Russian cyber forces have “underperformed” in their attempts to cripple Ukrainian networks, which has forced them to fall back on destroying the country’s critical infrastructure through kinetic means, which makes data centers both a digital and physical target, a top Defense Department (DoD) cyber official said last week.
“When you think about the cybersecurity of data centers, for example, it’s not just about patching and closing those things – it is about the physical security of those data centers,” said Mieke Eoyang, DoD’s Deputy Assistant Secretary of Defense for Cyber Policy. “It is about whether or not those data centers are within the range of Russian missiles.”
Eoyang said at the Nov. 16 Aspen Cyber Summit in New York City that Russians did not have the “strategic impact they wanted” when it came to cyber warfare, so “they sought to destroy those things physically.”
Since the beginning of Russia’s invasion in Ukraine nine months ago, attacks on networks and critical infrastructure have ballooned – particularly with intense missile and artillery barrages against the country’s energy and electricity grids.
Eoyang said DoD’s prior assumptions about Russian attack capabilities have proven to be inaccurate.
“We were expecting much more significant impacts than what we saw, and I think it’s safe to say that Russian cyber forces – as well as their traditional military forces – underperformed expectations,” she said.
Eoyang attributed Russia’s failure to a degree of unpreparedness, noting that Russians did not believe the conflict would drag out this long.
Russia waging war against Ukraine is a “really important conflict” for Eoyang’s department to understand and learn from, she said, because it is the first time they’re “seeing a really cyber- capable adversary bring those capabilities to bear in the context of an armed conflict.”
DoD has observed over the last nine months that Russia’s ability to generate kinetic power has “dwarfed” its cyber-generated impact during the war.
“It has had an impact on a lot of people when you think about cybersecurity as a risk managed exercise. And one of the risks you are trying to manage in the context of that is armed conflict,” Eoyang said.
“Ukrainian colleagues I had the privilege of meeting with had a very different physical and visceral reaction to data centers that were above ground than I think they would have had prior to the conflict,” she continued, “You have to think very differently about what you are dealing with.”