Three weeks into Russia’s brutal war in Ukraine, things are clearly not going as planned for the Kremlin. Except for Kherson and Melitopol, the Russian military has not captured any major Ukrainian cities. Russia’s advance into Kyiv has been slowed by logistical failures and resupply problems, and high numbers of casualties appear to be taking a toll on Russian troop morale. Russia’s air force, for its part, has failed to establish air supremacy over Ukraine, a shocking misstep that leaves Russian ground troops exposed to aerial attacks and complicates Russia’s ability to conduct aerial reconnaissance and bomb Ukrainian forces. Moscow is also clearly losing the global information war, as images of heroic Ukrainian resistance fighters and desperate Ukrainian refugees arouse pro-Ukraine sympathy around the world.
Few expected the invasion to unfold in this way—least of all its architects in Moscow. Last week, the Ukrainian military recovered what appear to be planning documents from a tactical division of Russia’s Black Sea Fleet that suggest Moscow aimed to achieve its military objectives within 12 days—or by March 6. If these plans are authentic, and the available evidence suggests they are, then it is fair to say that Russia’s initial invasion has faltered.
Several factors likely account for Moscow’s failures. Russian leaders probably overestimated the capability of their military, which has been hampered by rampant corruption and mismanagement, and underestimated the skill and dedication of the Ukrainian military as well as the willingness of Ukrainian civilians to fight to defend their country. They likely assumed Ukrainian President Volodymyr Zelensky, whose popularity was flagging prior to the invasion, would struggle to rally support in wartime and that many Ukrainians would welcome Russian troops as liberators. All these assumptions have proved false, compounding the Russian military’s tactical mistakes and invigorating the Ukrainian resistance.
But the main reason Russia’s war in Ukraine is going so badly is that, according to sources I have spoken with close to Russia’s Ministry of Defense, Russian President Vladimir Putin appears to have concealed his military plans from even his closest advisers until the last possible moment. Already an unusually paranoid leader, Putin was so obsessed with keeping his intentions secret that he kept many military officials and members of his national security council in the dark about the timing and scope of the invasion. (A report by a well-connected Russian journalist paints a similar picture of Putin’s secrecy in the lead-up to the invasion.) Ill-defined military campaigns are difficult to plan, and now Russia’s national security establishment is playing catch-up.
Unfortunately, the same qualities that led Putin to hide his battle plans from senior leaders in his cabinet make him likely to escalate a conflict that is not going his way. The United States and its allies are in uncharted territory as they attempt to force Putin to back down. Further economic sanctions and even retaliatory cyber-strikes may be necessary if Russia launches cyberattacks against U.S. critical infrastructure, but Washington must not forget that a paranoid and increasingly isolated man rules Russia—one who has already made a series of costly miscalculations.
In the weeks leading up to the invasion, photographs of Putin’s socially distanced meetings with Western leaders and diplomats and his own top officials—featuring the Russian leader sitting alone at the far end of comically long tables to avoid any risk of contracting COVID-19—became objects of fascination and ridicule in the Western media. Yet for all their apparent absurdity, the images were apt visual representations of Putin’s political position within the Kremlin: fearful about the possibility of betrayal, skeptical of his interlocutors, and isolated from even his most trusted allies and advisers.
Putin has always been cagey and mistrustful. A creature of the KGB—and, more specifically, the KGB’s conspiratorial counterintelligence division—he has long seen secret enemies and backstabbing traitors behind every corner. Yet Washington’s attempts in January and February to deter Putin from invading Ukraine likely heightened his congenital paranoia. As Russian troops massed on Ukraine’s border, U.S. intelligence agencies carried out an incredibly successful influence campaign, leaking details of Russia’s military plans and publicly exposing the misinformation the Kremlin planned to use to manufacture a pretext for its invasion. This almost certainly deepened Putin’s suspicion that some in his inner circle were working to undermine him and likely influenced his decision to withhold critical information about his plans for Ukraine from the military and national security officials who needed it most.
Putin’s extreme secrecy helps account for some of the most puzzling aspects of the war. For one, it explains why Russian authorities were unprepared for the tidal wave of economic sanctions that followed the invasion. On the day the first Russian troops crossed the border into Ukraine, Russia’s central bank still had more than half of its assets in overseas accounts where they could be easily frozen—a major strategic oversight that baffled foreign observers and left the Russian economy much more vulnerable to Western sanctions. Had Russia’s economic authorities known that the Kremlin was about to launch a full-scale invasion, surely they would have done more to shield Russian assets from economic retaliation.
