis of strategic bombing was compiled at the order of U.S. President Truman in 1947 and given the name United States Strategic Bombing Survey (USSBS), https://www.loc.gov/rr/scitech/trs/trsbombingsurvey.html. There were more than 300 reports covering details of the strategic bombing of Germany. Strategic bombing had two objectives: to cripple the industrial infrastructure of a country to remove its means to wage war, and to weaken the morale of the population so as to cause dissension or a lessened willingness to fight. Although there was success in destruction of infrastructure, the conclusion was that strategic bombing does not weaken morale, but instead may strengthen it.
[ii] This was reported by David Makovsky, “The Silent Strike: How Israel bombed a Syrian nuclear installation and kept it secret,” The New Yorker, September 10, 2012, https://www.newyorker.com/ magazine/2012/09/17/the-silent-strike. It should be noted that the technical details of how this was done were never revealed. The term “scrambling” here refers to the broadcasting of information on the same radio frequencies as used by the target radar system so as to either over-load the system or otherwise make its output of information unintelligible or erroneous.
[iii] Iran was one of the original 62 signatories to the Non-Proliferation Treaty (NPT).
[iv] This carefully constructed malware containing four Zero-Day Exploits was discovered in June of 2010. A “Zero-Day” exploit is malware that is able to harness unknown vulnerabilities in computing systems. Since the vulnerability is unknown, there is no defense against it.
[v] Examples: “Should we be fighting this war?”, “Why are we placing short-range missiles in Europe when there is a danger of nuclear war?”, “Can we really trust what our government is saying?”; “Why is our government so corrupt?”, “If the majority of citizens do not support war, then why are we fighting one?” This issue was extensively studied in the United States Strategic Bombing Survey, conducted after the Second World War. See p. 96, ¶1.
[vi] This is consistent with the use of the Wagner Group as a Russian national defense formation during the war in Ukraine.
[vii] Attribution of these attacks is vague. Most were done utilizing the cyber infrastructure operated by the government in Ukraine, indicating they were directed by the Russia-allied government. The role of Russia in these attacks is not clear, but notably there was a close security relationship between the two governments.
[viii] A Distributed Denial-of-Service (DDoS) is implemented by having multiple servers issue to a website request for display of a webpage. As the number of requests per second increase, they eventually overwhelm the website, thus blocking it to others.
[ix] Location of the Sevastopol Naval facility: 44°36’28”N 33°31’48”E.
[x] Active measures (Russian: активные мероприятия) is political warfare and includes espionage, propaganda, sabotage, and assassination.
[xi] Supervisory control and data acquisition (SCADA) equipment integrates signals from all electromechanical systems in a power system, e.g., switches, sensors, temperature, etc. The hackers employed a variety of attacks. Backdoor access to the system was accomplished by installation of Remote Access Trojans (RATs). The KillDisk malware made it possible to overwrite most files upon command of the attacker, thus rendering the system un-bootable. Capturing the Virtual Private Network (VPN) credentials allowed the hackers to have remote access into control room systems without having to be inside the facility.
[xii] Location: 48°55’ 22”N 24°42’ 38”E.
[xiii] The nature of the cyberattack tells us something about the attackers. It is clear that detailed thought was given into not only turning off the power, but also on making it difficult for the operators to restore the system. In order to conduct this operation, the attackers would have had to know the restoration procedures, and perhaps have gamed out the attack at a test facility. The remote attacker posing as a legitimate operator would by necessity have been trained on operation of the system. They would need to know how to read the display and be fluent in issuing commands to control the grid.
[xiv] The United States supplies its own telecommunications network for military purposes. A low Earth orbit (LEO) is an orbit around Earth with a period of 128 minutes or less (making at least 11.25 orbits per day) and an eccentricity less than 0.25. Each satellite is approximately 2,000 km from the Earth. For comparison of different satellite systems, see EOS, “EOS Data Analytics,” https://eos.com/ blog/types-of-satellites/.
[xv] Starlink uses 10.7-12.7 GHz and 37.5-42.5 GHz for the transmission of data from satellites to the customer’s terminal on the ground. Separate frequencies are used for communication from satellites to ground-based gateways that connect to the Internet, from ground back up to the satellites, and two channels for telemetry.
 This is paraphrased from the statement by Carl Philipp Gottfried von Clausewitz (1780-1831), the Prussian military theorist who wrote Vom Kriege. He said that “War is diplomacy by other means.”
 Norman Davis, “An Information-Based Revolution in Military Affairs,” Strategic Review, Vol. 24, No. 1, Winter 1996, pp. 43-53, U.S. Strategic Institute. See also David Jablonsky, “US Military Doctrine and the Revolution in Military Affairs,” The US Army War College Quarterly: Parameters 1, no. (1994). These earlier works triggered the discussion of how information technology and telecommunications (“cyber”) was changing the nature of how wars can be fought. See also Stephen J. Blank, “Preparing for the Next War: Reflections on the Revolution in Military Affairs,” in In Athena’s Camp: Preparing for Conflict in the Information Age (Santa Monica: RAND Corporation, 1997).
