Since the full-scale invasion of Ukraine in 2022, Russia’s cyber operations have amplified a regional reckoning on cyber warfare. Eastern European governments, long hawkish on Russia, are now grappling with a new kind of vulnerability: they are more digitized, more connected, and more exposed than ever before.
Eastern European leaders have warned that Russia will not stop at Ukraine, as I heard from multiple leaders at the NATO Forum in Washington, DC, last summer. Since then, this urgency has only grown further. States are building up their defenses to prepare for this impending threat. In Poland, for example, Donald Tusk plans to provide military training to all male citizens by the end of 2025.
Cyberspace has become another theater of war, and Russia’s military doctrine views it as such. For Eastern European states, many of which were within the former Russian sphere of influence, these aren’t abstract fears. Estonia’s former President Toomas Hendrik Ilves has long warned about the threat of Russia’s digital warfare. In 2017, he claimed at the Atlantic Council in Washington that, “You don’t have to hack the power grid, let alone attack with a division of tanks if you can hack the elections and change the policies of a country.” Romania’s ongoing election drama — with a far-right candidate banned, an entire election re-run, and Russian interference abundant — is a case in point.
The dilemma these states face is as strategic as it is urgent: should they double down on cyber resilience and defense, or invest in offensive capabilities that can push back? Neither path is easy. Both are expensive. But doing nothing, many fear, is no longer an option.
While Russia has used extensive cyberattacks on Ukrainian telecommunications and power companies, as well as government agencies, in parallel with kinetic strikes, cyberspace has not become the dominant front in Russia’s war on Ukraine, as some had anticipated. Cyberspace has instead become “an auxiliary theater — used for disruption and espionage, not decisive military effects,” according to an expert from a leading US think tank, who requested anonymity to speak candidly.
According to the Ukrainian government, in 2024 alone, Ukraine was subjected to 4,315 cyberattacks — a 70% increase from the previous year. The goal has been to damage Ukrainian critical infrastructure, weaken society from within, and supplement a fraught war effort that has dragged on for years. But these cyber barrages have failed to deliver the kind of digital shock and awe many experts once predicted. “Despite Russia’s persistent attempts in this domain, Ukraine’s cyber defenses have proven to be more effective than initially thought in the conflict,” said Taylar Rajic, Associate Fellow for the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). Ukraine’s defenses — bolstered by partnerships with NATO, the EU, and American cybersecurity companies — have held.
For the broader region as well, the question is no longer whether cyber operations matter in warfare. Most national security and cybersecurity experts agree cyberspace has not become the principal theater of war, nor has Russia succeeded in using cyber power as a strategic tool to “alter other states’ behavior,” as Crowdstrike’s co-founder and national security expert Dmitri Alperovicth noted during his keynote speech at the RSAC conference on cybersecurity this year in San Francisco. The question has become what kind of threat cyberspace represents for Eastern European states — and what kind of statecraft it demands in response.
*
The lessons learned and the resulting policy response have varied across the region. Poland’s cyber posture is shifting from reaction to prevention, and Warsaw has moved fast to boost its cyber posture. The country, already at the forefront of the refugee and military aid effort to Ukraine, now finds itself the most targeted nation by Russian-linked cyber actors. Russia has attempted to target Polish presidential elections and the country’s infrastructure. “There is no other country in the European Union that faces similar threats,” Poland’s top cybersecurity official recently warned. In one example, Poland’s national newswire was hacked and infiltrated by a false story announcing that Prime Minister Donald Tusk was calling for the mobilization of 200,000 Poles, “both ex-military and regular civilians,” to join the fight in Ukraine. Additional Russian cyber attacks have also aimed at generating domestic instability, especially ahead of the Polish presidential elections
In response, the government launched a nearly $800 million “cybershield” initiative. Starting in 2024, Poland allocated roughly $63 million annually to a dedicated cybersecurity fund, which the Ministry of Digital Affairs uses to secure the nation’s IT systems. The country is also investing not just in technical infrastructure, but in building public-private coordination mechanisms, modeled loosely on NATO’s collective defense logic.
Estonia, too, is doubling down, though it has far less catching up to do. This small country has been the most proactive and is often cited as a successful example when it comes to digital transformation of the economy and public services. The strategic shift in cyber policy came after a devastating 2007 Russian cyberattack that crippled the country’s infrastructure and digital systems. Estonia has relied on cyber diplomacy to enhance international coordination on cyber defense. Today, Estonia hosts NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) and has shaped much of NATO’s evolving doctrine on cyber defense.
The real breakthrough in Tallinn’s attitude toward cybersecurity, however, was the jump from discreet incident response to proactive and forceful statecraft through attribution and coordinating cybersecurity assistance to Ukraine. In 2020, Estonia attributed a significant cyberattack against Estonian government services to Russia’s special services — specifically, the GRU Unit 29155. Foreign Minister Margus Tsahkna framed this as essential for “exposing Russia’s hybrid warfare” and strengthening collective security. “The investigation showed that Russia’s aim was to damage national computer systems, obtain sensitive information, and strike a blow against our sense of security,” the Minister said in 2024.
*
If the Baltics and Poland represent the relatively fortified edge of NATO’s Eastern flank in cyberspace, Moldova reveals what happens when those preventive measures to boost cyber resilience are absent, either because the government doesn’t recognize their importance or because it lacks the capacity to implement them.
