NATO must ‘contingency campaign’ in cyberspace

In spring 2022, northwest of Kyiv, Major Dmytro Zaretsky was using WhatsApp while his soldiers watched YouTube. They were also in the middle of a crucial battle: Russia had invaded Ukraine, aiming to encircle Kyiv, decapitate the government, and seize control of the country. Russia had deployed tanks and elite air assault troops, jammed radars, and disrupted military communications, blinding Zaretsky’s troops. They watched videos, urgently learning to use new equipment, and called in artillery strikes on a Russian convoy with the Meta messaging app. Where cell phone reception remained, residents provided intelligence to target Russian forces. Russia failed to swiftly take Kyiv and abandoned the attempt after a month. Ukrainian cyber operations and activities before and during the invasion helped transform Russia’s expected ten-day victory into an enduring war of attrition. 

Ukraine’s behaviour exemplified contingency campaigning in cyberspace – a novel construct from our new manuscript Cyber Persistence and Campaigning: The Logic and Art of Securing Cyberspace. NATO is learning from Ukraine’s experiences but may repeat what one Ukrainian official described as their ‘big mistake’ – neglecting to create a cyber operational unit to proactively set and structure operational conditions that would place adversaries on the back foot before a clash of conventional forces.  

Contingency campaigning

‘Cyber contingency campaigning’ is an extension of the logic of ‘initiative persistence’ – the idea that cybersecurity depends on an actor operating persistently to set the conditions of cyberspace in their favour – described in our Cyber Persistence Theory: Rethinking National Security in Cyberspace.  The concept of initiative persistence has been applied to strategic competition in the 2017 Department of Defense Cyber Strategy and the US Cyber Command’s operational approach of ‘persistent engagement’. Now, we have extended that logic to militarised crises and armed conflict.

Cyber contingency campaigning refers to linked cyber operations and activities conducted below the use-of-force threshold that create a favourable operational environment to prevent a future contingency or prevail if one occurs. It entails setting favourable conditions for oneself, structuring unfavourable circumstances for an adversary, and managing potential third-party influences. Done well, contingency campaigning can affect the occurrence, timing, initial course, or outcome of a crisis or armed conflict.

Ukrainian campaigning

After Russia annexed Crimea in 2014, Ukraine took steps in anticipation of a future large-scale Russian attack to manage third-party influences and to set favourable conditions. Ukraine sustained these efforts during the war. Observers have lauded Ukrainian resilience in the opening weeks of the war. We contend this success was a product of Ukrainian contingency campaigning. 

Third-party influences are actors that can impact armed conflict without being direct participants. These include allies, non-aligned states, non-state actors, international institutions, and the private sector. In late 2021, Ukraine invited British and American cyber experts to help it prepare for a potential Russian cyberattack. A US Cyber Command in-country team hunted for Russian malware on Ukrainian networks from November 2021 to January 2022 and provided remote support thereafter. Their efforts helped derail many Russian cyber operations.

Two days after Russia disabled Viasat satellite internet services on 24 February 2022, Ukraine’s deputy prime minister urged Elon Musk to provide Starlink terminals. Ten hours later, Starlink service was available; by 1 March, the military was using it to operate command centres. 

Ukraine also urged Twitter, Meta, and YouTube to crack down on Russian disinformation. Google disabled some Google Maps features and numerous antivirus and information security providers departed Russia by mid-March, leaving Russian cybersecurity defences severely overextended.

One effort by Ukraine to set favourable conditions for a conflict with Russia stands out: ensuring a functioning telecommunications infrastructure. Before the war, consultations with Kyivstar, Vodafone, and Lifecell telecom providers set the stage. After the invasion, regulators coordinated with these service providers and Ukrtelecom to increase capacity, halt suspension of accounts without funds, and implement national internet roaming.

Despite Russian kinetic and electronic warfare, Ukraine’s government, military, and citizens could communicate. They used mobile messaging applications to pass targeting data to battle management and fire control platforms like Delta, GIS Arta, and Kropyva, which  were functional because Ukraine had secured Starlink service. Collectively, these activities had strategic impact. Ukraine overcame the massive ground force and artillery advantage Russia held when attacking Kyiv.

Operational successes in the battles for Kyiv 

A senior adviser to the Commander-in-Chief of the Armed Forces of Ukraine at the time of Russia’s invasion claimed ‘what killed them was our artillery.’ Russia made mistakes – including overly stringent operational security and a lack of reversionary courses of action – but, given their exceptional advantage, those errors cannot fully account for their failures. As Ukraine’s head of military intelligence explained, ‘On the first days … we used their foolish mistakes to our advantage.’ Ukraine’s continually functioning telecommunications infrastructure increased the lethality of their artillery forces. 

During those first days, Ukrainian troops north and northwest of Kyiv reportedly relied on WhatsApp and other encrypted messenger apps to communicate with artillery batteries. Around a strategic airport in Hostomel, Ukrainian paratroopers and assault forces used smartphone messages to direct artillery attacks against Russian positions. Northeast of Kyiv, the commander of the 72nd Mechanised Brigade’s 3rd battalion knew precisely when a Russian column was heading its way as villagers were sending updates by phone and to a chatbot created by Ukraine’s State Security Service. The Ukrainians defended their capital using every tool available.

On 25 March, Russia announced its initial aims had been completed – a positive spin on an unforeseen withdrawal, likely the result of Ukraine’s operational successes west and east of Kyiv. Moscow’s pre-war strategy had failed.

Lessons identified and not identified

Ukraine’s contingency campaigning changed the strategic course of war from a limited-aims invasion to an attrition war, even though Ukraine lacked the cyber capacity to create unfavourable circumstances for Russia. Had Ukraine possessed that capacity, might it have affected Russia’s decision to invade or enabled outright Russian defeat? 

If, for example, cyber actions against Russia’s Zapad 2021 military exercise had degraded its observed performance or organisational efficiency, Putin’s confidence in the success of a large-scale conventional operation might have been eroded and with it, the option to invade.  

Likewise, pre-war Russian intelligence had assessed that Ukraine would not put up much resistance to the invasion. Could cyber contingency campaigning have altered that assessment, and thus Putin’s decision to invade? Could the invasion have been comprehensively prevented?

One of us argued in 2023 that NATO should create a proactive cyber operational element in anticipation of increased Russian aggression against the alliance. No action has yet been taken, and a gaping hole remains in NATO’s ability to contingency campaign. NATO is repeating Ukraine’s ‘big mistake’ in the face of mounting Russian aggression in cyberspace (and beyond).

Ukraine’s experience provides NATO with valuable insights on how to seize the initiative in cyberspace against physical aggressors. To delay or defeat aggression and avoid an attrition conflict, the alliance should create a cyber capability and proactively employ it to structure unfavourable circumstances for Russia before it attacks, while sustaining favourable conditions in its own networks and managing key tech relations with critical third parties.