 The annual budget for the National Security Agency was $65.7 billion per year in FY 2022, while the Biden Administration is asking for $26.2 billion in cyber funding for FY 2024. See “U.S. government provides cyber budget specifics,” The Washington Post, March 14, 2023, https://www.washingtonpost.com/politics/2023/03/14/us-government-provides-cyber-budget-specifics/.
 There also were extensive cyberattacks against Ukraine during the 2019 election. See Kenneth Geers, ed. “Cyber War in Perspective,” in Introduction to Cyber War in Perspective: Russian Aggression against Ukraine, NATO CCDCOE Publications, December 2015, https://ccdcoe.org/uploads/2018/10/CyberWarinPerspective_full_book.pdf. Regarding the leaked documents, see Nikolay Koval, “Revolution Hacking,” CCDCOE, 2015, https://ccdcoe.org/uploads/2018/10/Ch06_CyberWarinPerspective_Koval.pdf.
 See Edward M. Roche, “Cyber-Attacking Electric Power Grids: A New Strategic Weapon” in Peter Vincent Pry, Ed., Blackout Warfare: Attacking The U.S. Electric Power Grid: A Revolution in Military Affairs, (Washington, DC: EMP Task Force on National and Homeland Security, 2021), 41–73.
 See Michael Connell and Sarah Vogler, Russia’s Approach to Cyber Warfare (Arlington: Center for Naval Analysis, 2016).
 See Российская газета - Федеральный выпуск No 298(6570), Военная доктрина Российской Федерации, Дата подписания 25 декабря 2014 г., Опубликован 30 декабря 2014 г. The doctrine Part II §13(a) discusses [hostile] activities aimed at changing by force the constitutional system of the Russian Federation; destabilizing the domestic political and social situation; Part II §13(c) highlights subversive information activities against the population, especially young citizens of the State, aimed at undermining historical, spiritual and patriotic traditions related to the defense of the Motherland. Since this is a defense doctrine, it is intended to cope with hostile forces from outside Russia, but in practice could also come from within Russia, such as from a foreign-sponsored NGO. In the United States, many of these types of communications theoretically are covered by the First Amendment guaranteeing Freedom of Speech, and thus are left out of any official discussion in U.S. military doctrine.
 See Figure 1: “The VIO’s Possible Command Structure,” p. 10 of Gavin Wilde, “Cyber Operations in Ukraine: Russia’s Unmet Expectations,” CEIP Working Paper, 2022, https://carnegieendowment.org/ files/202212-Wilde_Russia-Hypotheses-v2.pdf.
 Credited by Greenberg with the Ukraine electrical grid attack. See Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (New York: Doubleday, 2019). It should be noted that attribution in cyber is notoriously difficult.
 See “Russian Cyber Units,” In Focus, Congressional Research Service, February 2, 2022. It should be noted that CRS writes of Unit 74455 as being distinct from “Sandworm,” though it is not clear how attribution was established for the attack on Ukraine.
 For a brief history of the development of cyber capabilities including the role of educational institutions, see Andrei Soldatov and Irina Borogan, “Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities,” Center for European Policy Analysis, September 8, 2022, https://cepa.org/comprehensivereports/russian-cyberwarfare-unpacking-the-kremlins-capabilities/.
 National Security Agency, “Mission & Combat Support,” https://www.nsa.gov/About/MissionCombat-Support/.
 U.S. Cyber Command, “Our Mission and Vision,” https://www.cybercom.mil/About/Mission-andVision/.
 See Cyber Command, “Achieve and Maintain Cyberspace Superiority Command Vision for US Cyber Command," 2018, https://nsarchive.gwu.edu/document/16477-united-states-cyber-command-achieve-and-maintain.
 For the espionage statutes, see 18 U.S. Code §798 - Disclosure of classified information. The Central Intelligence Agency also develops cyber offensive capabilities, but its work is secret. In 2017, some of its cyber espionage tools were leaked. See Benjamin C. Dean, “Vault 7: The CIA’s cyber capabilities escape from the lab,” Center for Democracy and Technology, March 9, 2017, https://cdt.org/insights/vault-7-thecias-cyber-capabilities-escape-from-the-lab/. In April 2017, a group called the Shadow Brokers leaked a number of NSA tools. These leaks confirm the role of the CIA and NSA in creating offensive cyber weapons. There is extensive coverage of the NSA leak in James Bamford, Spy Fail: Foreign Spies, Miles, Saboteurs, and the Collapse of America’s Counterintelligence (New York: Twelve, 2023), chapter 6, “The Man in the Mirror,” 41-50. See also Dan Goodin, “Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak,” ARS Technica, May 7, 2019, https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak/.
 U.S. Department of State, “About Us – Global Engagement Centre,” https://www.state.gov/about-us-global-engagement-center-2/.
 NED, “Homepage,” National Endowment for Democracy, https://www.ned.org/.
 See, for example, Krzysztof Izdebski, “The Digital Battlefield for Democratic Principles,” in The Digitalization Of Democracy: How Technology is Changing Government Accountability (Washington, D.C.: National Endowment for Democracy, 2023), https://www.ned.org/wp-content/uploads/2023/03/NED_ FORUM-The-Digitalization-of-Democracy-Essay-Collection-2.pdf.