Since the invasion of Ukraine, Russian cyberattacks against Moldovan institutions have tripled. Disinformation campaigns have tried to destabilize the country’s pro-European government and sow discord in society. Government websites have been shut down, and ransomware and data loss have resulted in significant economic and financial damage to an already struggling economy. Moldova has long been viewed as another Achilles’ heel in the EU’s eastern neighborhood, where Russia’s destabilization can help Moscow steer attention and resources away from the more critical struggle — Ukraine. A 10-year plan, drawn out by Russia’s infamous state security agency, the FSB, and revealed in 2023 by several media outlets, confirms the Kremlin’s strategy of destabilizing Moldova as part of its broader foreign policy goals.
Moldova’s digital defenses are paper-thin. With help from Estonian and EU officials, the country passed a new cybersecurity law in 2023. It creates a national authority, mandates reporting from critical infrastructure operators, and aligns Moldova’s standards with the EU’s updated cybersecurity directive. But with few trained professionals and a modest budget, Moldova still needs international assistance to meet the challenges it faces in cyberspace, from ransomware to mining of cryptocurrency in Transnistria, the Russian-supported breakaway region internationally recognized as part of Moldova.
But Moldova’s few resources and increased vulnerabilities should come as no surprise. “Small states like Estonia have high state capacity. Moldova, Bosnia, and others? Not so much. They’re ripe targets,” the US think tank expert said.
*
NATO has engaged actively since the beginning of Russia’s invasion of Ukraine, including in helping boost the alliance’s cyber defenses. Exercises like “Cyber Coalition” now involve around 1,000 participants across member and partner states. Lithuania, Romania, and Albania have all implemented national reforms that align with NATO’s cyber doctrine. Romania’s 2023 Law 58 on Cybersecurity is perhaps the boldest: it recognizes a comprehensive cyber defense strategy as a priority, designates the powers and responsibilities of the government agencies, and allows for “proactive” defense measures, which could be interpreted as a green light for developing offensive capabilities.
That, in NATO circles, is still somewhat unusual. “Offense is tricky,” the anonymous US think tank expert said. “It’s not just a capability question — it’s a legal and political one. Who’s allowed to hack back? What if you misattribute an attack?”
The war in Ukraine has made clear that cyber alone won’t win wars. But it can tilt the playing field — sow confusion, paralyze systems, damage entire economies, and manipulate public opinion to create internal chaos.
Some countries in the region have publicly opposed moving toward a more offensive strategy, which seems to be gaining ground in Washington as the Trump administration ramps up its comprehensive measures against China. The idea is that proactive offensive operations against cyber threat actors can deter them in the future. But not everyone in Eastern Europe, composed of small and medium states with limited resources and capabilities, is optimistic about switching to offense as the best defense in cyberspace. Estonia, for example, prioritizes resilience, including by promoting a “cyber-literate” society, instead of offensive operations. Official statements from the Lithuanian government also emphasize resilience and the effective management of cyber incidents.
But cyber resilience — the ability to withstand, recover from, and adapt to cyber threats effectively and quickly while maintaining core operations — has its limits. As Larry Clinton, the CEO of the Internet Security Alliance, a Washington-based nonprofit working on promoting a sounder cybersecurity policy, told me, “The digital age demands a rethink of national defense. Private companies are now front-line actors — but they assess risk differently than governments.” In his view, expecting the private sector to shoulder national defense burdens is impractical and potentially harmful. “If government security mandates are too high, they could make these infrastructures less profitable,” he said. “That dries up the very investment we need.”
This tension — between what’s necessary for national defense and what’s sustainable in the private market — is present through almost every cyber policy discussion in Eastern Europe today — just like in the United States, where Chinese cyber attacks against US critical infrastructure have become the talk of the town in the cybersecurity circles in Washington.
*
Eastern Europe is the region that has been historically dominated by outside powers — most recently by Russia — and that has been the most outspoken in the Western camp when it comes to the level of threat that Russia poses to Europe. Cyberspace has now been part of this equation for a while, and the war in Ukraine has exposed cracks not only in Eastern Europe’s cyber defenses, but in the formulation of a coherent cyber strategy that strikes a balance between hyping the Russian cyber threat for political reasons and preparing the region adequately for the evolving cyber threats of our time. This is particularly urgent as AI rapidly transforms the cyber industry, along with the methods that both defenders and attackers use.
The stakes are rising. The tools are evolving. And the policy choices ahead are increasingly binary. Do states like Poland and Romania build out offensive capabilities to actively deter Russian aggression in cyberspace? Or do they follow Estonia’s model — hardening defenses, deepening NATO integration, and banking on deterrence through resilience?
But even those who doubt what lessons Eastern European countries may have taken away from how cyber warfare has unfolded in Ukraine recognize the unique challenges that these newly digitizing countries face in cyberspace. As Rajic put it, “Irrespective of the war in Ukraine, many states in Eastern Europe, particularly in the Western Balkans, have been struggling with rapid digitalization and are largely unprepared for the growing risk of cyber threats.” Estonia’s 2007 cyber catastrophe was an example of how “highly digitized states” in the region can suffer enormously if they do not take the right preemptive measures.
The war in Ukraine has made clear that cyber alone won’t win wars. But it can tilt the playing field — sow confusion, paralyze systems, damage entire economies, and manipulate public opinion to create internal chaos. And at a time of serious democratic backsliding on the continent and beyond, it is unsurprising that Eastern Europe, where most countries have only recently transitioned to democratic governance, is worried.
And for countries that are high up on Russia’s target list, that’s reason enough to rethink everything when it comes to cyber policy. And the signs that the region’s leaders recognize the need to do more or to do things differently are clearly there. The dilemma now is what to do about it — and whether they will have their Western allies’ backing in cyberspace moving forward.
