WASHINGTON — At the Aspen Security Forum this summer, a top Biden administration official said there are “any number of theories for what we saw and what, frankly, we didn’t see” regarding Russian employment of cyberattacks tied to its war against Ukraine.

“Some argue for the deterrence the U.S. has put in place,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said at the time, pointing to President Joe Biden’s meeting with Russian President Vladimir Putin following the Colonial Pipeline ransomware attack. “Some argue that it was the result of the extensive cybersecurity preparations Ukraine did, supported by allies and partners.”

“And,” she added, “some argue that we don’t quite know.”

Three months later, in late October, Gen. Paul Nakasone, the chief of both the National Security Agency and U.S. Cyber Command, proffered his own opinion, in harmony with Neuberger’s second point: Among the many moving parts and influences, overseas preparations made by the U.S. military helped blunt Russia’s effectiveness in the digital domain.

“First lesson learned? Presence matters. We learned that again,” Nakasone said Oct. 12 at a Council on Foreign Relations event. “While I would certainly not say that’s the key reason, I think it’s a contributing factor.”

Headed east

The U.S. dispatched a group of cyber experts to Ukraine at the end of 2021, amid rising international tensions and predictions of virtual destruction.

The so-called hunt-forward operation — a defensive and cooperative measure, undertaken at the invitation of a foreign government — was designed to root out malicious actors, identify network weaknesses and gain a better understanding of the tools hackers use.

“We sent a team on Dec. 2, led by a Marine Corps major, and her guidance was this: Go help them, and make sure they’re ready, in terms of anything that may occur,” Nakasone said. “She called back within the first two weeks and said, ‘Instead of coming home for the holidays, we’re going to be here for awhile.’”

Having the right people in the right room at the right time, the four-star general said, is invaluable. And “being able to understand the tradecraft of an adversary? Presence matters. Real presence matters.”

Hunt-forward endeavors are part of CYBERCOM’s persistent engagement strategy, a means of being in constant contact with adversaries and ensuring proactive, not reactive, moves are made. The command, tasked with guarding Department of Defense information networks and coordinating cyberspace operations, has conducted dozens of such missions across a range of countries in recent years.

Cyber specialists were previously sent to Croatia, Estonia, Lithuania, Montenegro and North Macedonia. While some deployments were tied to the 2018 midterm elections in the U.S., efforts in Lithuania, specifically, were connected to the Russian onslaught.

The work in Lithuania lasted three months, beginning before Russia invaded Ukraine in late February, and concluded in May. It was the first shared operation between Lithuania’s cyber forces and U.S. experts in the country. Lithuania’s vice minister of national defense, Margiris Abukevicius, in a statement at the time applauded the endeavor for generating a “wealth of intelligence and skills.”

In Croatia, U.S. personnel worked hand-in-glove with the Croatian Security and Intelligence Agency’s Cyber Security Centre experts. Together, they hunted on “networks of national significance,” according to CYBERCOM.

“Since 2018, we have done 37 operations, 20 nations, on 55 different networks,” Nakasone said in October. “This is an opportunity for us to help our partners. It’s also a way that we think about, ‘How do we secure the United States?’”

The Pentagon sought $11.2 billion for cyber in fiscal 2023, $800 million, or nearly 8%, over the Biden administration’s previous ask.

Months of anticipation

Nakasone in April told lawmakers the Russian war machine was leveraging “a range of cyber capabilities,” including “espionage, influence and attack units,” to buttress its invasion and shape worldwide sentiment.

His testimony, before the Senate Armed Services Committee, came on the heels of a warning from Biden that Russia may unleash cyberattacks on U.S. critical infrastructure, such as the energy and medical sectors, and private businesses.

But such large-scale, stateside attacks have yet to materialize, according to Rep. Jim Langevin, a Rhode Island Democrat and cofounder of the congressional cybersecurity caucus.

“What we haven’t seen is the massive cyberattacks that, perhaps, we had expected, or the blowback here against the United States that could have happened because of our involvement and support of Ukraine and the work we’ve done, that President Biden has done, to really rally the international community behind Ukraine,” Langevin said Oct. 19 during a Washington Post Live appearance.

Smaller attacks, like those that paralyze and vandalize websites, hamper command and control, or cripple internet access, have unfolded. Ukraine’s government has logged more than 1,100 cyberattacks since the onset of the war.

“Russia has significant cyber capabilities and could use them against us or our allies,” Langevin said. “We haven’t seen, as I said earlier, that level of cyber action or cyberattacks that we had expected. But we’re not out of the woods.”

CISA this year issued a rolling “Shields Up” notice, a cybersecurity bulletin that was quickly circulated throughout the defense industry, a prime target for hackers. CISA, NSA and the FBI earlier this year said they observed regular targeting of defense contractors from January 2020 through February 2022, with Russian state-sponsored hackers absconding with information that grants “significant insight” into weapons development, communications infrastructure and information technologies.

Moscow has historically denied such claims.

The Shields Up advisory instructed organizations to prepare for disruptions, intrusions and irregularities stemming from the Russia-Ukraine war. CISA further suggested Russia’s invasion of Ukraine could head west along virtual avenues.

“We are not at a place where we should be putting our shields down,” CISA Director Jen Easterly said Oct. 12, sharing the stage with Nakasone. “The environment is very difficult. The Russians are very unpredictable, their back is against the wall. We’ve seen these horrific kinetic attacks against civilian infrastructure, and we may be seeing a lot worse coming.”

A prolonged conflict may make Russia more cyber aggressive, according to Neal Higgins, the deputy national cyber director for national cybersecurity. The CyberPeace Institute, a Switzerland-based nongovernmental organization, has cataloged more than 50 discrete cyberattacks on critical infrastructure and civilian systems this year alone.

CISA and its Ukrainian analogue, the State Service of Special Communications and Information Protection, deepened its relationship this year, promising to exchange best practices, study critical infrastructure protection and establish joint cybersecurity projects and exercises.

“We need to ensure that we are prepared for threats, for incursions against our critical infrastructure, whether it’s state supported actors, criminally aligned ransomware groups, or even the cascading attacks, with attacks in Ukraine that could bleed over to Russia or could bleed over to the U.S., as we saw NotPetya in 2017,” Easterly said.

NotPetya malware incapacitated critical systems the world over, resulting in enormous financial loses. Russia was blamed for the devastation, which initially unfolded in Ukraine.

Colin Demarest was a reporter at C4ISRNET, where he covered military networks, cyber and IT. Colin had previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.

More In Cyber