Towards the end of 2021, Russia began a military build-up around Ukraine. Then, after several months unsuccessfully pressuring the Ukrainian government to accede to its demands, Russia invaded Ukraine on 24 February 2022. This post collects and synthesises information and perspectives on the cyber and information technology-related aspects of the conflict thus far, including the cyber operations and tactics of parties both directly and indirectly involved in the conflict, and actions of the technical community and private sector actors relevant to the conflict. It highlights the range of assumptions that are being challenged and precedents that are being set in this regard. It also raises questions about the implications of these assumptions and precedents for crisis management and broader conflict resolution efforts, and for talks at the United Nations and beyond on ICTs in the context of international security.
Over the past two weeks, experts across the United States, Canada and Europe have all tried to explain why we haven’t witnessed major cyber incidents in either the build-up to the invasion or the current phase of combat. In the months preceding Russia’s invasion, many observers predicted that cyber operations would be a key component of Russia’s military strategy, with the media and cyber conflict experts warning of unpredictable, cascading outcomes à la NotPetya. Yet, while Ukraine’s infrastructure (power and telecommunications in particular) has been targeted, the internet is still largely accessible across the country.
The relevance of cyber operations to an armed conflict will always be determined by a combination of factors: the context, the actors involved, their calculations of the value of the cyber capabilities they are able and willing to deploy and what impact those capabilities can have in support of their political and military objectives. These assessments may vary depending on the stage of the conflict. While oft overlapping, these include the period leading up to an armed conflict, the actual combat phase, a temporary cessation of hostilities or ceasefire, peace negotiation talks and the immediate post-conflict and longer-term reconstruction phases.
Cyber operations in Ukraine
Multiple arguments and counter arguments have been put forward explaining the absence of major cyber operations on Russia’s part thus far. For many, the simple explanation is that this is not where the real value of cyber capabilities lies; rather, it’s to be found in their subversive potential. However, the most logical answer at this early stage is that we simply don’t know.
Nonetheless, the following list and accompanying reference document collect a range of theories and assessments put forth so far. Together, they provide interesting insights into expert views on the absence of major cyber activity in the build up to and initial weeks of the conflict.
- We simply don’t know why Russia hasn’t used cyber operations, as we only have access to open source material. Moreover, in contrast to the significant incidents of 2014 and 2017, cybersecurity experts don’t have access to good analytical data, including telemetry and data derived from forensics. Our views are highly dependent on official reports, news coverage and citizen reporting. Moore; Alperovitch Institute/Twitter Space;
- Maybe strategic offensive cyber operations were not prioritised (miscalculation); maybe they were detected (opsec errors); or maybe their effects failed or they under-delivered (operational errors). Moore
- Just because major cyber operations have not been used to date does not mean they will not be used in the theatre of war or beyond in the coming weeks. Healey; Rohozinski; Martin; Cyberlaw Podcast; CSIS/webinar
- Russia is saving its offensive cyber capabilities for the right moment. Willet
- Cyber operations are limited. They will be used to support further aggression – and we should be prepared, but not panicked. Muller
- Russia does not have a tradition of using destructive cyber operations in past conflicts (e.g. Georgia, Ukraine, Syria). It does not have precision cyber strike capabilities and Russian doctrine points to significant cyber operations delivering the most value in peacetime. Willet; Kostyuk and Zhukov
- Cyber operations in wartime are not as useful as bombs and missiles when it comes to inflicting the maximum amount of physical and psychological damage on the enemy. Ridd; Martin
- Once major combat operations begin, cyber operations rarely play more than a supporting or enabling role to the broader military campaign. Lonergan et al; Alperovitch; Corera
- Russia has not integrated tactical-level cyberattacks into its broader military campaigns. Ridd; Cyberlaw Podcast
- The true value of cyber operations is incremental and instrumental. Here, they’re playing a supporting role, on and off the battlefield, in a wider effort to achieve Putin’s objectives. Devanny
- In a combat situation, influence operations and other forms of subversive activity are of much more value than cyber operations. Alperovitch, Moore; Maschmeyer and Kostyuk, Ridd; Martin
- Russia has relied too heavily on criminal proxies, who may not be well suited to targeted attacking. Cyberlaw Podcast
- Russia believed its military would subdue Ukraine quickly with conventional forces and thus saw no strategic value in deploying cyber weapons to seriously damage Ukrainian communications infrastructure (since the country would end up in Russia’s zone of influence). Alperovitch; Rohozinski; Lewis; Cyberlaw Podcast
- Russia’s military depends on Ukrainian communications systems for its own command-and-control (C2) capacity in the country, as well as for intelligence gathering, creating a disincentive to destroy it. Alperovitch Institute/Twitter Space; Rohozinski; Cranny-Evans and Withington
- There has been a lack of coordination between the Russian military and intelligence services and related cyber- and electronic warfare units, potentially due to the secrecy surrounding the invasion. Moore
- Ukrainian cyber defences have been more resilient than expected, due in large part to support it has been receiving since 2014 from the US Cyber Command, NATO and the EU. It has also received support from private sector actors on cyber security, incident management and recovery, as well as material support. Valeriano and Longeran; Martin; Rohozinski; CSIS/webinar.