 CISA, “Homepage,” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/.
 See Erran Carmel and Edward M. Roche, “The Dominant Cybersecurity Industry Clusters: Evolution and Sustainment,” Industry & Innovation, December 12, 2022, https://www.tandfonline.com/doi/full/10. 1080/13662716.2022.2145938.
 See Ladislav Bittman, The KGB and Soviet Disinformation: An Insider’s View (Washington, D.C.: Pergamon-Brassey’s, 1985. The book covers such actions as forgeries, black propaganda, front organizations, recruitment of agents, penetration of Western institutions, terrorism, assassinations, and aid to revolutionaries. See also Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (New York: Farrar, Straus and Giroux, 2020), which divides “active measures” into four historical phases. “Disinformation” is likely derived from the Russian word дезинформация.
 See “Cyber War in Perspective,” in Geers, ed., Introduction to Cyber War in Perspective; regarding the leaked documents, see Koval, “Revolution Hacking.”
 For further analysis see Rid, Active Measures, 348, ¶4. N.B.: Rid [note 26] characterizes the release of the intercepted phone conversation as “disinformation,” indicating that the term applies to true authentic information, not only to falsifications. According to Rid, disinformation is characterized by a leak of true information in which important falsifications are mixed in.
 Glib Pakharenko, “Cyber Operations at Maidan: A First-Hand Account” in Geers ed., Cyber War in Perspective.
 Pakharenko, “Cyber Operations at Maidan.”
 Cable of Ambassador William Burns to Secretary of State Condoleezza Rice (2008), quoted in Robert Wright, “Why Biden didn’t negotiate seriously with Putin,” Nonzero Newsletter, February 21, 2022, https://nonzero.substack.com/p/why-biden-didnt-negotiate-seriously?utm_source=url&s=r.
 See Vladimir Putin, Remarks at the 43rd Munich Security Conference, February 10, 2007.
 Vitaly Shevchenko, “Little green men” or “Russian invaders?” BBC News, March 11, 2014, https:// www.bbc.com/news/world-europe-26532154; and p. 7 of Christopher Paul and Miriam Matthews, “The Russian ‘Firehose of Falsehood’ Propaganda Model,” Perspective, RAND Corporation, 2016, https://www. rand.org/content/dam/rand/pubs/perspectives/PE100/PE198/RAND_PE198.pdf.
 See Annex 1, p. 34, of Elīna Lange-Ionatamišvili et al., “Analysis of Russia’s Information Campaign Against Ukraine,” NATO StratCom Centre of Excellence, 2015, https://stratcomcoe.org/cuploads/pfiles/ russian_information_campaign_public_12012016fin.pdf.
 Pakharenko, “Cyber Operations at Maidan.”
 Emilio J. Iasiello, “Russia’s Improved Information Operations: From Georgia to Crimea,” The US Army War College Quarterly: Parameters 47, no. 2 (Summer 2017): 54.
 Iasiello, “Russia’s Improved Information Operations,” 28.
 Hanna Kozlowska, “The Fascists are coming, the Fascists are coming!” Foreign Policy, June 2014, https://foreignpolicy.com/2014/06/02/the-fascists-are-coming-the-fascists-are-coming/; see also Iasiello, “Russia’s Improved Information Operations.”
 Timothy Thomas, “Russia’s 21st Century Information War: Working to Undermine and Destabilize Populations,” Defence Strategic Communications, NATO Strategic Communications Centre of Excellence 1, no. 1 (2015), 12.
 For a supplementary account, see Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.
 Data from Kyivoblenergo. This name is an abbreviation for “Kiev Region Energy Organization” (Kiev Oblast Energia Organizatsi).
 For attribution to Russia see Greenberg, Sandworm. See also Andy Greenberg, “ ‘Crash Override’: The Malware That Took Down a Power Grid,” Wired, June 12, 2017, https://www.wired.com/story/crashoverride-malware/ and CCDCOE, “Power grid cyberattack in Ukraine (2015),” https://cyberlaw.ccdcoe. org/wiki/Power_grid_cyberattack_in_Ukraine_(2015). The “Interactive Cyber Law: Interactive Toolkit,” https://ccdcoe.org/news/2019/interactive-cyber-law-toolkit-now-online/, posted on June 24, 2019, contains links to numerous documents regarding the electrical grid attack.
 For a review of Russian cyberattacks against Ukraine in 2022, see James A. Lewis, “Cyber War and Ukraine,” Center for Strategic and International Studies, June 2022, https://csis-websiteprod.s3.amazonaws.com/s3fs-public/publication/220616_Lewis_Cyber_War.pdf?VersionId=S.iEKeom79InugnYWlcZL4r3Ljuq.ash.
 Utility Dive, “After months of Russian attacks, Ukraine’s grid resumes electricity exports to EU. How did it survive?,” April 12, 2023, https://www.utilitydive.com/news/after-months-of-russian-attacks-ukraines-grid-resumes-electricity-exports/647359/.