The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations
Lennart Maschmeyer
For three decades, states have engaged in cyber conflict, yet the strategic utility of cyber operations remains unclear. Strategic utility refers to measurable contributions toward a state’s political goals or shifts in the balance of power.1 Similar to the 1920s–1940s air power debates, scholars have expected new technology to revolutionize conflict and provide independent utility.2 When warplanes first emerged, some experts predicted the end of conventional warfare because airplanes were able “to strike mortal blows to the heart of the enemy at lightning speed.”3 Similarly, when the World Wide Web gained popularity in the 1990s, some analysts predicted a future of cyberwar in which “neither mass nor mobility but information” would become decisive.4 Subsequent theorizing envisioned strategic cyber strikes similar to strategic aerial attacks, shaping fears of a “cyber Pearl Harbor.”5 There is, however, a key difference between the two.
Lennart Maschmeyer is a senior researcher at the Center for Security Studies at ETH Zürich.
The author thanks Ronald Deibert, Jesse Driscoll, Nadiya Kostyuk, Gabrielle Lim, Jon Lindsay, Louis Pauly, Irene Poetranto, Max Smeets, Lucan Way, the team at the Citizen Lab at the University of Toronto, the team at the Center for Security Studies at ETH Zürich (especially Alexander Bollfrass, Myriam Dunn Cavelty, Mauro Gilli, Enzo Nussio, and Andreas Wenger), as well as the anonymous reviewers for their helpful comments on earlier drafts of this article. He is also grateful to Lesia Bidochko, Daria Goriacheva, Oksana Grechko, and Mariya Green for research assistance. The author is also indebted to Olga Paschuk for her interpretation services in Ukraine. Finally, the author thanks Lisa Maschmeyer for designing figure 1. The online appendix for this article is available at doi.org/10.7910/DVN/IZ65MC.
1. Robert A. Pape, Bombing to Win: Air Power and Coercion in War (New York: Cornell University Press, 1996), p. 57.
2. See, for example, Winn Schwartau, Information Warfare: Cyberterrorism: Protecting Your Personal Security in the Electronic Age, 2nd ed. (New York: Thunder’s Mouth, 1996); Dima Adamsky and Kjell Inge Bjerga, “Introduction to the Information-Technology Revolution in Military Affairs,” Journal of Strategic Studies, Vol. 33, No. 4 (2010), pp. 463–468, doi.org/10.1080/01402390.2010.489700; Lucas Kello, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,” International Security, Vol. 38, No. 2 (Fall 2013), pp. 7–40, doi.org/10.1162/ISEC_a_00138; and Jacquelyn Schneider, “The Capability/Vulnerability Paradox and Military Revolutions: Implications for Computing, Cyber, and the Onset of War,” Journal of Strategic Studies, Vol. 42, No. 6 (2019), pp. 841–863, doi.org/10.1080/01402390.2019.1627209.
3. Giulio Douhet, The Command of the Air, trans. Dino Ferrari (Washington, D.C.: Office of Air Force History, 1983), p. 15.
4. John Arquilla and David Ronfeldt, “Cyberwar Is Coming!” Comparative Strategy, Vol. 12, No. 2 (1993), pp. 141–165, doi.org/10.1080/01495939308402915.
5. James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival, Vol. 53, No. 1 (2011), pp. 23–40, doi.org/10.1080/00396338.2011.555586; Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do about It (New York: HarperCollins, 2010); and James J. Wirtz, “The Cyber Pearl Harbor,” in Emily O. Goldman and John Arquilla, eds., Cyber Analogies (Monterey, Calif.: Naval Postgraduate School, 2014).
International Security, Vol. 46, No. 2 (Fall 2021), pp. 51–90, https://doi.org/10.1162/isec_a_00418
© 2021 by the President and Fellows of Harvard College and the Massachusetts Institute of Technology.
World War II demonstrated the terribly destructive capacity of aerial bombing, confirming its combat effectiveness (or the capacity to destroy target sets).6 Consequently, scholarly debate has primarily examined “whether the destruction of target sets attains political goals.”7 In contrast, “cyber wars” remain hypothetical, the combat effectiveness of cyber operations remains unproven, and scholars increasingly question their utility in warfare.8
Instead, a new “cyber revolutionary” school of thought asserts that information technology revolutionizes conflict short of war by increasing the effectiveness of nonmilitary instruments. Lucas Kello argues that “the virtual weapon is expanding the range of possible harm and outcomes between the concepts of war and peace,” creating a novel strategic state of “unpeace.”9 Despite its different focus, this new revolutionary thesis rests on remarkably similar assumptions about the operational effectiveness of cyber operations as the cyberwar theories that preceded it. Operational effectiveness concerns the capacity to produce desired effects against a target set. As I will show, cyberwar and cyber revolution scholars expect three key properties of information technologies to provide superior operational effectiveness: the speed of communication, the global scope and scale of computer networks, and the ease of online anonymity.10
Information technology has produced significant economic efficiencies, and revolutionary scholars expect comparable gains in effectiveness by employing the technology in conflict. A key instrument of utilizing information technology in security competition is cyber operations, which I define as the exploitation of vulnerabilities in information and communications technologies (ICTs) to produce desired outcomes against adversaries.11 Because the revolutionary thesis posits that information technology increases effectiveness, its adherents expect cyber operations to expand the independent strategic utility of instruments short of war. As Richard Harknett and Max
6. Pape, Bombing to Win, p. 56.
7. Ibid., p. 57. See also Phil Haun, “Foundation Bias: The Impact of the Air Corps Tactical School on United States Air Force Doctrine,” Journal of Military History, Vol. 85, No. 2 (April 2021), pp. 453–474.
8. Erik Gartzke, “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth,” International Security, Vol. 38, No. 2 (Fall 2013), pp. 41–73, doi.org/10.1162/ISEC_a_00136; Thomas Rid, Cyber War Will Not Take Place (New York: Oxford University Press, 2013); Brandon Valeriano and Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System (New York: Oxford University Press, 2015); Jon R. Lindsay, “Restrained by Design: The Political Economy of Cybersecurity,” Digital Policy, Regulation, and Governance, Vol. 19, No. 6 (2017), pp. 493–514, doi.org/10.1108/DPRG-05-2017-0023; and Erica D. Borghard and Shawn W. Lonergan, “Cyber Operations as Imperfect Tools of Escalation,” Strategic Studies Quarterly, Vol. 13, No. 3 (Fall 2019), pp. 122–145, https://www.jstor.org/stable/26760131.
9. Lucas Kello, The Virtual Weapon and International Order (New Haven, Conn.: Yale University Press, 2017), pp. 75–78.
10. I discuss these assumptions and their origins in detail in this article.
11. Exploitation enables both passive information collection and active effects. This study focuses on active effects (i.e., manipulation, disruption, or damage of targeted computer systems).
Smeets conclude, “cyber operations and campaigns can be pivotal in world affairs by independently . . . supporting the maintenance or alteration of the balance of power . . . without having to resort to military violence.”12 Just as cyberwars failed to manifest in practice, however, empirical evidence for this cyber revolution remains scarce. On the contrary, a growing body of research shows how cyber operations seem to fall short of their promise, both in warfare and conflict short of war.13
I argue that the reason for this shortfall lies at the operational level of conflict, whereby actors deploy combinations of tactics to attain strategic goals.14 Stephen Biddle has shown how operational mechanisms are crucial for determining the strategic utility of new technologies in conventional war, and I contend the same applies to cyber conflict.15 Prevailing expectations tend to focus on the strategic promise of new technology, but they overlook the operational mechanisms required to fulfil it. In this article, I show that the mismatch between promise and practice is the consequence of the subversive nature of cyber operations, whose operational trilemma limits strategic utility.
Cyber operations produce outcomes by exploiting vulnerabilities in computer systems and the way they are embedded in modern societies.16 This mechanism is commonly known as hacking.17 Hacking may appear to be a novel instrument, yet its primary reliance on exploitation reveals its parallels to subversion.18
Subversion is an understudied instrument of power used in nonmilitary covert operations. Consequently, the field of international relations lacks a theory
12. Richard J. Harknett and Max Smeets, “Cyber Campaigns and Strategic Outcomes,” Journal of Strategic Studies (2020), p. 24, doi.org/10.1080/01402390.2020.1732354.
13. Erica D. Borghard and Shawn W. Lonergan, “Cyber Operations as Imperfect Tools of Escalation,” Strategic Studies Quarterly, Vol. 13, No. 3 (Fall 2019), pp. 122–145, https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-13_Issue-3/Borghard.pdf; Jon R. Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies, Vol. 22, No. 3 (2013), pp. 365–404, doi.org/10.1080/09636412.2013.816122; Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (Vienna, Va.: Cyber Conflict Studies Association, 2013); and Rebecca Slayton, “What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment,” International Security, Vol. 41, No. 3 (Winter 2016/17), pp. 72–109, doi.org/10.1162/ISEC_a_00267.
14. Edward N. Luttwak, “The Operational Level of War,” International Security, Vol. 5, No. 3 (Winter 1980/81), p. 61, doi.org/10.2307/2538420.
15. Stephen Biddle, Military Power: Explaining Victory and Defeat in Modern Battle (Princeton, N.J.: Princeton University Press, 2010).
16. Jon Erickson, Hacking: The Art of Exploitation (San Francisco, Calif.: No Starch, 2003), pp. 115–116.
17. Franklin Kramer notes that “cyber attacks—hacking of various kinds—are a fact of modern life.” Kramer, “Cyberpower and National Security: Policy Recommendations for a Strategic Framework,” in Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, eds., Cyberpower and National Security (Washington, D.C.: Potomac, 2009), p. 15. See also Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, Mass.: Harvard University Press, 2020), p. 3; and David J. Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for Cyber-Power (Abingdon, UK: Routledge, 2011), pp. 26–31.
18. Buchanan, The Hacker and the State.
of subversion. Building on existing work in intelligence studies, this article develops such a theory and shows why cyber operations rely on subversion. It demonstrates that the defining characteristic of subversion is its reliance on the secret exploitation of vulnerabilities in a system of rules. Accordingly, I define subversion as exploiting vulnerabilities to secretly infiltrate a system of rules and practices in order to control, manipulate, and use the system to produce detrimental effects against an adversary. In traditional subversion, states target social systems. Typically, states have used undercover spies to infiltrate groups and institutions, establish influence within the latter, and then use this influence to produce desired outcomes against an adversary.19 Although cyber operations target a different kind of system, I show that the mechanism of exploitation has the same subversive characteristics.
Subversion’s reliance on exploitation distinguishes it from warfare and diplomacy, the two classic instruments of power in security competition. Subversion holds great strategic promise because of two key properties of exploitation: its secrecy and indirect reliance on adversary systems. Secrecy can be either covert (the identity of the actor is obscured) or clandestine (the activity itself is obscured).20 Existing research identifies two strategic benefits of secrecy: it lowers states’ escalation risks and reputation costs for intervening in the affairs of their adversaries.21 The indirect nature of exploitation also lowers resource costs compared to the use of force. It is indirect because subversive actors produce effects through exploited systems. Subversion leverages an adversary’s own capabilities against its own systems to produce effects. These effects range from influencing government policies and public opinion to degrading material capabilities through sabotage to undermining institutional efficiency and effectiveness.22 In short, subversion promises a less expensive and less risky alternative to warfare that states can use to actively interfere in
19. Paul W. Blackstock, The Strategy of Subversion: Manipulating the Politics of Other Nations (Chicago: Quadrangle, 1964); and Lawrence W. Beilenson, Power through Subversion (Washington, D.C.: Public Affairs, 1972).
20. Michael E. DeVine, Covert Action and Clandestine Activities of the Intelligence Community: Selected Definitions in Brief (Washington, D.C.: Congressional Research Service, June 14, 2019).
21. Austin Carson, Secret Wars: Covert Conflict in International Politics (Princeton, N.J.: Princeton University Press, 2018); and Michael Poznansky, “Feigning Compliance: Covert Action and International Law,” International Studies Quarterly, Vol. 63, No. 1 (March 2019), pp. 72–84, doi.org/10.1093/isq/sqy054.
22. Howard L. Douthit III, “The Use and Effectiveness of Sabotage as a Means of Unconventional Warfare: An Historical Perspective from World War I through Vietnam,” master’s thesis, Air Force Institute of Technology, January 21, 1988, https://apps.dtic.mil/sti/pdfs/ADA188034.pdf; Beilenson, Power through Subversion, p. 80; Eckard Michels, Guillaume, der Spion: Eine deutsch-deutsche Karriere [Guillaume, the spy: A German career] (Berlin: Links Christoph Verlag, 2013); and Christopher Andrew and Vasili Mitrokhin, The Sword and the Shield: The Mitrokhin Archive and the Secret History of the KGB (New York: Basic Books, 1999), pp. 364, 473.
their adversaries’ affairs and attempt to shift the balance of power when diplomacy falls short. Cyber operations share this promise. Because various social, political, and physical processes are increasingly computerized, subverting these computer systems can produce a range of physical, political, and economic effects. Cyber revolutionary theory accordingly expects cyber operations to offer a low-risk and low-cost, yet highly effective, instrument for conducting sabotage, political interference, and economic disruption.
Yet, I identify an operational trilemma that tends to prevent subversion from fulfilling this promise, and this article shows why cyber operations also face this trilemma. The same characteristics that enable the promise of subversion (i.e., its secret and indirect nature) require significant efforts to establish and maintain. These efforts constrain operational effectiveness across three key variables. First, they slow operational speed, defined as the time required from starting an operation until it produces effects. Second, they constrain the intensity of effects, determined by both scope and scale. Scope concerns the severity of effects against individual targets, and scale comprises the number of targets affected and thus the scale of societal impact.23 Third, efforts to maintain secrecy and exploit systems limit control, defined as the extent of control over a targeted system, and over the effects produced through this system.
These constraints pose a trilemma for actors because the three variables (i.e., speed, intensity of effects, and control) are negatively correlated—a gain in one variable tends to produce losses across the other two variables. For example, the higher the operational speed, the less intensity and control actors tend to achieve. As mentioned, the revolutionary thesis expects information technology to enable high-speed cyber operations with large-scale effects under a mantle of secrecy. In practice, however, the trilemma prevents actors from achieving these properties all at once. Consequently, in most circumstances cyber operations fall short of their strategic promise and provide, at best, limited strategic utility.
I test this theory through an in-depth case study of the ongoing Russo-Ukrainian conflict. This protracted conflict started in 2013, and it includes five major disruptive cyber operations that attempted election interference, sabotage, and economic dislocation. As a paradigmatic example of cyber-enabled low-intensity conflict involving one of the world’s leading cyber powers, Russia, against a much weaker adversary, one would most expect to observe the utility of cyber operations. With its long duration and multiple cyber operations in a real-world “test lab” of cyber conflict, the constraints of the
23. This definition builds on Herman Kahn’s definition of conflict intensity. Kahn, On Escalation: Metaphors and Scenarios (Westport, Conn.: Greenwood, 1986 [1965]).
trilemma are least likely to apply.24 Consequently, the Russo-Ukrainian conflict is a crucial case.25 I introduce and use a systematic framework to measure operational effectiveness across the variables of speed, intensity, and control, and I triangulate strategic utility. The case study leverages rich original data from field interviews with experts in Ukraine, leaked Russian documents and emails, and forensic reports. Evidence from these sources supports my theory that the subversive trilemma constrains operational effectiveness and limits strategic utility.
This article makes three main contributions. First, it furthers the current debate in cybersecurity between cyber revolutionaries and an emerging rival thesis of “cyber evolution,” whose proponents point out the general strategic continuity between cyber conflict and intelligence contests.26 The theory of the subversive trilemma clarifies what types of intelligence operations cyber operations reproduce, and how operational constraints limit their strategic utility. Second, the theory contributes to security studies by clarifying the strategic role of cyber operations as instruments of subversion that promise an effective alternative to force yet offer limited utility in practice. The theory of subversion also contributes to international relations, which has neglected the topic. Third, the article adds rich empirical evidence on the mechanisms, constraints, and utility of cyber operations that will be useful for both cybersecurity and international security scholars.
The argument proceeds as follows. First, I outline how expectations about the strategic utility of cyber operations have evolved. Second, I develop the theory of subversion from which I derive a set of expectations and hypotheses. This section also specifies the research design and empirical strategy. Third, I present the case study, which examines the operational effectiveness and strategic utility of cyber operations in the Russo-Ukrainian conflict. I conclude with a discussion of alternate explanations and potential limitations of the study before laying out the implications for international security.
24. Andy Greenberg, “How an Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired, June 20, 2017, https://www.wired.com/story/russian-hackers-attack-ukraine/.
25. A “crucial case” is one “in which a theory that passes empirical testing is strongly supported and one that fails is strongly impugned.” Alexander L. George and Andrew Bennett, Case Studies and Theory Development in the Social Sciences (Cambridge: MIT Press, 2005), p. 9.
26. Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace,” Security Studies, Vol. 24, No. 2 (2015), pp. 316–348, doi.org/10.1080/09636412.2015.1038188; Aaron Franklin Brantly, The Decision to Attack: Military and Intelligence Cyber Decision-Making (Athens: University of Georgia Press, 2016), pp. 43–62, http://muse.jhu.edu/book/45365; and Joshua Rovner, “Cyber War as an Intelligence Contest,” War on the Rocks blog, September 16, 2019, https://warontherocks.com/2019/09/cyber-war-as-an-intelligence-contest/.
Existing Literature on the Strategic Utility of Cyber Operations
Cybersecurity scholars’ expectations concerning the strategic utility of cyber operations have shifted from warfare to conflict short of war. Initial research expected cyber operations to provide independent utility in warfare, enabling strategic cyber strikes and offering an offensive advantage.27 Such cyberwar theorizing rested on three assumptions about the effectiveness of cyber operations: information technology enabled unrivaled operational speed compared to conventional warfare,28 while the Internet’s design facilitates anonymity29 and its global scale allows actors to disrupt or damage targets at massive scale.30 Accordingly, other scholars assumed that the same three properties also offered strategic utility as complements to the use of force.31 But scenarios of cyberwar and escalation did not manifest in practice. Instead, the intensity of cyber conflict has remained below the threshold of war.32
Cyber revolution theory proposes, accordingly, that cyber operations offer
27. Arquilla and Ronfeldt, “Cyberwar Is Coming!”; Kramer, “Cyberpower and National Security”; Clarke and Knake, Cyber War; William J. Lynn III, “Defending a New Domain,” Foreign Affairs, September/October 2010, https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain; Joseph S. Nye Jr., “Nuclear Lessons for Cyber Security?” Strategic Studies Quarterly, Vol. 5, No. 4 (Winter 2011), pp. 18–38, https://www.jstor.org/stable/26270536; and Wirtz, “The Cyber Pearl Harbor.”
28. Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” in Kramer, Starr, and Wentz, eds., Cyberpower and National Security, p. 28; Nye, “Nuclear Lessons for Cyber Security?” p. 18; Lynn, “Defending a New Domain”; James C. Mulvenon and Gregory J. Rattray, eds., Addressing Cyber Instability (Vienna, Va.: Cyber Conflict Studies Association, August 2012), p. 23; Jacquelyn Schneider, “Cyber and Crisis Escalation: Insights from Wargaming,” United States Naval War College, 2017, p. 1, https://paxsims.files.wordpress.com/2017/01/paper-cyber-and-crisis-escalation-insights-from-wargaming-schneider.pdf; and Clarke and Knake, Cyber War, p. 34.
29. Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica, Calif.: RAND, 2009), p. 43; Gregory J. Rattray, “An Environmental Approach to Understanding Cyberpower,” in Kramer, Starr, and Wentz, eds., Cyberpower and National Security, p. 272; Lynn, “Defending a New Domain”; Joseph S. Nye Jr., Cyber Power (Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School, May 2010), p. 6, https://www.belfercenter.org/sites/default/files/legacy/files/cyber-power.pdf; Chris C. Demchak and Peter Dombrowski, “Rise of a Cybered Westphalian Age,” Strategic Studies Quarterly, Vol. 5, No. 1 (Spring 2011), pp. 32–61, https://www.jstor.org/stable/26270509; and Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,” p. 35.
30. Rattray, “An Environmental Approach to Understanding Cyberpower,” pp. 266–268; Lynn, “Defending a New Domain,” p. 1; Nye, “Nuclear Lessons for Cyber Security?” p. 21; and Peter Dombrowski and Chris C. Demchak, “Cyber War, Cybered Conflict, and the Maritime Domain,” Naval War College Review, Vol. 67, No. 2 (Spring 2014), p. 73, https://www.jstor.org/stable/26397758.
31. Libicki, Cyberdeterrence and Cyberwar, p. 139; Max Smeets, “The Strategic Promise of Offensive Cyber Operations,” Strategic Studies Quarterly, Vol. 12, No. 3 (Fall 2018), pp. 90–113, https://www.jstor.org/stable/26481911; and Jon R. Lindsay and Erik Gartzke, “Coercion through Cyberspace: The Stability-Instability Paradox Revisited,” in Kelly M. Greenhill and Peter Krause, eds., Coercion: The Power to Hurt in International Politics (New York: Oxford University Press, 2018).
32. Valeriano and Maness, Cyber War versus Cyber Realities.
states a newly effective instrument in competition short of war, revolutionizing the way states compete.33 Although they consider different types of conflict, revolutionary scholars and cyberwar theorists base their arguments on remarkably similar assumptions. Cyber revolution scholars emphasize how information technologies increase the speed,34 scale,35 and relative ease of anonymity36 of instruments short of war, enhancing their effectiveness and elevating their strategic utility. In particular, Michael Fischerkeller and Richard Harknett suggest that technological change has expanded the scope and scale of intelligence operations to such an extent that it constitutes a “difference in kind” in strategic utility,37 while Michael Warner suggests that information technology may have “fixed covert action’s problem of scale.”38 Ben Buchanan goes as far as proclaiming the advent of a “new form of statecraft,” whereby “one of the primary ways governments shape geopolitics is by hacking other countries.”39 The underlying assumptions about the strategic promise of information technology continue to be widely shared yet rarely tested empirically. Moreover, the scarce empirical work on key cases indicates the limited effectiveness and utility of cyber operations.40
A rival set of scholars argues that cyber operations are merely an evolution of covert operations.41 While this perspective specifies the larger strategic space (i.e., intelligence contests), it still lacks a theory about the operational mechanisms and strategic utility of cyber operations. Intelligence operations encompass a broad range of activities, from passive information collection to active interference,42 and cyber operations cannot likely reproduce all of them equally well. As Loch Johnson has shown, covert operations have been de-
33. Kello, The Virtual Weapon and International Order; Michael Warner, “A Matter of Trust: Covert Action Reconsidered,” Studies in Intelligence, Vol. 63, No. 4 (December 2019), pp. 33–41, https://www.cia.gov/static/d61827122b5a1b8023e0f11678c2edce/Covert-Action-Reconsidered.pdf; Buchanan, The Hacker and the State; Harknett and Smeets, “Cyber Campaigns and Strategic Outcomes”; and Michael P. Fischerkeller and Richard J. Harknett, Cyber Persistence Theory, Intelligence Contests, and Strategic Competition (Alexandria, Va.: Institute for Defense Analyses, June 2020), https://apps.dtic.mil/sti/pdfs/AD1118679.pdf.
34. Kello, The Virtual Weapon and International Order, p. 2; and Harknett and Smeets, “Cyber Campaigns and Strategic Outcomes,” p. 9.
35. Warner, “A Matter of Trust,” p. 38; and Buchanan, The Hacker and the State, p. 290.
36. Buchanan, The Hacker and the State, p. 1; Kello, The Virtual Weapon and International Order, p. 154; and Harknett and Smeets, “Cyber Campaigns and Strategic Outcomes,” p. 24.
37. Fischerkeller and Harknett, Cyber Persistence Theory, Intelligence Contests, and Strategic Competition, p. 10.
38. Warner, “A Matter of Trust,” p. 38.
39. Buchanan, The Hacker and the State, p. 7.
40. Lindsay, “Stuxnet and the Limits of Cyber Warfare”; and Slayton, “What Is the Cyber Offense-Defense Balance?”
41. Gartzke and Lindsay, “Weaving Tangled Webs”; Rovner, “Cyber War as an Intelligence Contest”; and Brantly, The Decision to Attack.
42. Michael Warner, “Wanted: A Definition of ‘Intelligence’,” Studies in Intelligence, Vol. 46,
ployed to produce a wide range of effects, from influencing public opinion to sabotage to full-blown secret wars.43 Importantly, evolution theory does not clarify which of these effects cyber operations can and cannot produce, and thus their strategic utility remains unclear. Current scholarship on covert operations focuses primarily on military operations.44 Yet, the premise of the current shift in scholarly attention toward conflict short of war is the emerging consensus that cyber operations are relatively ineffective and irrelevant in warfare.45 Hence, cyber operations are not likely to be useful substitutes for military covert operations. Rather, as the next section shows, cyber operations are nonmilitary instruments of subversion.
Why Cyber Operations Are Subversive
In this section, I develop the theory of subversion. I show how both subversion and cyber operations rely on secret exploitation and face an operational trilemma that limits their strategic promise. There is no general theory about subversion, and the scholarly work on the topic is scarce. Existing studies either tie their definition of subversion to a specific goal, the overthrow of governments from within,46 or they examine its use in specific contexts, such as using nonstate proxies to undermine state authority47 or great power competition.48 But Cold War scholar Paul Blackstock identified a common operational mechanism used in subversive operations regardless of specific goals or context that offers a foundation for a general theory: the secret exploitation of political or social vulnerabilities.49 While Cold War subversion primarily targeted entire political systems, any system of rules and practices is potentially vulner-
No. 3 (2002), https://www.cia.gov/resources/csi/studies-in-intelligence/volume-46-no-3/wanted-a-definition-of-intelligence/.
43. Loch K. Johnson, “On Drawing a Bright Line for Covert Operations,” American Journal of International Law, Vol. 86, No. 2 (April 1992), pp. 284–309, doi.org/10.2307/2203235.
44. Austin Carson, “Facing Off and Saving Face: Covert Intervention and Escalation Management in the Korean War,” International Organization, Vol. 70, No. 1 (Winter 2016), pp. 103–131, doi.org/10.1017/S0020818315000284; Poznansky, “Feigning Compliance”; and Rory Cormac and Richard J. Aldrich, “Grey Is the New Black: Covert Action and Implausible Deniability,” International Affairs, Vol. 94, No. 3 (May 2018), pp. 477–494, doi.org/10.1093/ia/iiy067.
45. Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies, Vol. 35, No. 1 (2012), pp. 5–32, doi.org/10.1080/01402390.2011.608939; Gartzke, “The Myth of Cyberwar”; and Borghard and Lonergan, “Cyber Operations as Imperfect Tools of Escalation.”
46. Beilenson, Power through Subversion, p. v; and Frank Kitson, Low Intensity Operations: Subversion, Insurgency, and Peacekeeping (London: Faber and Faber, 1971), p. 3.
47. Melissa M. Lee, Crippling Leviathan: How Foreign Subversion Weakens the State (Ithaca, N.Y.: Cornell University Press, 2020).
48. William C. Wohlforth, “Realism and Great Power Subversion,” International Relations, Vol. 34, No. 4 (December 2020), pp. 459–481, doi.org/10.1177/0047117820968858.
49. Blackstock, The Strategy of Subversion, p. 50.
l
D
o
w
N
o
UN
D
e
D
F
R
o
M
H
T
T
P
:
/
/
D
io
R
e
C
T
.
M
io
T
.
e
D
tu
/
io
S
e
C
/
UN
R
T
io
C
e
–
P
D
l
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
io
S
e
C
_
UN
_
0
0
4
1
8
P
D
.
F
B
sì
G
tu
e
S
T
T
o
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3
International Security 46:2 60
able to subversion because it contains ºaws that allow subversive actors to
inªltrate and manipulate the system in unexpected ways. The main system of
rules targeted by traditional subversion are institutions, and recent research
has examined the use of subversion against institutions of all kinds.50 If exploi-
tation is successful, subversive actors can use the targeted systems to produce
detrimental effects against an adversary, without revealing either their identity
or the subversive activity itself.51 Subversion is thus covert and clandestine.
Per esempio, a spy might become an employee at an industrial facility and
gain access to machinery that they manipulate to damage the facility and pos-
sibly surrounding areas, but they hide the subversion by making it look like
an accident.
Cyber operations rely on the same mechanism of secret exploitation, Ma
they target computer systems rather than political systems. Exploitation is pos-
sible because the behavior of computer systems is determined by different lay-
ers of code, consisting of logical rules and instructions.52 Hacking, the central
instrument used in cyber operations as commonly deªned, involves secretly
exploiting ºaws in these rules to make computer systems behave in unin-
tended ways.53 In practice, hackers establish undetected and unauthorized
access and control over an adversary’s computer systems, which they manipu-
late to produce detrimental effects against the adversary. Per esempio, hackers
might target computer systems that control physical machinery and manipu-
late their operation in a way that damages or destroys the machinery. IL 2010
Stuxnet operation that sabotaged Iranian nuclear enrichment centrifuges with
a computer virus offers a key example.54 In addition to targeting technical vul-
nerabilities in computer systems, hackers also use “social engineering” to ex-
ploit pathologies in human behavior to get people to unwittingly provide
access to systems.55 Phishing emails are a classic example.56 Cyber operations
thus share the core characteristics of subversion, namely the reliance on secret exploitation and the indirect use of adversary systems to produce effects. Accordingly, cyber operations are an instrument of subversion—and technical experts routinely refer to hacking as subversion.57

The secret and indirect nature of exploitation distinguishes subversion from the two classic instruments of power in world politics: warfare and diplomacy (see table 1). In the words of Carl von Clausewitz, war is “the use of physical force to compel an enemy to one’s will.”58 It shifts the balance of power by destroying adversaries’ material capabilities. Warfare typically involves direct interaction, but states can also covertly pursue “secret wars.”59 In contrast, diplomacy relies on direct and overt forms of communication to exert influence through reasoned discourse, bargaining, or signaling.60 Diplomacy shifts the balance of power through alliances and international law.61

Table 1. Key Instruments of Power in International Relations

                    Warfare          Diplomacy                 Subversion
Relation            direct           direct                    indirect
Interaction Mode    overt/covert     overt                     covert/clandestine
Mechanism           force            persuasion/bargaining     exploitation

Strategically, subversion promises a way for states to intervene in adversary affairs when diplomacy fails to produce results, and yet at lower risks and costs than going to war. The secret and indirect nature of exploitation enables this promise. As discussed, secrecy reduces escalation risks and lowers reputational costs. The indirect nature of exploitation adds a third benefit:

50. Jan Olsson, “Subversive Action,” in Subversion in Institutional Change and Stability: A Neglected Mechanism (London: Palgrave Macmillan, 2016), pp. 39–61, doi.org/10.1057/978-1-349-94922-9_3; and James Mahoney and Kathleen Thelen, eds., Explaining Institutional Change: Ambiguity, Agency, and Power (Cambridge: Cambridge University Press, 2010).
51. Blackstock, The Strategy of Subversion, p. 68.
52. Thomas Dullien, “Weird Machines, Exploitability, and Provable Unexploitability,” IEEE Transactions on Emerging Topics in Computing, Vol. 8, No. 2 (April–June 2020), pp. 391–403, doi.org/10.1109/TETC.2017.2785299.
53. Erickson, Hacking, p. 115.
54. Ralph Langner, To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve (Arlington, Va.: Langner Group, November 2013), http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf.
55. Pekka Tetri and Jukka Vuorinen, “Dissecting Social Engineering,” Behaviour & Information Technology, Vol. 32, No. 10 (2013), pp. 1014–1023, doi.org/10.1080/0144929X.2013.763860.
56. Prashanth Rajivan and Cleotilde Gonzalez, “Creative Persuasion: A Study on Adversarial Behaviors and Strategies in Phishing Attacks,” Frontiers in Psychology, February 21, 2018, doi.org/10.3389/fpsyg.2018.00135.
lower resource costs, since effects are produced through adversary systems rather than one’s own material capabilities. Subversion can provide independent strategic utility by undermining, manipulating, or disrupting the institutions that modern societies depend on, weakening adversaries or influencing their foreign policy. Cyber subversion holds the same promise, as revolutionary scholars emphasize.

the subversive trilemma

In practice, subversion tends to fall short of its promise. Blackstock noted in 1964 that scholars and policymakers have “greatly overestimated” the effectiveness and utility of subversion,62 and more recent quantitative studies document the high failure rate of subversive operations.63 The reason for this failure, I argue, is a subversive trilemma that constrains effectiveness and limits strategic utility. As this section shows, cyber subversion faces the same trilemma.

The indirect and secret nature of exploitation that enables the strategic promise of subversion requires significant efforts to establish and maintain. Generally, secrecy in covert operations requires extra “time, skills, and money.”64 Subversion requires further efforts because it depends on secrecy to succeed. Whereas secret warfare operates on a spectrum of secrecy and can continue even when the cover has been blown,65 discovery of a subversive operation typically means failure. I argue that this constraint applies to cyber subversion as well. In traditional subversion, the victim can arrest the spy involved;66 in cyber subversion, victims can delete computer viruses and “patch” vulnerabilities.67

To fulfil the promise of secret exploitation, I find that actors must meet four distinct challenges that constrain operational effectiveness. They must identify suitable vulnerabilities in a system designed by others, exploit them without being detected, establish access and control over the system without detection, and maintain control to produce effects through this system that achieve their desired outcomes. As detailed below, these four challenges constrain operational effectiveness across three variables: operational speed, intensity of effects, and control.

First, speed is limited because identifying vulnerabilities and developing means of exploitation requires reconnaissance and learning how target systems function. Both processes take time. Spies have had to learn new languages or skills to infiltrate institutions.68 Hackers similarly study how complex computer systems function and write code to exploit them, which can take months.69 Moreover, cyber subversion may require more time than traditional subversion because hackers cannot use force to override logic in programming code if their means of exploitation fails.70 In contrast, spies can use limited force to gain access, such as by blackmailing individuals or forcing open a door.

Second, the need to establish access to target systems without detection limits the intensity of effects. Generally, only effect types for which suitable target systems exist are possible. If there are no vulnerable institutions that control physical machinery within a targeted state, traditional subversion cannot produce physical effects. This constraint applies to cyber subversion as well, whereby only those social and physical processes controlled by computers are within reach. Even for vulnerable targets, the scope and scale of effects that actors can produce through a target system depend on the scope and scale of their access to the system. Expanding the scope and scale of access increases discovery risks, however, thus limiting the maximum intensity that can be achieved without discovery. In traditional subversion, for example, Lindsey O’Rourke identifies a resulting dilemma between the scale of an operation and the need for secrecy.71 I expect the same to apply to cyber subversion. Undoubtedly, cyber operations facilitate a greater scale of effects compared to traditional subversion because computer viruses can multiply and spread automatically.72 This capacity does not negate the dilemma between secrecy and scale, however; the more systems that are affected, the more likely one of the affected victims will discover the compromise. Moreover, automated proliferation may spread beyond its intended targets. Accordingly, the infamous Stuxnet malware was discovered by a Belarusian antivirus firm because it

57. See, for example, Philip A. Myers, “Subversion: The Neglected Aspect of Computer Security,” master’s thesis, Naval Postgraduate School, 1980, https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/myer80.pdf; and Susan Young and Dave Aitel, The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks (Boca Raton, Fla.: CRC, 2004), pp. 15–29.
58. Carl von Clausewitz, On War, abr., ed. Beatrice Heuser, trans. Michael Howard and Peter Paret (Oxford: Oxford University Press, 2006), p. 13.
59. Carson, Secret Wars.
60. Hedley Bull, The Anarchical Society: A Study of Order in World Politics (New York: Columbia University Press, 1977), p. 163; Thomas Risse, “‘Let’s Argue!’: Communicative Action in World Politics,” International Organization, Vol. 54, No. 1 (Winter 2000), pp. 1–39, https://www.jstor.org/stable/2601316; Thomas C. Schelling, Arms and Influence (New Haven, Conn.: Yale University Press, 2008); and Barbara Koremenos, Charles Lipson, and Duncan Snidal, “The Rational Design of International Institutions,” International Organization, Vol. 55, No. 4 (Autumn 2001), pp. 761–799, https://www.jstor.org/stable/3078615.
61. Henry Kissinger, Diplomacy (New York: Simon and Schuster, 1995), pp. 17–29.
62. Blackstock, The Strategy of Subversion, p. 304.
63. Lindsey A. O’Rourke, Covert Regime Change: America’s Secret Cold War (Ithaca, N.Y.: Cornell University Press, 2018); and Sarah-Jane Corke, US Covert Operations and Cold War Strategy: Truman, Secret Warfare, and the CIA, 1945–53 (New York: Routledge, 2008).
64. Mark M. Lowenthal, Intelligence: From Secrets to Policy, 4th ed. (Washington, D.C.: CQ, 2009), p. 177.
65. Cormac and Aldrich, “Grey Is the New Black.”
66. Beilenson, Power through Subversion, p. 63.
67. Erickson, Hacking, p. 320.
68. Christopher Andrew and Vasili Mitrokhin, The Mitrokhin Archive: The KGB in Europe and the West (London: Allen Lane, 1999), pp. 192–193, 220.
69. Lillian Ablon and Andy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (Santa Monica, Calif.: RAND, 2017), https://www.rand.org/pubs/research_reports/RR1751.html.
70. Libicki, Cyberdeterrence and Cyberwar, p. 16.
71. O’Rourke, Covert Regime Change, p. 8.
72. Jürgen Kraus, “On Self-Reproducing Computer Programs,” trans. and ed. Daniel Bilar and Eric Filiol, Journal in Computer Virology, Vol. 5 (February 2009), pp. 9–87, doi.org/10.1007/s11416-008-0115-z.
spread, apparently accidentally, far beyond the targeted nuclear enrichment plant in Natanz.73

Third, the need to avoid discovery and the indirect production of effects via manipulation of a target system limit control, both over the system itself and over the effects produced through it. A subversive actor’s control over a target system is never absolute because, as discussed, upon discovery the victim can neutralize it. Even if it remains undiscovered, however, subversive actors can only establish control over those parts of the system with which they have become familiar. A spy may be unable to gain access to a targeted organization or may lack the language skills required for infiltration.74 Likewise, hackers may be unfamiliar with certain computer systems and find no way to access them. Most importantly, subversive actors do not have full control over effects for two reasons. First, they may lose control over the subversive agent. Pressure from undercover work may prompt spies to behave erratically or defect.75 Although they don’t have feelings, computer viruses used in cyber subversion may similarly go rogue. The Morris Worm of 1988, for example, was designed as a harmless network mapping tool, but its automated spread combined with bandwidth-consuming activity caused massive unintended disruptions across the early Internet.76 Finally, because actors have limited control over target systems, these systems may respond unexpectedly to manipulation, which risks causing the subversion to either fail to produce the desired effect or create negative and unintended consequences.

Crucially, these constraining variables of speed, intensity, and control are negatively correlated, producing a subversive trilemma. As illustrated in figure 1, holding all else equal, improving one variable tends to produce corresponding losses across the remaining variables. Increasing operational speed means less time for reconnaissance and development, which increases the risk of making mistakes and that targets will discover the subversion, both of which decrease control. Increasing intensity requires actors to expand the scope or scale of access to systems, which increases discovery risks. Lowering discovery risks for a given effects intensity tends to increase development time requirements, which reduces speed. Moreover, increasing control usually reduces speed because hackers need more time for reconnaissance and development plus extra efforts to avoid collateral damage by limiting the scale of effects and, thus, intensity.

Figure 1. The Subversive Trilemma
[Three triangle diagrams, each with the vertices Speed, Intensity, and Control; the figure itself is not reproduced here.]
NOTE: In each diagram, the dotted triangle shows how increasing one of these three variables tends to decrease the others compared with a given state in which all are balanced, which is represented by the solid triangle.

This subversive trilemma constrains operational effectiveness and thus severely limits the strategic utility that subversion can achieve in practice. Speed, intensity, and control are essential components of operational effectiveness, yet each of these variables can lead to mission failure, and no more than two can be maximized at once. Increasing both speed and intensity proportionally “doubly” decreases control, for example, because the more intense the possible effects are, the more sensitive the target and the more challenging the undetected exploitation is likely to be. Hence, pursuing both maximum intensity and speed makes it highly likely that an operation either fails to produce a strategically significant outcome or produces unintended consequences that impose further costs. Conversely, maximizing both control and speed is likely to constrain intensity to such a degree that it is extremely unlikely to produce a strategically significant outcome. Maximizing both intensity and control in turn tends to reduce speed to a glacial pace. Accordingly, forensic evidence indicates that the carefully calibrated Stuxnet operation took five years to develop.77 In theory, operations that maximize intensity and control are most likely to produce significant strategic gains, but in practice, their glacial pace renders them mostly useless in urgent crises and makes premature discovery probable. If high speed is necessary, such operations are likely unable to go after the most sensitive targets because they require significant reconnaissance and development time, and the scope of control that they have over a given target system is also limited. Meanwhile, more intense effect types, such as damage or disruption, involve greater risk of collateral damage or unintended

73. The anti-virus software vendor VirusBlokAda in Belarus detected the malware used in the Stuxnet operation on computers in Belarus on June 17, 2010, and initially named it “Rootkit.TmpHider.” “Rootkit.TmpHider,” VirusBlokAda, http://www.anti-virus.by/en/tempo.shtml.
74. Andrew and Mitrokhin, The Mitrokhin Archive, pp. 200–201.
75. Michael Herman, Intelligence Power in Peace and War (Cambridge: Cambridge University Press, 1996), p. 65.
76. Charles Schmidt and Tom Darby, “The What, Why, and How of the 1988 Internet Worm,” Snowplow, revised July 2001, https://web.archive.org/web/20051020030056/http://snowplow.org/tom/worm/worm.html.
77. Geoff McDonald et al., “Stuxnet 0.5: The Missing Link,” Symantec Security Response (Mountain View, Calif.: Symantec Corporation, 2013), https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-088.pdf.
consequences. Maximizing control requires either avoiding such effect types or restricting use to fewer and less sensitive targets—both of which reduce effect intensity.

Because of this trilemma, like traditional subversion, cyber subversion is unlikely to deliver on its strategic promise except in “unicorn” scenarios in which hackers are both exceptionally skilled and exceptionally lucky. Otherwise, in line with the different configurations of the trilemma outlined above, cyber operations will tend to be too slow, too low in intensity, or too unreliable to provide significant utility.

hypotheses and research design

My theory refines cyber evolution theory by specifying a distinct set of operational characteristics that shape strategic utility. It produces three expectations and three corresponding hypotheses for the case analysis. First, like cyber revolution theory, I expect states to primarily deploy cyber operations independently from diplomacy and warfare. Unlike cyberwar theories, I expect states to primarily use cyber operations as part of subversive campaigns against nonmilitary targets. Second, I expect the operational variables of speed, intensity, and control to be negatively correlated. Specifically, the different permutations of this trilemma produce the following hypotheses: increasing speed tends to decrease intensity and control (H1); increasing intensity tends to decrease speed and control (H2); increasing control tends to decrease intensity and speed (H3); and increasing two variables tends to doubly decrease the remaining variable (H4). Evidence supporting these hypotheses across different cyber operations would support my theory, whereas evidence of operations scoring high across all three variables, or of actors achieving simultaneous increases across all three variables, would support cyber revolution theory or cyberwar theory (for operations deployed for warfare). Third, I expect most cyber operations to fall short of providing measurable strategic utility, and I expect the subversive trilemma to be a key limiting factor.

I test these expectations in a case study of the Russo-Ukrainian conflict, which started in 2013. The five cyber operations within the case provide internal variation and allow within-case comparison. The Russo-Ukrainian conflict is a paradigmatic case of cyber-enabled limited conflict that occupies the gray zone between peace and conventional war, in which cyber revolution theorists expect cyber operations to provide added utility.78 Four of the cyber operations

78. Oliver Fitton, “Cyber Operations and Gray Zones: Challenges for NATO,” Connections, Vol. 15, No. 2 (Spring 2016), p. 109, http://www.jstor.org/stable/26326443; and James J. Wirtz, “Life in the ‘Gray Zone’: Observations for Contemporary Strategists,” Defense & Security Analysis, Vol. 33, No. 2 (2017), p. 108, doi.org/10.1080/14751798.2017.1310702.
in this case are attributed to Sandworm, which is an advanced hacker group that is in turn attributed to Russia’s Glavnoye Razvedyvatelnoye Upravlenie (GRU) intelligence service.79 Russia is a leading cyber power that is known for having a high tolerance for risk,80 and the Sandworm group is one of the world’s most skilled and most dangerous hacking groups.81 I expect the constraints of the subversive trilemma to be less pronounced in this case for several reasons. In addition to the linguistic and cultural similarities between the two countries, Russian spies have penetrated Ukrainian institutions, and many Ukrainian industrial facilities rely on Russian technologies.82 Moreover, Sandworm had seven years to adapt and improve its tradecraft. Hence, the conditions render cyber operations most likely to demonstrate their effectiveness and utility, while the constraints of subversion I identify are least likely to apply compared to conflicts with less favorable conditions.

I proceed in three steps. First, I verify whether and how Russia deployed cyber operations in coordination with its diplomatic and military efforts. Second, I measure relative operational speed, intensity, and control to assess whether and how the subversive trilemma constrained effectiveness. I base my measurement for speed on how much time elapses between when the hackers start to develop the cyber operation and when it concludes. To measure intensity, I track both scope (i.e., degree of intrusiveness) and scale (i.e., number of affected devices and individuals). I follow Loch Johnson’s escalation ladder of covert operations, which ranks thirty-eight different types of operations according to their intrusiveness (the lower the rank, the higher the intrusiveness) and groups them according to risk.83 Finally, I use four key indicators to measure control: premature discovery, failure to produce effects, time to neutralize effects, and collateral damage.

Third, to evaluate strategic utility I analyze whether and how cyber operations contribute to Russia’s strategic goals and/or cause a shift in the balance of power. It is challenging to determine strategic utility for conventional weapons, let alone for secret cyber operations.84 Indeed, for all five cyber operations Russia has neither publicly acknowledged its involvement nor clearly stated its goals. To determine the strategic utility of these cyber operations despite these constraints, I follow established practice in intelligence studies to draw inferences using triangulation among multiple sources of data.85

In this case study, I use process-tracing86 and leverage mostly original data from four main primary sources: field interviews with Ukrainian cybersecurity experts and witnesses,87 leaked documents and emails,88 forensic reporting, and social media posts and local media reporting.89 I primarily measure utility through impacts on the balance of power, defined as the distribution of material capabilities.90 I also examine whether and how the subversive trilemma limits the strategic utility of each operation.

Case Study: The Russo-Ukrainian Conflict

The Russo-Ukrainian conflict has its origins in Ukraine’s pursuit of closer relations with the European Union and the West. Despite President Viktor Yanukovych’s close ties with Russia, in February 2013, the Ukrainian

79. Sandworm is also known as “TeleBots,” “Electrum,” “Quedagh,” and “BlackEnergy.” See the online resource “APT Groups and Operations,” established by Florian Roth and maintained by several threat intelligence researchers for further background: https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1636225066.
80. Mark Galeotti, Putin’s Hydra: Inside Russia’s Intelligence Services (London: European Council on Foreign Relations [ECFR], May 2016), http://www.ecfr.eu/page/-/ECFR_169_-_PUTINS_HYDRA_INSIDE_THE_RUSSIAN_INTELLIGENCE_SERVICES_1513.pdf; and “Reckless Campaign of Cyber Attacks by Russian Military Intelligence Service Exposed,” National Cyber Security Centre, October 3, 2018, https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed.
81. Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (New York: Doubleday, 2019); and Robert Lemos, “Suspected Russian ‘Sandworm’ Cyber Spies Targeted NATO, Ukraine,” Ars Technica, October 14, 2014, https://arstechnica.com/security/2014/10/suspected-russian-sandworm-cyber-spies-targeted-nato-ukraine/.
82. Vitalii Usenko and Dmytro Usenko, “30% of Ukrainian SBU Officers Were Russian FSB and GRU Agents,” ed. Olena Wawryshyn, Euromaidan Press, April 24, 2014, http://euromaidanpress.com/2014/04/24/30-of-ukrainian-sbu-officers-were-russian-fsb-and-gru-agents/; and Tomila Lankina and Alexander Libman, “Soviet Legacies of Economic Development, Oligarchic Rule, and Electoral Quality in Eastern Europe’s Partial Democracies: The Case of Ukraine,” Comparative Politics, Vol. 52, No. 1 (October 2019), pp. 127–176, doi.org/10.5129/001041519X15624348215945.
83. Johnson, “On Drawing a Bright Line for Covert Operations.”
84. James G. Roche and Barry D. Watts, “Choosing Analytic Measures,” Journal of Strategic Studies, Vol. 14, No. 2 (1991), p. 172, doi.org/10.1080/01402399108437447.
85. Loch K. Johnson, ed., Handbook of Intelligence Studies (New York: Routledge, 2007), p. 81.
86. Jeffrey T. Checkel, “Mechanisms, Process, and the Study of International Institutions,” in Andrew Bennett and Jeffrey T. Checkel, eds., Process Tracing: From Metaphor to Analytic Tool (Cambridge: Cambridge University Press, 2014), pp. 74–97, doi.org/10.1017/CBO9781139858472.006.
87. The author traveled to Ukraine in 2018 to conduct interviews with twenty-three key individuals, while adhering to a strict ethics protocol approved by the University of Toronto’s Research Ethics Board (Protocol No.: 00034827).
88. Email inboxes of separatist leader Kirill Frolov and Russian advisor Vladimir Surkov provide unique insights into Russian perceptions and coordination of separatist movements in Ukraine. Daria Goriacheva, the author’s research assistant and a native Russian speaker, carefully analyzed and translated these sources. The Ukrainian hacker collective Ukrainian Cyber Alliance obtained these emails and has made them publicly available at the following links: https://ordilo.org/wp-content/uploads/2016/12/frolov_moskva@mail.ru.rar (last accessed May 17, 2019) and https://drive.google.com/drive/folders/0BxCzAWE6sxSfRXVjdm1pV2c3WXc (last accessed July 15, 2021). Henceforth, email citations from this source will include the sender and recipient names, date, and time.
89. Collected and translated by the author’s research assistant, Daria Goriacheva.
90. Kenneth N. Waltz, Theory of International Politics (Reading, Mass.: Addison-Wesley, 1979).
l
D
o
w
N
o
UN
D
e
D
F
R
o
M
H
T
T
P
:
/
/
D
io
R
e
C
T
.
M
io
T
.
e
D
tu
/
io
S
e
C
/
UN
R
T
io
C
e
–
P
D
l
F
/
/
/
/
4
6
2
5
1
2
0
7
9
9
4
2
/
io
S
e
C
_
UN
_
0
0
4
1
8
P
D
.
F
B
sì
G
tu
e
S
T
T
o
N
0
8
S
e
P
e
M
B
e
R
2
0
2
3
The Subversive Trilemma 69
Parliament voted to commit to an EU-Ukraine Association Agreement.91 This vote threatened Russia’s interest in maintaining Ukraine within its sphere of influence. A key part of the Kremlin’s Ukraine strategy has been spreading “rumour, speculation, half-truth, conspiracy, and outright lie, to obscure the realities of Russian activities.”92 Consequently, the drivers of its foreign policy continue to be hotly debated.93 Yet, even amidst these acrimonious debates, there is broad consensus that Russia has pursued two complementary strategic goals.94 It wants to prevent and reverse Ukraine’s realignment toward the European Union and the West, and to maintain Ukraine within its sphere of influence. Accordingly, Russian scholars highlight Russia’s priority to “stop the pro-Western Kiev government”95 and explain that “Russia looks at the former USSR states as creating arcs of safety in Eastern Europe.”96 Public statements by Russia’s leadership warn Ukraine against the “inevitable financial catastrophe”97 that would result from EU integration, and President Vladimir Putin has repeatedly emphasized the shared history of Ukraine and Russia and their “sameness”98 as “one people.”99
To achieve these goals, Russia leveraged diplomacy, (semi-covert) warfare, and subversion. Initially, Russia applied increasing diplomatic pressure on the Yanukovych government while mobilizing a network of subversive proxy actors, comprised of church organizations such as the “Union of
91. Interfax-Ukraine, “Parliament Passes Statement on Ukraine’s Aspirations for European Integration,” Kyiv Post, February 22, 2013, https://www.kyivpost.com/article/content/ukraine-politics/parliament-passes-statement-on-ukraines-aspirations-for-european-integration-320792.html.
92. Mark Galeotti, Controlling Chaos: How Russia Manages Its Political War in Europe (Berlin: ECFR, September 2017), p. 6, http://www.ecfr.eu/publications/summary/controlling_chaos_how_russia_manages_its_political_war_in_europe.
93. Elias Götz, “Russia, the West, and the Ukraine Crisis: Three Contending Perspectives,” Contemporary Politics, Vol. 22, No. 3 (2016), pp. 249–266, doi.org/10.1080/13569775.2016.1201313.
94. See section 1 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
95. Vladimir V. Shtol, “Geopoliticheskiye zadachi Rossii na postsovetskom prostranstve” [Geopolitical tasks for Russia in the post-Soviet space], Vestnik Moskovskogo Gosudarstvennogo Oblastnogo Universiteta [Moscow State Regional University Press], No. 3S (2014), p. 176.
96. E. Shturba and M. Makhalkina, “Territorial’nyye anklavy byvshego SSSR v kontekste natsional’noy bezopasnosti sovremennoy Rossii” [Territorial enclaves of the former USSR in the context of the national security of contemporary Russia], Istoricheskaya i sotsial’no-obrazovatel’naya mysl [Historical and Social-Educational Thought], Vol. 2, No. 1C (2016), p. 26.
97. Shaun Walker, “Ukraine’s EU Trade Deal Will Be Catastrophic, Says Russia,” Guardian, September 22, 2013, https://www.theguardian.com/world/2013/sep/22/ukraine-european-union-trade-russia.
98. “Putin Says Russia, Ukraine Torn Apart to Prevent Major Rival from Emerging,” TASS, February 21, 2020, https://tass.com/politics/1122727.
99. Vladimir Putin, “Address by President of the Russian Federation: Vladimir Putin Addressed State Duma Deputies, Federation Council Members, Heads of Russian Regions, and Civil Society Representatives in the Kremlin,” President of Russia, March 18, 2014, http://en.kremlin.ru/events/president/news/20603.
International Security 46:2 70
Orthodox Citizens” and other separatist groups, to stimulate pro-Russian sentiment. A leaked document in 2013 outlines Russia’s goals to “create a network of Russian influence . . . [to] prevent the signing of association agreements between Ukraine and the EU . . . [and] neutralize the political and media influence of European integrators.”100 This campaign involved some curious measures, such as a series of rock concerts,101 which unsurprisingly failed to produce measurable results.102 Russia’s diplomatic efforts, however, were successful. Following a secret meeting with Putin, Yanukovych unilaterally withdrew from EU association negotiations in November 2013, prompting tens of thousands of Ukrainians to gather at Maidan square to protest.103 In February 2014, Yanukovych’s government collapsed. In response, Russia utilized its subversive proxies to conduct a regime change operation in Crimea. Russia’s proxies organized protests around government institutions in Crimea’s regional capital, Simferopol, and in Sevastopol, which Russia supported with unmarked military forces.104 These proxies then helped organize a referendum, coordinated from Moscow, deciding secession before Ukraine could react and producing a fait accompli.105 In the Donbass region, Russia deployed similar tactics, but pockets of local resistance allowed the Ukrainian government to launch a countercampaign in May 2014.106 Russia and Ukraine remain in a protracted stalemate with ongoing, significant bloodshed.
Although Russia has (thus far) failed to achieve its two core strategic goals,
100. “O komplekse mer po vovlecheniyu Ukrainy v Yevraziyskiy integratsionnyy protsess” [On the set of measures to involve Ukraine in the Eurasian integration process], ZN.Ua, August 16, 2013, https://zn.ua/internal/o-komplekse-mer-po-vovlecheniyu-ukrainy-v-evraziyskiy-integracionnyy-process-_.html.
101. Sergey Glazyev, email to Kiril Frolov, September 13, 2013, 9:45 a.m.
102. Sanshiro Hosaka, “The Kremlin’s Active Measures Failed in 2013: That’s When Russia Remembered Its Last Resort—Crimea,” Demokratizatsiya: The Journal of Post-Soviet Democratization, Vol. 26, No. 3 (Summer 2018), pp. 321–364, muse.jhu.edu/article/699570.
103. Oksana Grytsenko and Ian Traynor, “Ukraine U-turn on Europe Pact Was Agreed with Vladimir Putin,” Guardian, November 26, 2013, https://www.theguardian.com/world/2013/nov/26/ukraine-u-turn-eu-pact-putin.
104. Michael Kofman et al., Lessons from Russia’s Operations in Crimea and Eastern Ukraine (Santa Monica, Calif.: RAND, 2017); Dmytro Lisunov, Oleh Baturin, and Serhiy Petrenko, “Why Surkov Needs Private Army: Union of Donbas Volunteers (UDV) as Reserve of National Guard of Russia,” InformNapalm English blog, April 30, 2017, https://informnapalm.org/en/surkov-needs-private-army-union-donbas-volunteers-reserve-russian-guard/; and Alya Shandra, “Glazyev Tapes, Continued: New Details of Russian Occupation of Crimea and Attempts to Dismember Ukraine,” Euromaidan Press, May 16, 2019, http://euromaidanpress.com/2019/05/16/glazyev-tapes-continued-ukraine-presents-new-details-of-russian-takeover-of-crimea-and-financing-of-separatism/.
105. Kremlin, “Podpisan ukaz o priznanii Respubliki Krym” [Decree on recognition of the Republic of Crimea was signed], Prezident Rossii [President of Russia], March 17, 2014, http://kremlin.ru/events/president/news/20596; and David M. Herszenhorn and Andrew E. Kramer, “Ukraine Plans to Withdraw Troops from Russia-Occupied Crimea,” New York Times, March 19, 2014, https://www.nytimes.com/2014/03/20/world/europe/crimea.html.
106. Vladimir A. Kalamanov, “Ukraina v geopoliticheskom izmerenii sovremennoy mirovoy
these efforts have produced significant strategic gains. First, the balance of power shifted in Russia’s favor as it expanded its territory into Crimea and gained partial control over Donbass.107 Despite prevailing conceptualizations of a cyber-enabled “hybrid war” in Ukraine, however, cyber operations played no role in attaining these gains.108 Existing research shows cyber operations were irrelevant to military action in the Donbass or Crimea, and there is also no evidence that any cyber operations attributed to Russia contributed to the regime change operation in Crimea.109 This absence is particularly surprising considering that Russian “information warfare” doctrine treats cyber operations as relevant to the objectives it pursued in Ukraine.110 Instead, Russia deployed its cyber operations independently of the warfare effort as part of a larger subversive campaign targeting the remaining territory of Ukraine.
evaluating cyber operations in ukraine
The final phase of the Russo-Ukrainian conflict is characterized by slow-paced Russian efforts to weaken Ukraine. Although cyber operations have remained irrelevant in the military clashes in Donbass, in Ukraine’s remaining territory Russia used election interference, sabotage, disinformation, propaganda, and
sistemy i vozvrashcheniye Rossiyskogo liderstva” [Ukraine in the geopolitical dimension of the modern world system and the return of Russian leadership], Vestnik Rossiyskogo Universiteta Druzhby Narodov [Press of Peoples’ Friendship University of Russia], Politologiya [Political Science], No. 4 (n.d.), p. 14; and Tom McCarthy and Alan Yuhas, “Ukraine Crisis: Kiev Launches ‘Anti-terror Operation’ in East—Live Updates,” Guardian, April 15, 2014, https://www.theguardian.com/world/2014/apr/15/ukraine-military-forces-russia-live-blog.
107. Andrew S. Bowen, “Coercive Diplomacy and the Donbas: Explaining Russian Strategy in Eastern Ukraine,” Journal of Strategic Studies, Vol. 42, No. 3–4 (2019), pp. 312–343, doi.org/10.1080/01402390.2017.1413550.
108. András Rácz, Russia’s Hybrid War in Ukraine: Breaking the Enemy’s Ability to Resist, FIIA Report No. 43 (Helsinki: Finnish Institute of International Affairs [FIIA], June 16, 2015), https://www.fiia.fi/wp-content/uploads/2017/01/fiiareport43.pdf; and Fitton, “Cyber Operations and Gray Zones.”
109. Nadiya Kostyuk and Yuri M. Zhukov, “Invisible Digital Front: Can Cyber Attacks Shape Battlefield Events?” Journal of Conflict Resolution, Vol. 63, No. 2 (February 2019), pp. 317–347, doi.org/10.1177/0022002717737138; and Aaron F. Brantly, Nerea M. Cal, and Delvin P. Winkelstein, Defending the Borderland: Ukrainian Military Experiences with IO, Cyber, and EW (West Point, N.Y.: Army Cyber Institute, December 1, 2017), https://vtechworks.lib.vt.edu/handle/10919/81979. See also section 2 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
110. Keir Giles and William Hagestad II, “Divided by a Common Language: Cyber Definitions in Chinese, Russian, and English,” paper presented at the 5th International Conference on Cyber Conflict, Tallinn, Estonia, June 4–7, 2013, https://ieeexplore.ieee.org/document/6568390; and Sergei Chekinov and Sergei Bogdanov, “Vliyanie nepriamykh deistvii na kharakter sovremennoi voiny” [The influence of indirect actions on the nature of modern warfare], Voennaya Mysl [Military Thought], No. 6 (2011), pp. 3–4, quoted and translated in Mark Galeotti, “Hybrid, Ambiguous, and Non-linear? How New Is Russia’s ‘New Way of War’?” Small Wars & Insurgencies, Vol. 27, No. 2 (March 2016), p. 288, doi.org/10.1080/09592318.2015.1129170.
Table 2. A Comparison of Five Cyber Operations

Election interference (2014)
  Speed: 3 months
  Intensity: low scale, high scope
  Control: no premature discovery; disruptive effect on target partially produced; disruptive effect neutralized within 20 hours, preventing impact
  Strategic utility: negligible

Power grid I (2015)
  Speed: 19 months
  Intensity: high scale, high scope
  Control: premature discovery; disruptive effect on target produced; disruptive effect neutralized within 6 hours
  Strategic utility: negligible

Power grid II (2016)
  Speed: 31 months
  Intensity: high scale, highest scope
  Control: premature discovery; disruptive effect on target partially produced; disruptive effect neutralized within 75 minutes
  Strategic utility: negligible

“NotPetya” (2017)
  Speed: 6 months
  Intensity: highest scale, medium scope
  Control: premature discovery; disruptive effect on targets produced; lasting effect (i.e., data destruction); collateral damage and unintended consequences
  Strategic utility: measurable, significant impact on balance of power

“BadRabbit” (2017)
  Speed: 12 months
  Intensity: low scale, low scope
  Control: no premature discovery; disruptive effects on target produced; controlled proliferation
  Strategic utility: negligible
economic warfare to conduct a long-term, slow-burning subversive campaign to weaken Ukraine and keep it within its sphere of influence.111 Five major cyber operations attributed to Russian-sponsored actors contributed to this campaign, and the analysis in this section examines their operational mechanisms and strategic utility. Table 2 summarizes key findings.
election interference (2014). The first cyber operation attempted to disrupt Ukraine’s 2014 presidential elections by sabotaging the computer systems of the Central Elections Commission (CEC). It moved fast and pursued intense effects by disrupting a core political process in democracies, yet it failed to influence the elections because the hackers missed a security measure that the
111. Alya Shandra and Robert Seely, “The Surkov Leaks: The Inner Workings of Russia’s Hybrid War in Ukraine” (London: Royal United Services Institute [RUSI], July 2019), https://static.rusi.org/201907_op_surkov_leaks_web_final.pdf.
CEC used to neutralize the compromise. This outcome provides support for the subversive trilemma and is congruent with H4. Consequently, as expected, the operation provided Russia—whose military intelligence agency GRU most likely sponsored it—with little measurable strategic utility. Moreover, I find circumstantial evidence that Russia deployed this cyber operation as part of its larger subversive campaign rather than to support its diplomatic and military initiatives.112 This finding confirms the expected independent strategic role of cyber operations.
The group behind this cyber operation to sabotage the CEC’s computers developed it within only two months, which is very fast compared with the five years it took to develop Stuxnet.113 The hackers had to work quickly because Ukraine’s elections announcement in March 2014 was unexpected. Forensic evidence indicates the initial compromise of Ukraine’s CEC occurred shortly after.114 Although the vulnerability and means of exploitation remain unknown, on May 21 the hackers deployed malware (i.e., malicious software) that disrupted the CEC’s computer systems for at least several hours.115 The CEC successfully restored service before election day on May 25.116
The hackers moved fast while pursuing intense effects that were low in scale yet high in scope because they aimed to disrupt a core democratic process.117 Yet, as predicted by the trilemma, they had insufficient control over the CEC’s computer system. The intended effect of the cyber operation became clear on May 23, when the hacker collective Cyber Berkut boasted to have “destroyed PC and network infrastructure of the Ukrainian CEC,” and challenged the elections’ legitimacy as being under “total U.S. control.”118 Cyber Berkut is a front organization for GRU119 and is likely linked to high-profile threat actor
112. See section 3 in the online appendix, doi.org/10.7910/DVN/IZ65MC.
113. McDonald et al., “Stuxnet 0.5.”
114. Author interview with Victor Zhora, Kyiv, April 7, 2018; and Nikolay Koval, “Revolution Hacking,” in Kenneth Geers, ed., Cyber War in Perspective: Russian Aggression against Ukraine (Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, 2015), p. 57, https://ccdcoe.org/library/publications/cyber-war-in-perspective-russian-aggression-against-ukraine/.
115. Nikolay Koval, then head of Ukraine’s Computer Emergency Response Team (CERT), indicates the outage lasted around twenty hours. Koval, “Revolution Hacking,” p. 57. Cybersecurity expert Victor Zhora, who was personally involved in the mitigation efforts, noted that the outage lasted only “a few” hours; personal correspondence with the author via online messaging service, May 19, 2019.
116. Author interview with Zhora, 2018.
117. According to Johnson’s escalation ladder, election interference is a “high risk option” (rung 18 of 38). Johnson, “On Drawing a Bright Line for Covert Operations,” pp. 286–288.
118. “The Ministry of Finance of Ukraine Is Cracked: In the Country There Were Only Debts,” CyberBerkut, May 23, 2015, http://www.cyber-berkut.ru/en/index_02.php.
119. “Reckless Campaign of Cyber Attacks by Russian Military Intelligence Service Exposed,” October 3, 2018.
APT 28.120 Contrary to its claims, however, the vote counting remained unaffected because the hackers’ reconnaissance overlooked the fact that the CEC could use its backups to restore service.121 This evidence supports H4. Consequently, the cyber operation failed to help Russia disrupt Ukraine’s election or to shift the balance of power. The elections proceeded unhindered, and their integrity was widely accepted.122
power grid i (2015). The second Russian-sponsored cyber operation sabotaged equipment at the energy providers Prykarpattyaoblenergo, Chernovtsoblenergo, and Kievoblenergo, causing a power outage in Western Ukraine on December 23, 2015, that affected 230,000 people and lasted six hours. These highly intense effects featured both high scope and scale and required substantial time to develop, yet the hackers failed to produce strategically significant lasting effects because they had insufficient control over the targeted systems. Although the hackers successfully exploited the power grid infrastructure, ultimately the companies neutralized the disruption by the simple expedient of switching to manual control. The outage affected less than 1 percent of Ukraine’s population and comprised only about 0.015 percent of Ukraine’s daily energy consumption.123 According to a senior advisor to the Ukrainian government, its short duration and timing shortly before Christmas caused minimal economic disruption.124 In contrast to sensationalist Western coverage naming this an “act of cyberwar,”125 only a few local Ukrainian outlets covered it, and none on the front page.126 This outcome supports the subversive trilemma (specifically H2) and its constraining influence on strategic utility.
120. Koval, “Revolution Hacking,” p. 58.
121. Author interview with Zhora, 2018.
122. Organization for Security and Co-operation in Europe (OSCE) et al., International Election Observation Mission: Ukraine—Early Presidential Election, 25 May 2014: Statement of Preliminary Findings and Conclusions (Kyiv: OSCE, May 26, 2014), https://www.osce.org/odihr/elections/ukraine/119078?download=true.
123. Oleg Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy” [Zillya! Antivirus has analyzed cyber attacks on infrastructure facilities in Ukraine], Zillya! Antivirus, February 17, 2016, https://zillya.ua/ru/zillya-antivirus-provela-analiz-kiberatak-na-infrastrukturnye-obekti-ukrainy.
124. Author interview with senior Ukrainian government advisor, Kyiv, April 5, 2018. The official has asked to remain anonymous.
125. Jose Pagliery, “Scary Questions in Ukraine Energy Grid Hack,” CNN, January 18, 2016, https://money.cnn.com/2016/01/18/technology/ukraine-hack-russia/index.html; Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/; and Elias Groll, “Did Russia Knock Out Ukraine’s Power Grid?” Foreign Policy, January 8, 2016, https://foreignpolicy.com/2016/01/08/did-russia-knock-out-ukraines-power-grid/.
126. “SBU predupredila khakerskuyu ataku Rossiyskikh Spetssluzhb na energoob’yekty Ukrainy—112 Ukraina” [SBU prevented hacker attack of Russian Special Services on power facilities of Ukraine—112 Ukraine], 112.Ua, https://112.ua/kriminal/sbu-predupredila-hakerskuyu-ataku-rossiyskih-specsluzhb-na-energoobekty-ukrainy-281811.html; “Pislya kibera-
I also find no evidence that this cyber operation was linked to Russia’s military or diplomatic efforts at the time. Military clashes continued throughout December 2015 despite a truce.127 There were no major diplomatic events. It is plausible, as some have argued, that this cyber operation was retaliation for sabotage to Crimea’s power supply in November 2015 that destroyed the power lines linking it to the mainland, but there is no conclusive evidence.128
This sabotage operation against the power grid was more intense than the effort to disrupt the CEC’s computer systems. A power blackout can cause both physical damage and possibly death, particularly in winter.129 As the subversive trilemma would predict, this relative increase in intensity correlated with a significant decrease in speed (see table 2). On May 12, 2014, one day after the Donbass referendum, Sandworm used a compromised server at a Portuguese university130 to send phishing emails to employees of the targeted energy firms.131 Curiously, the emails came from a Portuguese university address and contained general information on Ukraine’s railway system.132 This cyber operation therefore relied on the unlikely scenario of the victims being sufficiently interested in Ukraine’s railway system to click on the malicious attachment. Somebody did, though, providing Sandworm access to corporate systems.133
Forensic evidence indicates that the hackers needed another five months to access the physical control systems in order to exploit their technical vulnerabili-
taky na ‘Prykarpattyaoblenerho’ v SSHA perehlyanut’ zakhyst enerhomerezh” [After the cyberattack on Prykarpattyaoblenerho, the protection of power grids will be reviewed in the United States], Obozrevatel, https://www.obozrevatel.com/ukr/news/58420-pislya-kiberataki-na-prikarpattyaoblenergo-v-ssha-pereglyanut-zahist-energomerezh.htm; and Sergey Martynets, “SSHA pidozryuyut? Rosiyu u prychetnosti do kiberatak na ukrayins’ki elektromerezhi” [The United States suspects Russia of involvement in cyberattacks on Ukrainian power grids], Ukrainian National News (UNN), January 7, 2016, https://www.unn.com.ua/uk/news/1536191-ssha-pidozryuyut-rosiyu-u-prichetnosti-do-kiberatak-na-ukrayinski-elektromerezhi.
127. “Deadly Clashes in Ukraine despite Holiday Truce,” RadioFreeEurope/RadioLiberty, December 27, 2015, https://www.rferl.org/a/deadly-clashes-in-ukraine-despite-holiday-truce/27452015.html.
128. Kim Zetter, “Everything We Know about Ukraine’s Power Plant Hack,” Wired, January 20, 2016, https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/; and Ivan Nechepurenko and Neil MacFarquhar, “As Sabotage Blacks Out Crimea, Tatars Prevent Repairs,” New York Times, November 23, 2015, https://www.nytimes.com/2015/11/24/world/europe/crimea-tatar-power-lines-ukraine.html.
129. Johnson’s ladder does not include critical infrastructure sabotage, but the scope of effects places it within the riskiest, “extreme options.” Johnson, “On Drawing a Bright Line for Covert Operations,” pp. 286, 292.
130. “Kyberuhroza BlackEnergy2/3” [Cyber threat BlackEnergy2/3], CysCentrum, January 16, 2016, https://cys-centrum.com/ru/news/black_energy_2_3.
131. Ibid.
132. Oleg Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy.”
133. “Kyberuhroza BlackEnergy2/3,” CysCentrum.
ties. In October 2014, threat intelligence vendor iSight reported that Sandworm was exploiting a “zero-day” vulnerability (a vulnerability unknown to the software vendor, and therefore unpatched) in Microsoft Windows to target energy providers.134 Subsequent analysis showed that the hackers were also targeting human-machine interface (HMI) software, the component of an industrial control system through which operators monitor and command the physical process.135 HMI systems themselves, however, cannot cause physical effects (i.e., disrupting the power supply).136 The hackers needed another fourteen months to learn how to operate a power distribution system.137 At 3:30 p.m. on December 23, 2015, Sandworm operatives manually entered commands that caused the temporary blackout, using built-in functionality to cause an unexpected outcome.138
The cyber operation disrupted power service by remotely opening breakers at approximately thirty substations and delayed restoration by simultaneously inundating the utilities’ phone support centers with calls.139 Ninety minutes later, the hackers attempted to prevent the power companies from restoring service by deleting all data on the affected computers.140 Yet, employees at these utilities neutralized the disruption and restored power within six hours by switching their Soviet-era substations to manual control.141 Although it later became clear that all the affected utility providers had discovered the compromise months before Sandworm attempted to disconnect the substations, none of the victims reported or acted upon the premature discovery.142 It was primarily
134. Stephen Ward, “iSIGHT Discovers Zero-Day Vulnerability CVE-2014-4114 Used in Russian Cyber-Espionage Campaign,” iSight Partners blog, October 14, 2014, https://web.archive.org/web/20141015001101/https://www.isightpartners.com/2014/10/cve-2014-4114/.
135. Kyle Wilhoit and Jim Gogolinski, “Sandworm to Blacken: The SCADA Connection,” Trend Micro: Security Intelligence Blog, October 16, 2014, https://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection/.
136. Dragos, Crashoverride: Analysis of the Threat to Electric Grid Operations (Hanover, Md.: Dragos, 2017), p. 10, https://dragos.com/blog/crashoverride/CrashOverride-01.pdf.
137. As Dragos explains, access to an HMI enabled the hackers to “learn the industrial process and gain the graphical representation of that ICS [industrial control system] through the HMI.” Dragos, Crashoverride, p. 10.
138. Robert M. Lee, Michael J. Assante, and Tim Conway, Analysis of the Cyber Attack on the Ukrainian Power Grid (Washington, D.C.: Electricity Information Sharing and Analysis Center, March 18, 2016), https://africautc.org/wp-content/uploads/2018/05/E-ISAC_SANS_Ukraine_DUC_5.pdf; and Dragos, Crashoverride, p. 10.
139. Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy”; and Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
140. “Kyberuhroza BlackEnergy2/3,” CysCentrum; Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy”; and Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
141. Sych, “Zillya! Antivirus provela analiz kiberatak na infrastrukturnyye obyekti Ukrainy”; and Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
142. “Kyberuhroza BlackEnergy2/3,” CysCentrum.
luck rather than stealth that enabled the hackers to control the system long enough to attempt to produce effects.
power grid ii (2016). One year after it disrupted power substations in Western Ukraine, Sandworm targeted the power grid in Kyiv, Ukraine’s capital. The hackers had developed an advanced technique capable of more intense effects than its predecessor, which could, in theory, inflict lasting damage on the equipment of Ukrenergo’s substations.143 But this capability failed, and Ukrenergo was able to neutralize the outage even faster than before. Maximizing intensity correlates with reduced speed and control—confirming H2.
As with its predecessor in 2015, there is no evidence linking this cyber operation to Russia’s ongoing military and diplomatic efforts in Ukraine. The key military events in October 2016 were infighting among the pro-Russian rebels in the Donbass region and the assassination of rebel leader Arsen “Motorola” Sergeyevich Pavlov.144 Given the timing of this sabotage operation (days before Christmas), a Ukrainian government official speculated that its primary purpose was to inflict psychological distress rather than to advance Russia’s military or diplomatic agenda.145
Sandworm required an additional twelve months (thirty-one months total) to develop this cyber operation compared with its 2015 predecessor. The hackers used this time to deepen their knowledge about power substations and to develop a more advanced and, theoretically, more effective malware. According to industrial cybersecurity experts Dragos, the hackers attempted to trigger an automated protective system that would take targeted substations offline (i.e., “islanding”) by rapidly opening and closing circuit breakers.146 This malware was theoretically capable of “coordinated targeting of multiple electric sites and could result in a few days of outages.”147 Forensic analysis revealed that the malware could cause lasting physical damage by disabling Siemens protective relays.148
The additional time that it took Sandworm to develop this sabotage operation against the power grid in Kyiv correlates with an increased potential in-
143. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.”
144. Jack Losh, “Ukrainian Rebel Leaders Divided by Bitter Purge,” Washington Post, October 3, 2016, https://www.washingtonpost.com/world/europe/ukrainian-rebel-leaders-divided-by-bitter-purge/2016/10/03/2e0076ac-8429-11e6-b57d-dd49277af02f_story.html; and Andrew E. Kramer, “Bomb Kills Pro-Russian Rebel Commander in Eastern Ukraine,” New York Times, October 17, 2016, https://www.nytimes.com/2016/10/18/world/europe/ukraine-rebel-arsen-pavlov-motorola-killed.html.
145. Author interview with an anonymous government advisor, Kyiv, April 21, 2018.
146. Dragos, Crashoverride, p. 23.
147. Ibid., p. 23.
148. Ibid., p. 24.
tensity of effects, confirming expectations of the subversive trilemma. This cyber operation qualifies as an “extreme option” in Johnson’s escalation ladder, given its potential for physical damage.149 At 11:53 p.m. on December 17, 2016, Sandworm’s malware de-energized the Pivnichna (Northern) power substation near Kyiv, causing a loss of 202.9 megawatts, enough to power around 600,000 Ukrainian households according to average consumption statistics from the International Energy Agency.150 Ukrenergo had learned from the 2015 sabotage, however, and swiftly switched to manual control, so that “within an hour and fifteen minutes, power was restored in full.”151 In practice, this operation thus achieved less intense effects than its predecessor.
Dragos’s analysis of this cyber operation underlined that deploying the advanced technique to damage targets “would be very difficult to do at scale.”152 Yet the hackers never got that far. The networking protocol of the targeted industrial control systems reversed Internet Protocol (IP) addresses when executing commands, but Sandworm had missed this and entered the wrong addresses, which resulted in “nonsensical communication.”153 When I interviewed Volodymyr Styran, a cybersecurity expert at Berezha Security, he concluded that Sandworm hackers are “just people” who “screwed it up at some point, as they did in previous incidents.”154 The triangulation of evidence indicates that this cyber operation neither contributed to Russia’s strategic goals nor achieved a shift in the balance of power, which confirms my expectations.
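The failure mode just described, a target list whose addresses are not in the order the protocol expects, is the kind of thing a pre-flight check catches. The Go program below is an added example written for this edit; it is not code from the article, from Dragos, or from the malware. It assumes (an assumption, not something the page establishes) that the mix-up was an IPv4 octet-order reversal, and shows how packing an address in the wrong byte order produces exactly such a reversal, together with a validator that flags a configured target which falls outside the expected subnet while its octet-reversal falls inside it. The subnet and the target list are constructed sample data.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Constructed sample data: the range the field devices are supposed to live in,
// and a target list in which one entry was typed with its octets reversed.
var (
	SampleRange   = "10.20.30.0/24"
	SampleTargets = []string{"10.20.30.5", "7.30.20.10", "192.168.1.1"}
)

// ipv4ToUint32 packs an IPv4 address in network (big-endian) byte order, the
// order a wire protocol expects when it carries an address as a 32-bit field.
func ipv4ToUint32(ip net.IP) (uint32, bool) {
	ip4 := ip.To4()
	if ip4 == nil {
		return 0, false
	}
	return binary.BigEndian.Uint32(ip4), true
}

// uint32ToIPv4 unpacks a 32-bit value using the given byte order. Decoding a
// value that was packed big-endian with binary.LittleEndian (or the reverse)
// yields the four octets in reverse order, i.e. a.b.c.d becomes d.c.b.a.
func uint32ToIPv4(v uint32, order binary.ByteOrder) net.IP {
	b := make([]byte, 4)
	order.PutUint32(b, v)
	return net.IPv4(b[0], b[1], b[2], b[3]).To4()
}

// reversedOctets returns a.b.c.d as d.c.b.a without going through an integer.
func reversedOctets(ip net.IP) net.IP {
	ip4 := ip.To4()
	return net.IPv4(ip4[3], ip4[2], ip4[1], ip4[0]).To4()
}

// checkTargets validates configured device addresses against the CIDR range
// they are expected to be in. It reports entries that are malformed or out of
// range, and specifically calls out an out-of-range entry whose octet-reversal
// IS in range, a strong hint that the address was entered in the wrong order.
func checkTargets(targets []string, cidr string) []string {
	_, allowed, err := net.ParseCIDR(cidr)
	if err != nil {
		return []string{"invalid range: " + cidr}
	}
	var problems []string
	for _, t := range targets {
		ip := net.ParseIP(t)
		if ip == nil || ip.To4() == nil {
			problems = append(problems, t+": not an IPv4 address")
			continue
		}
		if allowed.Contains(ip) {
			continue
		}
		if rev := reversedOctets(ip); allowed.Contains(rev) {
			problems = append(problems, fmt.Sprintf(
				"%s: outside %s, but its octet-reversal %s is inside; wrong byte order?", t, cidr, rev))
			continue
		}
		problems = append(problems, fmt.Sprintf("%s: outside %s", t, cidr))
	}
	return problems
}

func main() {
	v, _ := ipv4ToUint32(net.ParseIP("10.20.30.5"))
	fmt.Printf("packed 0x%08x -> big-endian %s, little-endian %s\n",
		v, uint32ToIPv4(v, binary.BigEndian), uint32ToIPv4(v, binary.LittleEndian))
	for _, p := range checkTargets(SampleTargets, SampleRange) {
		fmt.Println("problem:", p)
	}
}
```

Run as `go run` on the file; the first line of output shows the same 32-bit value decoded as 10.20.30.5 and as 5.30.20.10, and the validator flags 7.30.20.10 as a probable byte-order mistake while 192.168.1.1 is reported simply as out of range.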
The economic and psychological impacts of this second sabotage operation
149. Johnson, “On Drawing a Bright Line for Covert Operations,” p. 186.
150. “Prichinoy obestochivaniya chasti Kiyeva mozhet byt’ ataka khakerov” [The reason for the blackout in part of Kiev may be an attack by hackers], Fakty.ua, December 18, 2016, https://fakty.ua/227538-prichinoj-obestochivaniya-chasti-kieva-mozhet-byt-ataka-hakerov. In the United States, one megawatt typically provides enough power for about 750 households. California Energy Commission, “California ISO Glossary,” https://www.energy.ca.gov/resources/energy-glossary. Hence, an outage of 202.9 megawatts would equal power loss for 152,175 standard U.S. households. In 2016, IEA data shows average energy consumption per capita in Ukraine was only approximately one quarter of that in the United States (3.2 MWh vs. 12.8 MWh), and thus the number of households affected would be up to 608,700. For data on electricity consumption per capita per country, see “Electricity,” IEA, accessed August 21, 2021, https://www.iea.org/fuels-and-technologies/electricity.
151. Vsevolod Kovalchuk, “Tsiyeyi nochi na pidstantsiyi ‘pivnichna’ vidbuvsya zbiy—Vsevolod Kovalchuk” [That night there was a failure at the Northern substation—Vsevolod Kovalchuk], Facebook, December 18, 2016, https://www.facebook.com/permalink.php?story_fbid=1798082313797621&id=100007876094707.
152. Dragos, Crashoverride, p. 25.
153. Joe Slowik, Crashoverride: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack (Hanover, Md.: Dragos, 2019), p. 11, https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf.
154. Author interview with Volodymyr Styran, Kyiv, April 19, 2018. The incident that Styran refers to is Sandworm’s 2015 attempt to compromise the media firm Starlight Entertainment, during which it committed a similar basic error. See section 4 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
against Ukraine’s power infrastructure were even less significant than in 2015. The outage occurred overnight when most businesses were closed and most people were asleep. Although some U.S. media outlets covered the event, the incident barely registered in Ukrainian media.155 Accordingly, security researcher Marina Krotofil concluded that the operation “should not have long and serious consequences.”156
notpetya (2017). Sandworm’s fourth operation, NotPetya, used data-destroying, self-propagating malware to cause a massive disruption that measurably affected Ukraine’s GDP. The hackers took much less time to prepare this operation (see table 2), opting to reduce the scope of the effects in order to maximize scale. Although at first glance NotPetya appears to provide evidence that supports cyber revolution theory about the scale advantage of cyber operations, I argue that NotPetya’s scale resulted from a loss of control. Indeed, NotPetya’s collateral damage and follow-on costs highlight the operational perils of maximizing scale, providing further evidence of the subversive trilemma and H4.
There is no evidence suggesting that Russia orchestrated the NotPetya cyber operation in coordination with its military and diplomatic efforts. On the diplomatic front, Ukrainian President Petro Poroshenko banned several high-profile Russian websites in May 2017,157 while military clashes continued between Russia and Ukraine despite both sides agreeing to another ceasefire on June 24.158 There is no indication that NotPetya was linked to any of these events.
Sandworm started to develop NotPetya in December 2016, when it released
155. “Prychynoy obestochyvanyya chasty Kyeva mozhet byt’ ataka khakerov,” December 18, 2016; “V ‘Ukrenerho’ ne vyklyuchayut’ kiberataku na pidstantsiyu ‘Pivnichna’, cherez yaku chastynu Kyyevu bulo znestrumleno” [Ukrenergo does not rule out a cyberattack on the Pivnichna substation, because of which part of Kyiv was de-energized], UNN, December 18, 2016, https://www.unn.com.ua/uk/news/1628435-v-ukrenergo-ne-viklyuchayut-kiberataku-na-pidstantsiyu-pivnichna-cherez-yaku-chastinu-kiyevu-bulo-znestrumleno; and Informatsiyne ahentstvo Ukrayins’ki Natsional’ni Novyny (UNN) [Ukrainian National News (UNN) news agency], Vsi onlayn novyny dnya v Ukrayini za s’ohodni—naysvizhishi, ostanni, holovni [All online news of the day in Ukraine for today—the freshest, latest, main], https://www.unn.com.ua/uk/news/1628435-v-ukrenergo-ne-viklyuchayut-kiberataku-na-pidstantsiyu-pivnichna-cherez-yaku-chastinu-kiyevu-bulo-znestrumleno.
156. “Vidklyuchennya elektroenerhiyi v Ukrayini bulo khakers’koyu atakoyu—eksperty” [Power outage in Ukraine was a hacker attack—experts], Hromadske, January 11, 2017, https://hromadske.ua/posts/vidkliuchennia-elektroenerhii-v-ukraini-bulo-khakerskoiu-atakoiu.
157. Cassandra Allen, “Mapping Media Freedom: Ukrainian Journalists Subjected to Malicious Cyber-Attacks,” Index on Censorship blog, July 11, 2017, https://www.indexoncensorship.org/2017/07/journalists-ukraine-cyber-attacks/.
158. Patrice Hill, “Monitor Says Ukraine Cease-Fire, Weapons Withdrawal Not Being Honored,” RadioFreeEurope/RadioLiberty, February 22, 2017, https://www.rferl.org/a/monitor-osce-says-ukraine-cease-fire-heavy-weapons-withdrawal-not-honored/28324012.html.
the “Moonraker worm,” which could self-propagate across networks and disrupt systems through data encryption.159 It took Sandworm only six months to adapt the generic “Green Petya” malware upon which NotPetya was based.160 Between January and March 2017, Sandworm targeted two unnamed financial institutions to test a new supply-chain malware propagation mechanism with a new malware called Python/TeleBot.A.161 NotPetya used a similar supply-chain mechanism: the hackers compromised the software update server of a popular accounting software provider and hid malware within the automated updates sent to customers. The server update thus automatically spread the malware to the entire user population. According to Styran, NotPetya was “technically simple,” but the hackers showed a spark of “genius” by exploiting the victims’ trust in the automated server update.162
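What turns a compromised update server into a foothold on every customer is that the client trusts whatever the server hands it. The Go program below is an added example written for this edit; it is not code from the article, from M.E.Doc, or from any vendor report, and it does not model the actual M.E.Doc update format. It contrasts a trusting client with one that pins the vendor’s Ed25519 public key and verifies a signature over the update before installing it, so that an attacker who controls only the distribution server can swap the payload but cannot produce a valid signature. The Update structure, the version numbers and the payload bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the distribution server hands to clients. The format is
// constructed for this example: a monotonically increasing version, the
// payload, and a detached Ed25519 signature over digest(Version, Payload).
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

// digest binds version and payload together so a signature cannot be replayed
// on a different payload or relabelled with a different version.
func digest(version uint64, payload []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, version)
	h.Write(payload)
	return h.Sum(nil)
}

// Sign runs on the vendor's release pipeline, which holds the private key.
// The distribution server never sees that key; it only stores the output.
func Sign(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{Version: version, Payload: payload, Signature: ed25519.Sign(priv, digest(version, payload))}
}

// Tamper models an attacker with write access to the distribution server:
// they replace the payload but cannot re-sign it.
func Tamper(u Update, malicious []byte) Update {
	u.Payload = malicious
	return u
}

// InstallUnverified is the trusting client: it runs whatever the server returns.
func InstallUnverified(u Update) ([]byte, error) {
	return u.Payload, nil
}

// InstallVerified pins the vendor's public key, refuses any update whose
// signature does not verify, and refuses rollback to an older version (an
// attacker could otherwise re-serve a genuinely signed but vulnerable release).
func InstallVerified(pub ed25519.PublicKey, installed uint64, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	if u.Version <= installed {
		return nil, errors.New("update rejected: version is not newer than the installed one")
	}
	return u.Payload, nil
}

// Outcome summarises one run of the scenario so it can be checked programmatically.
type Outcome struct {
	TrustingClientRanTampered bool // the unverified client installed the swapped payload
	VerifyingClientRejected   bool // the verifying client refused the swapped payload
	VerifyingClientAccepted   bool // ... but accepted the genuine release
	RollbackRejected          bool // ... and refused a re-served older release
}

// Scenario generates a fresh vendor key pair, publishes a signed release, lets
// the attacker swap the payload on the server, and runs both clients against it.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("accounting-module build 2 (constructed payload)")
	malicious := []byte("accounting-module build 2 + implant (constructed payload)")

	release := Sign(priv, 2, genuine)                      // produced by the vendor pipeline
	served := Tamper(release, malicious)                   // what the compromised server now serves
	old := Sign(priv, 1, []byte("build 1 (constructed)"))  // an earlier, genuinely signed release

	got, _ := InstallUnverified(served)
	_, errTampered := InstallVerified(pub, 1, served)
	_, errGenuine := InstallVerified(pub, 1, release)
	_, errRollback := InstallVerified(pub, 2, old)

	return Outcome{
		TrustingClientRanTampered: bytes.Equal(got, malicious),
		VerifyingClientRejected:   errTampered != nil,
		VerifyingClientAccepted:   errGenuine == nil,
		RollbackRejected:          errRollback != nil,
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point of the design is where the secret lives: the signing key stays in the release pipeline, so compromising the server that customers download from, which is all the attackers needed against the trusting client, buys nothing against the verifying one. The rollback check matters for the same reason; without it the attacker can still re-serve an old, correctly signed build that carries a known bug.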
By May 2017, Sandworm had figured out how to compromise its key target, the Ukrainian software firm Intellect Services, which produces the popular M.E.Doc accounting software.163 Ukrainian hacker Sean Townsend noticed that at least one of the firm’s servers had not been updated since 2012,164 and Ukrainian authorities confirmed that the last update occurred in February 2013.165 Before deploying NotPetya, Sandworm propagated another newly developed piece of malware called “XData” through this server. XData infected 134 victims and caused some minor disruptions, but it did not significantly affect Ukraine.166 Ukrainian cybersecurity expert Victor Zhora speculates that XData was a “proof of concept” aimed to “map the network” of victimized firms.167 Sandworm finally deployed NotPetya, propagated it to M.E.Doc clients via a compromised software update on June 22, and activated it across all
159. Anton Cherepanov, GreyEnergy: A Successor to BlackEnergy, GreyEnergy White Paper (Bratislava, Slovakia: ESET, October 2018), https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf.
160. Ibid.
161. Anton Cherepanov, “TeleBots Are Back: Supply-Chain Attacks against Ukraine,” WeLiveSecurity blog, ESET, June 30, 2017, https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/.
162. Author correspondence with Volodymyr Styran via online messaging service, May 14, 2019.
163. Jack Stubbs and Pavel Polityuk, “Family Firm in Ukraine Says It Was Not Responsible for Cyber Attack,” Reuters, July 3, 2017, https://www.reuters.com/article/us-cyber-attack-ukraine-software-idUSKBN19O2DK.
164. Author interview with Sean Townsend, Kyiv, April 15, 2018.
165. Catalin Cimpanu, “M.E.Doc Software Was Backdoored 3 Times, Servers Left without Updates since 2013,” BleepingComputer, July 6, 2017, https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/.
166. MalwareHunterTeam (@malwrhunterteam), “Here is an IDR based heatmap for past 24 hours of XData ransomware. 91% of victims from Ukraine, ~3% from RU. @BleepinComputer @demonslay335,” Twitter, May 19, 2017, 1:56 p.m., https://twitter.com/malwrhunterteam/status/865627306794008578.
167. Author interview with Zhora, 2018.
infected machines on June 27. NotPetya self-propagated across networks from all affected machines before executing a disk encryption routine that irreversibly destroyed all data on targeted computers. The ransom demand that NotPetya displayed on hacked computers turned out to be a deception, because neither the bitcoin address it listed for payments nor the decryption key existed.168
NotPetya’s economic disruption ranks in the middle of Johnson’s escalation ladder (rung nineteen of thirty-eight).169 It achieved massive scale, however, disabling an estimated 500,000 computers in Ukraine alone.170 Its automated propagation ultimately affected organizations across sixty-five countries,171 including targets in Russia such as the state-owned oil company Rosneft.172
NotPetya’s speed and apparent success in producing intense effects suggest that Sandworm successfully bypassed the subversive trilemma. But I show that this cyber operation confirms H4, because the increase in speed and intensity of effects correlates with a decrease in control. The hackers could neither predict nor control NotPetya once they had set it in motion. Days before NotPetya’s automated propagation and encryption was activated on infected computers, M.E.Doc had sent another clean update to its customers, which Anton Cherepanov suggests was “an unexpected event for the attackers.”173 It is exceedingly unlikely that Sandworm could map the near-instantaneous spread of NotPetya across hundreds of thousands of systems just a few weeks later.174 Forensic evidence indicates that Sandworm had “underestimated the malware’s spreading capabilities,” which then “went out of control.”175 The result was significant collateral damage.
NotPetya’s economic disruption decreased Ukraine’s gross domestic product (GDP) by approximately 0.5 percent in 2017, which shifted the balance of
168. David Maynor et al., “The MeDoc Connection,” Talos blog, Cisco, July 5, 2017, http://blog.talosintelligence.com/2017/07/the-medoc-connection.html; and Anton Ivanov and Orkhan Mamedov, “ExPetr/Petya/NotPetya Is a Wiper, Not Ransomware,” Securelist blog, AO Kaspersky Lab, June 28, 2017, https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/.
169. Johnson, “On Drawing a Bright Line for Covert Operations,” p. 286.
170. This estimate by an anonymous expert at a leading cybersecurity vendor in Ukraine is based on the number of compromises he observed personally while involved in mitigation efforts at multiple large enterprises in Ukraine. Author interview with anonymous cybersecurity expert, Kyiv, April 19, 2018.
171. Author interview with anonymous government advisor.
172. “Maersk, Rosneft Hit by Cyberattack,” Offshore Energy, June 28, 2017, https://www.offshore-energy.biz/report-maersk-rosneft-hit-by-cyberattack/.
173. Anton Cherepanov, “Analysis of TeleBots’ Cunning Backdoor,” WeLiveSecurity blog, ESET, July 4, 2017, https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/.
174. Greenberg, “How an Entire Nation Became Russia’s Test Lab for Cyberwar.”
175. Cherepanov, “TeleBots Are Back.”
power in Russia’s favor and provided it with independent strategic utility.176 Unlike Sandworm’s previous cyber operations, NotPetya was prominently reported in Ukrainian media.177 Leaders from Ukraine, the United States, the United Kingdom, and Australia condemned Russia for the destructive cyber operation, underlining its significance.178 Yet I argue that NotPetya’s loss of control indicates that the scale of its impact was accidental and produced unintended consequences. The United States imposed sanctions against Russia, particularly the GRU leadership. The U.S. Department of Justice subsequently indicted six GRU officers for deploying destructive malware.179 These significant unforeseen costs reduce NotPetya’s overall strategic utility and confirm the expected constraining influence of the subversive trilemma. More importantly, despite its scale, NotPetya did not measurably contribute to Russia’s goals: Ukraine maintained its pro-EU course.
badrabbit (2017). When developing NotPetya’s successor, BadRabbit, Sandworm used the same technique of disabling targets through encryption, but added efforts to control its spread and effects. Consequently, it achieved no measurable strategic utility. As predicted by H3, the increase in control decreased intensity and speed. Moreover, I argue that BadRabbit offered little, if any, strategic utility to Russia because the cyber operation only spread to a small number of targets. Its strategic irrelevance provides further support for my hypothesis that the subversive trilemma is a limiting factor.
176. Igor Burdiga, “‘Chornyy vivtorok’ ukrayins’koho IT: yakykh zbytkiv zavdala kiberataka, ta khto yiyi vchynyv” [“Black Tuesday” of Ukrainian IT: What damage was caused by the cyberattack, and who committed it], Hromadske, July 8, 2017, https://hromadske.ua/posts/naslidki-kiberataki.
177. “SBU predupredyla khakerskuyu ataku Rossyyskykh Spetssluzhb na énerhoob’ekty Ukrayny—112 Ukrayna” [SBU prevented hacker attack of Russian special services on power facilities of Ukraine—112 Ukraine], 112.ua, December 28, 2015, https://web.archive.org/web/20160303172015/https://112.ua/kriminal/sbu-predupredila-hakerskuyu-ataku-rossiyskih-specsluzhb-na-energoobekty-ukrainy-281811.html; “Ochil’nyk SBU rozpoviv pro motyv khakeriv, yaki atakuvaly Ukrayinu virusom Petya” [The head of the SBU spoke about the motive of the hackers who attacked Ukraine with the Petya virus], TSN, July 4, 2017, https://tsn.ua/ukrayina/ochilnik-sbu-rozpoviv-pro-motiv-hakeriv-yaki-atakuvali-ukrayinu-virusom-petya-955817.html; and “Pidsumky 2017 roku: Nayhuchnishi vbyvstva v Ukrayini” [Results of 2017: The loudest murders in Ukraine], 24tv.ua, December 5, 2017, https://24tv.ua/news/showNews.do?pidsumki_2017_roku_v_ukrayini_vbivstva_2017&objectId=895499.
178. Mark Landler and Scott Shane, “U.S. Condemns Russia for Cyberattack, Showing Split in Stance on Putin,” New York Times, February 15, 2018, https://www.nytimes.com/2018/02/15/us/politics/russia-cyberattack.html; and “Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks,” U.S. Department of the Treasury, March 15, 2018, https://home.treasury.gov/news/press-releases/sm0312.
179. U.S. Department of Justice (DOJ) Office of Public Affairs, Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (Washington, D.C.: DOJ, October 19, 2020), https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.
BadRabbit does not appear to be linked to Russia’s diplomatic or military initiatives, providing further evidence of the expected independent strategic role of cyber operations. Prior to BadRabbit, the EU-Ukraine Association Agreement entered into full force on September 1, 2017, marking Russia’s failure to reverse Ukraine’s foreign policy course. Forensic evidence indicates that Sandworm started to develop BadRabbit around September 2016.180 As the subversive trilemma would predict, increasing control affected BadRabbit’s operational speed. The hackers took twelve months to develop BadRabbit compared with only six months for NotPetya. BadRabbit and NotPetya used largely the same code, and both cyber operations encrypted data on affected systems before displaying a ransom demand.181 But Sandworm attempted to “improve upon previous mistakes” by making encryption reversible in BadRabbit and by using a manual rather than an automatic spreading mechanism.182 Victims who visited compromised websites (so-called watering holes) manually clicked on “OK/install” when the site offered them fake Adobe Flash Player updates that contained the malware.183
BadRabbit pursued the same effect type (i.e., economic disruption, or rung nineteen on Johnson’s escalation ladder) as NotPetya, but at a fraction of the scale and with significantly less intensity. Like NotPetya, BadRabbit appears to have mostly targeted businesses’ computer systems, especially banks and media firms but also transport providers. When BadRabbit encrypted compromised systems on October 24, 2017, however, it only affected approximately 200 targets in Russia, Ukraine, Turkey, and Germany.184 Curiously, most victims (65 percent) were in Russia,185 whereas 75 percent of NotPetya’s targets were in Ukraine.186 Yet Sandworm only targeted Ukraine’s critical infrastructure.
180. Yonathan Klijnsma, “Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection,” RiskIQ, October 25, 2017, https://www.riskiq.com/blog/labs/badrabbit/.
181. John Leyden, “Hop On, Average Rabbit: Latest Extortionware Menace Flopped,” Register, October 26, 2017, https://www.theregister.co.uk/2017/10/26/bad_rabbit_post_mortem/; and Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov, “Bad Rabbit Ransomware,” Securelist blog, AO Kaspersky Lab, October 24, 2017 (updated October 27, 2017), https://securelist.com/bad-rabbit-ransomware/82851/.
182. Hasherezade, “BadRabbit: A Closer Look at the New Version of Petya/NotPetya,” Malwarebytes Labs, October 24, 2017 (updated July 16, 2021), https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/.
183. Maynor et al., “The MeDoc Connection”; and Eduard Kovacs, “Bad Rabbit Linked to NotPetya, but Not as Widespread,” SecurityWeek, October 25, 2017, https://www.securityweek.com/bad-rabbit-linked-notpetya-not-widespread.
184. Mamedov, Sinitsyn, and Ivanov, “Bad Rabbit Ransomware.”
185. Marc-Etienne M.Léveillé, “Bad Rabbit: Not-Petya Is Back with Improved Ransomware,” WeLiveSecurity blog, ESET, October 24, 2017, https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/.
186. Burdiga, “Chornyy vivtorok ukrayins’koho IT.”
More importantly, forensic evidence shows that critical infrastructure targets were not infected through the malicious Flash Player update, indicating that Sandworm “already had a foot inside their [Ukrainian targets] network and launched the watering hole attack at the same time as a decoy.”187
Consistent with the subversive trilemma, BadRabbit’s improved control over the spread of the malware and its effects came at the cost of low speed and low intensity. There are no indications of premature discovery, nor of prior operational missteps that could have compromised the effects. BadRabbit neither auto-propagated nor produced any significant collateral damage.188 The available evidence suggests that BadRabbit caused temporary, reversible, and inconsequential disruptions.189 It received minimal media coverage both within Ukraine and abroad, while Ukraine’s newly established “cyberpolice” attributed the operation to “criminals” rather than political operatives.190 Consequently, BadRabbit neither contributed toward Russia’s strategic goals nor shifted the balance of power. Tellingly, since BadRabbit, Sandworm has abandoned any attempts at active-effects cyber operations against Ukraine, returning to a focus on pure espionage.191
Alternate Explanations for the Lack of Strategic Utility
Because the decision-making processes of the Kremlin and the Russian intelligence agencies that almost certainly sponsored the cyber operations discussed here remain inaccessible, alternate interpretations concerning the intentions behind their use abound. This section addresses two alternative interpretations: signaling and experimentation.
The first alternative interpretation holds that Russia deployed cyber operations primarily as signaling tools. Signaling is the core mechanism in coercive diplomacy, in which actors demonstrate and deploy capabilities to signal resolve and induce adversary actions.192
187. M.Léveillé, “Bad Rabbit.”
188. Eduard Kovacs, “Files Encrypted by Bad Rabbit Recoverable without Paying Ransom,” SecurityWeek, October 27, 2017, https://www.securityweek.com/files-encrypted-bad-rabbit-recoverable-without-paying-ransom.
189. Leyden, “Hop On, Average Rabbit”; and “Kiev Metro Hit with a New Variant of the Infamous Diskcoder Ransomware,” WeLiveSecurity blog, ESET, October 24, 2017, https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/.
190. Cyberpolice of Ukraine, “Kiberpolitsiya rozpovila podrobytsi diyi virusu-shyfruval’nyka ‘BadRabbit’ (FOTO)—Departament Kiberpolitsiyi” [Cyberpolice gives details of the BadRabbit encryption virus (PHOTOS)—Cyberpolice Department], October 25, 2017, https://cyberpolice.gov.ua/news/kiberpolicziya-rozpovila-podrobyczi-diyi-virusu-shyfruvalnyka-badrabbit-foto-2732/.
191. Sandworm’s last recorded activity in Ukraine was in October 2018. Anton Cherepanov and Robert Lipovsky, “New TeleBots Backdoor: First Evidence Linking Industroyer to NotPetya,” WeLiveSecurity blog, ESET, October 11, 2018, https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/.
Effective signals have a clear recipient
and content, neither of which is the case regarding the five cyber operations that I examine in this article. For example, one interpretation of the two power grid sabotage cyber operations holds that “Russia is using cyber intrusions to signal the risk of escalation in a crisis” to its rivals (i.e., the United States and NATO).193 Joseph S. Nye Jr., in contrast, speculates that Russia is signaling to Ukraine, “reminding Ukraine of its vulnerability in a hybrid war with a different level of plausible deniability.”194 Similarly, one interpretation of NotPetya suggests it was “designed to send a political message: if you do business in Ukraine, bad things are going to happen to you.”195 A second interpretation sees Russia “demonstrating its ability to disrupt faith in public institutions.”196 These interpretations are plausible, and so are many others, yet there is little tangible evidence to support them.197 Ultimately, the existence of multiple interpretations indicates that the signal is unclear. More importantly, even if signaling was the intent, it does not challenge my findings on the limiting role of the subversive trilemma.
The second alternate explanation suggests that Russia deployed cyber operations primarily to test and develop its capabilities. A Dragos report about the power grid sabotage operation in 2016 noted that it was “more of a proof of concept than what was fully capable.”198 Ben Buchanan picks up this point, suggesting that Sandworm perhaps wanted to “see how the code worked in practice so they could refine it for future use,” and he quotes Dragos’s CEO Robert M. Lee warning of the potential threat to critical infrastructure around the world.199 There are three key issues with this interpretation. First, it is highly unlikely that an actor will spend years developing a capability and deploy it without pursuing any strategic gains. Moreover, doing so risks losing the capability by allowing potential future victims to remove the vulnerabilities it exploits.
192. Schelling, Arms and Influence.
193. Benjamin Jensen and J.D. Work, “Cyber Civil-Military Relations: Balancing Interests on the Digital Frontier,” War on the Rocks blog, September 4, 2018, https://warontherocks.com/2018/09/cyber-civil-military-relations-balancing-interests-on-the-digital-frontier/.
194. Joseph S. Nye Jr., “Deterrence and Dissuasion in Cyberspace,” International Security, Vol. 41, No. 3 (Winter 2016/17), p. 49, doi.org/10.1162/ISEC_a_00266.
195. Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
196. Brandon Valeriano, Ryan C. Maness, and Benjamin Jensen, “Cyberwarfare Has Taken a New Turn. Yes, It’s Time to Worry,” Monkey Cage blog, Washington Post, July 13, 2017, https://www.washingtonpost.com/news/monkey-cage/wp/2017/07/13/cyber-warfare-has-taken-a-new-turn-yes-its-time-to-worry/.
197. See section 5 of the online appendix, doi.org/10.7910/DVN/IZ65MC.
198. Dragos, Crashoverride, p. 11.
199. Buchanan, The Hacker and the State, pp. 204–205.
In the words of Lee, “it would be extraordinarily weird to stage an entire attack as just a proof of concept.”200 Second, there is no empirical evidence supporting this interpretation. Sandworm has not used this toolset again, nor has it pursued other critical infrastructure sabotage using similar methods. Significantly, forensic analysis by Symantec showed that the 2017 intrusions into the U.S. energy grid attributed to Russia were the work of a different actor and shared no tools or techniques.201 Third, the “proof of concept” interpretation ultimately suggests that cyber operations are instruments of future higher-stakes conflict. Yet as the analysis shows, despite multiple years of experimentation and testing, Sandworm did not overcome the subversive trilemma.
Conclusion
This article has argued that cyber operations are an instrument of subversion whose operational effectiveness is constrained by a subversive trilemma. The demands of the mechanism of secret exploitation that cyber operations rely upon result in actors facing trade-offs between improving either the speed, intensity, or control of operations. Increasing the effectiveness of one variable tends to decrease the others. In most circumstances, cyber operations thus tend to be too slow, too low in intensity, or too unreliable to contribute to political goals or shift the balance of power. Consequently, cyber operations tend to fall short of their strategic promise and deliver limited utility. The case study of the Russo-Ukrainian conflict provides strong support for this theory. All five cyber operations that I examine in this article showed clear evidence of the constraining role of the trilemma.
This theory has several implications for the study of cyber conflict. Most importantly, the subversive trilemma significantly hinders the ability of cyber operations to successfully produce independent strategic utility. Success requires alleviating the trilemma without raising costs above those of potential diplomatic or military alternatives. Specifically, effects must be sufficiently intense to contribute to a given goal, while the operation must produce these effects within a timeframe that is short enough to avoid discovery but long enough to increase the likelihood of both achieving the intended effects and avoiding unintended consequences.
200. Author communication with Robert Lee via online messaging service, February 25, 2021.
201. Threat Hunter Team, “Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group,” Broadcom blog, Symantec Enterprise Blogs: Threat Intelligence, October 20, 2017, https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks; and Andy Greenberg, “Your Guide to Russia’s Infrastructure Hacking Teams,” Wired, July 12, 2017, https://www.wired.com/story/russian-hacking-teams-infrastructure/.
Furthermore, it requires conditions for success that are rarely present: the availability of systems that control social, economic, or physical processes of strategic significance, yet also contain vulnerabilities that operators can exploit without premature detection. Finally, long development time involving highly skilled operators is expensive; the more intense, physical effects an operation pursues, the less favorable the cost-benefit ratio is likely to be.202 Moreover, even under ideal conditions, the potential effect on the balance of power is still likely marginal.
Cyber operations are most likely to deliver on their strategic promise in two scenarios. The first scenario is long-term, low-stakes competition between adversaries with a significant power differential. Although most of the conditions above are present in Ukraine, the deployment of multiple cyber operations did not measurably contribute to Russia’s strategic goals. Hence, it likely requires decades to develop a successful cyber operation, which makes it difficult to isolate the operation’s influence in order to measure its effects. Importantly, the most significant power shift that traditional subversion can achieve is regime change. Cyber operations alone are likely incapable of such effects. Accordingly, cyber operations are most likely to deliver utility if they are integrated with traditional subversion.203
The second scenario is high-stakes competition among nuclear-armed peer competitors that expect eventual military confrontation. The tensions between the United States and China are a key example. Potential nuclear escalation renders the risks and costs of using conventional force unacceptably high. Although the subversive trilemma suggests an unfavorable cost-benefit ratio for cyber operations that pursue highly intense effects at the operational level, strategic benefits may still outweigh these costs. The party in a “domain of losses” is especially likely to be more risk-accepting, and thus more likely to accept the limits of control.204 If states use cyber operations to target military assets for sabotage, cross-domain effects indicate potential inadvertent escalation risks.205 Because cyber operations can likely achieve only marginal changes to the balance of power over longer-term competition, they are only likely to make a difference when both actors are closely matched and neither side exhibits exponential growth rates.
202. Slayton, “What Is the Cyber Offense-Defense Balance?”
203. The Grugq, “A Short Course in Cyber Warfare,” keynote at Black Hat Asia 2018 conference,
Marina Bay Sands, Singapore, YouTube, April 10, 2018, https://www.youtube.com/watch?v=gvS4efEakpY.
204. Amos Tversky and Daniel Kahneman, “The Framing of Decisions and the Psychology of
Choice,” Science, January 30, 1981, p. 453.
205. Erik Gartzke and Jon R. Lindsay, “Thermonuclear Cyberwar,” Journal of Cybersecurity, Vol. 3,
No. 1 (March 2017), pp. 37–48, doi.org/10.1093/cybsec/tyw017.
Downloaded from http://direct.mit.edu/isec/article-pdf/46/2/51/2079942/isec_a_00418.pdf by guest on 08 September 2023
International Security 46:2 88
In lower stakes, nonnuclear dyads, capable states can be expected to regu-
larly employ cyber operations even though they have a high failure rate, as
has been the case historically with traditional subversion.206 For the same rea-
son, however, their impact on security competition should not be overesti-
mated because their strategic utility remains limited, barring “unicorn”
scenarios in which all favorable conditions align and the subverting actor is
extremely lucky.
Three major policy implications follow from this argument. First, it confirms
the current shift away from a strategy of cyber deterrence rooted in theories of
warfare, whose aim is to avoid costly engagements.207 Second, alternative
emerging strategies of “persistent engagement” and “defend forward” that
guide U.S. posture should consider the subversive trilemma as a limiting fac-
tor to avoid unintended consequences.208 These new strategies build on as-
sumptions of cyber revolution theory, and they aim to maximize the utility of
cyber operations as instruments of low-intensity strategic competition while
minimizing risks by participating in “agreed competition” that adheres to a set
of tacit rules of engagement.209 The findings of this study, however, suggest
that the subversive trilemma is the more likely explanation for the observed
low intensity of competition. By pursuing more aggressive engagement, the
United States may shift adversary cost-benefit calculi toward more risk-taking,
such as increasing effects intensity at the cost of control, which inadvertently
intensifies cyber competition.210 Finally, persistence is a key requirement for
actors to succeed in exploiting targets. Yet, long-term planning, reconnais-
sance, and stealth as well as space for creative development are just as if not
more important to maximize effectiveness and utility of cyber operations.
Privileging persistence, as the current strategy does, risks neglecting these re-
quirements for success. Conversely, defenders in cyber conflict can benefit
from exploiting the trilemma and exacerbating its constraining role on adver-
206. O’Rourke, Covert Regime Change, p. 8.
207. Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command (Fort
George G. Meade, Md.: U.S. Cyber Command, 2018), https://www.cybercom.mil/Portals/56/
Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010.
208. Michael P. Fischerkeller and Richard J. Harknett, “Persistent Engagement, Agreed Competi-
tion, and Cyberspace Interaction Dynamics and Escalation,” Cyber Defense Review (2019), pp. 267–
287, https://www.jstor.org/stable/26846132; and Paul M. Nakasone, “A Cyber Force for Persistent
Operations,” Joint Force Quarterly, Vol. 92, No. 1 (2019), pp. 10–14, https://ndupress.ndu.edu/
Portals/68/Documents/jfq/jfq-92/jfq-92_10-14_Nakasone.pdf.
209. Michael P. Fischerkeller and Richard J. Harknett, “Through Persistent Engagement, the U.S.
Can Influence ‘Agreed Competition,’” Lawfare blog, April 15, 2019, https://www.lawfareblog
.com/through-persistent-engagement-us-can-influence-agreed-competition.
210. Lennart Maschmeyer, “Persistent Engagement Neglects Secrecy at Its Peril,” Lawfare blog,
March 4, 2020, https://www.lawfareblog.com/persistent-engagement-neglects-secrecy-its-peril.
sary operations. Defensive strategies should prioritize the capacity to detect
and neutralize intrusions. If immediate neutralization is impossible, defensive
measures should aim to slow adversary speed, limit their control, and maxi-
mize the barriers that adversaries must overcome to achieve or intensify ef-
fects. The same principles should guide systems design, as well as security
rules and practices. Existing counterintelligence strategies provide a useful ba-
sis to develop such strategies.
Moreover, while this study has focused on the utility of cyber operations as
independent strategic instruments, its findings also apply to their use as com-
plements to other instruments of power. Just like traditional subversive opera-
tions have been deployed to contribute to military goals, such as undermining
command structures, so can cyber operations.211 Regardless of strategic context,
any cyber operation that produces effects through hacking relies on the subver-
sive mechanism and is thus bound by its trilemma.212 Consequently, the tri-
lemma can be expected to apply across multiple strategic contexts.
To verify this theory, further research tracking evidence of the subversive
trilemma in varying strategic contexts and by different actors is required. Find-
ings from this study supported H2, H3, and H4, but the cases examined did
not produce the configuration of the trilemma predicted by H1. Quantitative
research verifying the predicted correlations across a larger universe of cases
will be especially useful. Second, historical comparative research is needed to
verify the proposition that the quality of subversion has not changed despite
the technological advances of the information revolution. In this regard, the in-
tegration of cyber operations with traditional subversion is a key topic of inter-
est. While this study has focused on hacking, assessing the impact of new
technology on effectiveness and utility requires more empirical examinations
of another key instrument of subversion: influence operations that use disin-
formation and propaganda.
Finally, looking ahead, changes in design features of ICTs may alter the sub-
versive trilemma. The most likely change is simplification and standardization
in cyber-physical systems213 and the rise of the Internet of Things (IoT),214
211. Miklós Kun, Prague Spring, Prague Fall: Blank Spots of 1968, trans. Hajnal Csatorday (Budapest:
Akadémiai Kiadó, 1999), p. 151.
212. There are some exceptions, such as distributed denial of service attacks or ransomware, yet
these are of low relevance in interstate competition.
213. Borja Bordel et al., “Cyber-Physical Systems: Extending Pervasive Sensing from Control The-
ory to the Internet of Things,” Pervasive and Mobile Computing, Vol. 40 (September 2017), pp. 156–
184, doi.org/10.1016/j.pmcj.2017.06.011.
214. IoT refers to physical devices that have sensors that are linked to the Internet. Philip N.
Howard, Pax Technica: How the Internet of Things May Set Us Free or Lock Us Up (New Haven, Conn.:
Yale University Press, 2015).
which could make it easier for cyber operations to produce physical effects at
scale. This change could increase cyber operations’ intensity and potential to
affect the balance of power, but the perils of losing control over an operation
would still exist. Similarly, advances in artificial intelligence may improve
control over scale-maximizing operations by facilitating computer network
mapping and command-and-control functions.215 Defenders in cyber conflict
(i.e., administrators of computer systems being targeted by cyber operations),
however, would likely benefit as well because artificial intelligence promises
superior means of detecting exploitation.216 Consequently, the trilemma will
likely remain relevant.
215. See, for example, Zhong Liu et al., “Cyber-Physical-Social Systems for Command and Con-
trol,” IEEE Intelligent Systems, Vol. 26, No. 4 (July/August 2011), pp. 92–96, doi.org/10.1109/
MIS.2011.69.
216. Fan Liang et al., “Machine Learning for Security and the Internet of Things: The Good, the
Bad, and the Ugly,” IEEE Access, Vol. 7 (2019), pp. 158126–158147, doi.org/10.1109/ACCESS
.2019.2948912.