Several experts suggest that the focus on decisive or strategic cyber operations is drowning out efforts to understand more discreet cyber activity aiming for more tactical effects. To the extent that information is available, early activity involved web defacement campaigns and DDoS attacks and phishing campaigns (Ghostwriter, FancyBear/APT28, Sunseed) targeting the public sector, military and media in Ukraine as well as, apparently, European actors managing refugee logistics outside of Ukraine. Malware attacks (e.g. HermeticWizard, IsaacWiper, CaddyWiper) targeting Ukrainian organisations have also been detected. There haven’t been reports of majorly significant impacts from any of this activity. Rather, it represents the usual noise or distractions to be expected in the run-up to a combat situation in 21st century warfare.
Conversely, the more recent ViaSat malware hack, apparently timed to the beginning of the invasion (but not to be confused with the satellite jamming incidents that have been detected), is reported to have affected high-value communications of the Ukrainian military, police and intelligence. The attack has also had collateral effects on wind turbines in Germany and thousands of modems across France, Greece, Poland, Italy and Hungary. While there is still a lack of clarity surrounding the attack, its effects do suggest some level of planning and coordination, even if it wasn’t pegged to a specific military campaign. This attack may also confirm reports of US military intelligence statements warning that cyber activity in Ukraine merited ‘careful attention’. Reports of the Ukrainian government’s preparations to secure government-stored data and systems by moving them to safer sites – or out of the country if necessary – may be another indicator of the hack’s impact. However, the data and systems are just as much, if not more, at risk from bombing than from an actual cyberattack.
Many also posit that Ukraine was prepared for a cyber onslaught, thanks to the support it has been receiving from the EU, the US and private companies since 2014. The past weeks have seen increasing pressure on NATO and the EU to increase support to Ukraine and bolster its defences, including via cyber means, resulting in the Ukrainian government receiving support from the US Cyber Command, the UK National Cyber Force, NATO, the EU, and the cyber forces or units of individual EU Member States. For several of these entities, it is the first time they have deployed this kind of support in a live conflict situation. As with other forms of support, it is likely bounded to avoid escalation, although it is unclear that it will be interpreted in that manner.
Despite their differences, most experts acknowledge that the absence of a major incident (or series of incidents) to date does not suggest that Russia will not deploy more destructive cyber operations as the conflict continues. As the pain of economic sanctions takes effect in Russia and tensions continue to dangerously rise, it is likely that we will see more activity targeting Ukraine, NATO and EU countries. Experts have made reference to ‘strategically ambiguous dual-use’ activity by ransomware groups targeting ports, oil and gas infrastructure and a defence industrial base transport company in the US in October 2021, which may (or may not) be an indicator of what is to come. Given the strong position the EU has taken on the conflict, it’s assumed that EU institutions and Member States may eventually become targets of Russian retaliatory attacks. Recognising this, EU telecoms ministers have been discussing a ‘cybersecurity emergency response fund to counter large-scale cyberattacks’, including spill-over effects from attacks targeting Ukraine’s infrastructure. The uptick in alerts and advisories issued by cybersecurity agencies in the EU, the UK and the US also point in this direction, as does the recent decision by a group of cybersecurity firms in the US to provide comprehensive and free cybersecurity support to hospitals and water and power utilities.
Cyber activity targeting Russia
While there has been significant discussion on cyber activity aimed at Ukraine, four weeks into the conflict, there has been less analysis of major cyber activity targeting Russia, whether in combat areas or on Russian soil. That likely reflects the limited visibility we have into what is happening in Russia. Experts continue to debate and assess the type of response that would be engendered by US or NATO cyber activity targeting Russian military forces in Ukraine or Russian national infrastructure. They have also discussed Putin’s decision to place Russia’s strategic deterrence on high alert, and the very hypothetical question of whether cyber operations might serve as a ‘last line of defence in the event of a catastrophic [nuclear] escalation’.
We also know that Ukraine has assembled an online international ‘IT Army’. Its volunteers use social media – particularly Telegram – to set disruptive tasks for its more than 300,000 subscribers. These tasks have included targeting Russian government websites, systems and networks. While there have been suggestions that Ukrainian ministers have some degree of control over what the IT Army does, there are initial rumblings about the strategic, ethical and legal implications of the activities of its members, particularly those who are neither belligerents nor physically located in Ukraine or Russia.
Other, more decentralised, forms of disruptive cyber activity have also been reported, including, for instance, the ‘hack and breach’ at the start of the invasion which revealed the personal details of thousands of Russian soldiers, or the ‘protestware’ actions of open-source software projects. The latter have mostly centred on simply displaying anti-war or pro-Ukrainian messages when their code is run on computers in Russia and Belarus, although one case reportedly included malicious code tooled to wipe computers and has prompted significant criticism. Additional disruptive activities include those conducted by Belarusian cyber partisans and attacks by the Anonymous group, which declared ‘cyber war on Russia’ and proceeded to take down or hack into multiple Russian websites and systems, including the site of the Ministry of Defence.
