Ukraine, Cyberattacks, and the Lessons for International Law
Russia’s invasion of Ukraine has put to the test theories about how cyberattacks fit into conventional war. Contrary to many expectations, cyber operations appear to have played only a limited role in the initial stages of the invasion, prompting competing theories and rampant speculation about why. Although written while the conflict continues, this essay considers how either of two broad explanations for the limited role of cyberattacks to date—that Russia’s attempted cyberattacks were thwarted or that Russia chose not to deploy them widely—challenges conventional wisdom about cybersecurity. The essay concludes by suggesting that one lesson international lawyers should draw from the current conflict is the urgent need to clarify and enforce international rules not just for the rare high-end destructive or widely disruptive cyber operations, but also for lower-level operations that have proven more consistently problematic, both in Ukraine and elsewhere. Clarifying such rules could help to manage escalation risk now and in the future, even if such rules—like the most venerable international law prohibitions that Russia’s invasion has violated—do not necessarily restrain behavior directly.