WASHINGTON — The role cyber plays in military campaigns needs reexamination after Russia’s failure to cripple computer networks during its invasion of Ukraine likely forced it to physically strike the country’s infrastructure instead, according to a senior Pentagon official.
Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, on Nov. 16 said the conflict in Eastern Europe is critically important for the U.S. Department of Defense to understand, noting that day-to-day fighting and devastation are outstripping the consequences of cyberattacks.
“When you think about cybersecurity as a risk-managed exercise, and one of the risks you are trying to manage in the context of that is armed conflict, you have to think very differently about what you are dealing with,” Eoyang said at the Aspen Cyber Summit in New York. “When you think about the cybersecurity of data centers, for example, it is not just about patching and closing those things. It is about the physical security of those data centers. It is about whether or not those data centers are within the range of Russian missiles.”
The number of assaults on Ukrainian networks and critical infrastructure has ballooned since Russia’s invasion in late February. The finance and commercial sectors as well as national and public authorities were among “the major targets for hackers,” according to the State Service of Special Communications and Information Protection of Ukraine. In recent months, electricity and energy resources have come under intense barrage by Russian missiles, leaving huge parts of Ukraine without power or heat as winter approaches.
Microsoft in April reported that cyberattacks were conducted in concert with real-world kinetic attacks, across land, sea and air. Together, the company said, the efforts sought to disrupt and degrade Ukrainian government and military functions and foment public distrust in the institutions.
“What you’re seeing is a cyber-capable adversary bring those capabilities to bear in the context of an armed conflict. And one of the things we’re seeing is the context of the armed conflict dwarfs the cyber impacts of that,” Eoyang said. “When you think about the physical destruction relative to the cyber disruption of what happens here, things the Russians tried to disrupt via cyber did not have the strategic impact that they wanted, and they sought to destroy those things physically.”
Russia, which has historically denied accusations of cyber aggression, is nevertheless blamed for using state-sponsored hacking to advance its political aims.
The U.S. has increasingly invested in cyber and broader security paradigms, such as zero trust, as it attempts to counter the ambitions of China and Russia, the Nos. 1 and 2 security threats, according to the National Defense Strategy. A Defense Department zero-trust strategy is expected to be made public any day now.
The department sought more than $11 billion for cyber in fiscal 2023, some $800 million more than the Biden administration’s previous request. Budget documents previously published by the White House describe cyber spending as a priority.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.