Putin’s secretive approach to war planning also explains why Russian cyber-operations have been much less extensive and sophisticated than many experts expected. With the exception of an attack that disrupted satellite communications access in Ukraine on the first day of the war, there appear to have been no major cyberattacks—no destructive attacks on Ukraine’s power grid or military infrastructure or major malware attacks. Taken together, these facts suggest that either most of Russia’s sophisticated and well-funded cyber-corps wasn’t read in on the details of the invasion or Putin was so sure he would prevail quickly through conventional military means that he didn’t bother to include extensive cyber-operations as part of his campaign. It is also possible that the Kremlin sought to preserve the vast majority of Ukraine’s cyber-infrastructure in anticipation of gaining control of the country, or that with the invasion underway, it anticipated being able to achieve its objectives using traditional military means. After all, it is easier to take down a computer network by blowing up the building that houses the servers than by carrying out a sophisticated cyberattack.
NOTHING TO LOSE
Putin’s isolation and paranoia don’t just explain why Russia has underperformed on the battlefield; they also suggest that the Russian leader could opt to escalate the conflict rather than end it through a negotiated compromise—even as momentum builds for a settlement. The nearly 70-year-old Russian leader saw the war as an opportunity to reestablish Russian dominance on the global stage. Now that it has done the opposite, he is likely more desperate than ever for a decisive victory. As the United States and its allies attempt to punish and deter Russia, therefore, they must be careful to avoid fueling a pattern of tit-for-tat escalation that in a worst-case scenario could lead to a hot war between the world’s largest nuclear powers.
In response to Russia’s aggression, the United States and its allies have implemented one of the harshest sanctions packages ever put in place against a European country. Although these sanctions are justified by the egregious nature of Moscow’s actions, they are not without risks. One major risk is that Russia, facing a military stalemate, could retaliate against the West with economic actions of its own. For instance, Russia could more aggressively restrict key exports to Western countries—including grain, titanium, palladium, aluminum, nickel, timber, and oil and gas—as it has already done with fertilizer. Since Russia is a vital supplier of many of these resources—it is the largest global exporter of agricultural fertilizer—such restrictions could send shock waves throughout the global economy, destabilizing Western economies and increasing popular support for a more aggressive approach to ending the conflict.
There is also a risk that if Russia feels backed into a corner, it could carry out cyberattacks against targets in the United States and Europe. Just because Moscow has made little use of its cyber-capabilities thus far does not mean it will continue to do so. Faced with near total diplomatic isolation and the possibility of economic collapse, Russia could attempt to use its cyber-arsenal to force Western countries to relax their sanctions. These cyberattacks could take many forms. For instance, Moscow could conduct disruptive attacks against U.S. banks and financial institutions, interrupting financial transactions and sowing uncertainty among U.S. investors. Or it could attack European providers of critical infrastructure, such as electric utilities companies, causing power or energy disruptions in an attempt to divide NATO allies.
If the conflict were to reach this point, Western countries would be entering uncharted waters. U.S. President Joe Biden has said his administration will not launch cyber-operations against Russia unless Moscow targets U.S. companies or critical infrastructure. But in late February, NATO Secretary-General Jens Stoltenberg indicated that a major cyberattack against a NATO country could trigger Article 5 of the alliance’s founding treaty, which obligates all members to consider an attack against one as an attack against all of them. Although there is some question as to what invoking Article 5 would entail in the cyber-realm—it could simply require NATO countries to deploy defensive cybersecurity teams to restore and clean up infected networks—there is a risk that cyber-retaliation could lead to escalation in the physical realm.
Even without a formal invocation of NATO’s Article 5, the United States and its allies may have little choice but to respond to Russian cyberattacks with cyberattacks of their own, especially if by that point they have already exhausted the full menu of viable economic sanctions. It is impossible to know for certain how such a pattern of retaliatory cyber-strikes would unfold, given the largely unprecedented nature of this sort of escalation, but it could very well spill over into the conventional military arena—substantially increasing the risk of a major armed conflict.
These risks underscore the need for extreme caution when considering how to respond to Russian cyberattacks. Before jumping headlong into a potentially dangerous spiral of cyber-escalation, the United States and its allies should first use all of the economic tools at their disposal. For instance, the United States should impose additional sanctions on individual members of Russia’s military and security establishment, which could create internal fissures within the Russian regime and weaken Putin’s grip on power. Washington should also continue to enforce secondary sanctions against entities that do business with U.S.-sanctioned persons or entities—for example, foreign banks that do business with Russian oligarchs.
The United States and its allies are right to impose heavy costs on Moscow for its unprovoked invasion of Ukraine, but they must recognize the potential for retaliation that may be coming soon from Russia. Governments will eventually need to reckon with the fact that cyberthreats are an extension of broader geopolitical challenges—and thus require diplomatic solutions—but it would be unfortunate and extremely dangerous for this reckoning to take place under the looming threat of war between nuclear superpowers. To avoid such a dangerous outcome, the United States and its allies must do everything in their power to avoid fueling a cycle of cyber-escalation that could very well escape the cyber-realm.
* DMITRI ALPEROVITCH is Co-Founder and Chair of Silverado Policy Accelerator and Co-Founder and former Chief Technology Officer of the cybersecurity firm CrowdStrike.