Russian groups are hitting back. One early indication was the ransomware group Conti’s statement of full support for Russia’s invasion, accompanied by threats to retaliate hard against ‘American cyber aggression’. This bravado boomeranged on the group when a Ukrainian security researcher (who may or may not have been a member of Conti) used Twitter to leak reams of data relevant to the group, using the rallying cry ‘Glory to Ukraine’.
Meanwhile, a Russian hacker group called Killnet reported that it had disabled Anonymous’ servers. Given increased attention to this activity and that of the aforementioned IT Army, many of those who participated in these hacking forays have since gone quiet. In the meantime, splits within ransomware and other cybercrime groups – often along national lines à la Conti – continue to attract attention and raise questions about the future direction of their operations.
Influence and information operations
Influence or information operations (IOs) are a fundamental aspect of modern conflict, right alongside cyber-enabled sabotage and other types of covert action. Undoubtedly, they are playing significant roles in the conflict, with parties directly and indirectly involved in the fighting actively trying to shape narratives in Ukraine, Russia and the rest of the world to their own benefit.
Contrary to general expectations, Russia failed to dominate the narrative from the outset of the invasion. Described as a ‘massive strategic error’, this misstep left Russia flailing on several fronts. For one, the US’s leveraging of intelligence in the build-up to the invasion has been lauded as particularly successful in countering Russian disinformation operations tooled to justify the invasion. Ukraine has since held the upper hand where IOs and propaganda are concerned, pushing out information critical to its political and military aims and using IOs to rally support for military and humanitarian action and to contest Russian narratives. The government’s coordinated response to the first deepfake to figure in the conflict also indicates significant preparedness. Russia is nonetheless catching up, targeting Ukrainian information warfare units while tweeting about its military advances, including captures of Ukrainian soldiers and equipment. Its bioweapons research disinformation campaign at the UN and elsewhere also made an impact in terms of how it was echoed or misconstrued in other countries.
Their decentralised nature and the sheer number of actors involved in IOs often make it difficult to understand what’s really happening on the ground, although a number of technology experts and NGOs are attempting to shed some light on developments. As with other conflicts, social media companies are at the eye of the IO storm, with Facebook’s ‘spirit-of-the-policy allowance’ garnering significant attention. The temporary exception to Facebook’s content policy allows users in Ukraine and several nearby countries to post anti-Russian sentiments using violent language that would normally be prohibited, as long as the context is related to the invasion. News of the allowance reportedly prompted Russia to designate Facebook an extremist organisation and open a criminal case against its parent company, Meta.
Countries and organisations supporting Ukraine are taking their own measures to counter information operations, including Russian propaganda. The EU, for its part, adopted an extraordinary measure that suspends broadcasts by Sputnik and Russia Today ‘taking place in or directed at the EU’.
Other relevant IT-related developments
The response to Russia’s invasion – which has included coordinated Western sanctions and the mass withdrawal of Western internet, technology and social media companies (among many others) from Russia – is contributing, along with the Russian government’s own actions, to a substantial untethering of Russia from the international financial system and the global internet.
For its part, at the outset of the invasion, the Ukrainian government made an unprecedented request to ICANN to ‘revoke specific country-code top-level domains operated from within Russia, arranging the revocation of SSL certificates issued within those domains, and shutting down a subset of root servers located in Russia’. ICANN refused the request on the basis that it must maintain its neutrality and act in support of the global internet, while also noting its intention to continue supporting Ukraine and global internet security, stability and resiliency. This has not prevented private companies critical to the technical functioning of the internet from taking their own measures. Take Lumen Technologies, which operates one of the largest internet backbones and carries a significant percentage of the world’s traffic. It stopped routing traffic ‘for all organisations based in Russia’, with spillover affects across the region. The company argued that it did this to ensure its networks would not be used to conduct cyberattacks. Reports critical of this argument have also noted similar actions by Cogent as well as by the London Internet Exchange.
These measures reflect a broader push by technology and social media companies to cease operations in Russia. Human rights and privacy advocates have strongly criticised these moves, as well as those of Western government lawmakers and legislators, for leaving the Russian population in the dark and at risk. As an alternative, they suggest that companies draw on the lessons of the Iran and Syria sanctions regimes and the advocacy efforts made with the US Treasury Department to reduce harms in those contexts. For this to be effective, the Treasury Department would first need to update and clarify the guidance it provided in those contexts to reflect new geopolitical and technological developments.
In another response to some of these measures, the ‘multistakeholder Internet governance community’ published a document entitled ‘Multistakeholder Imposition of Sanctions’. It represents an effort to address requests such as the one made to ICANN, as well as the uncoordinated measures of private actors. Essentially, the aim of the group is to achieve better coordination of such decisions and narrow their scope, so they don’t affect ‘web access for ordinary Russians’. In addition to the annexed technical discussion of internet governance sanction measures, it presents a list of seven principles to consider in decision-making over sanctions, along with a core recommendation for establishing a ‘new, minimal, multistakeholder mechanism’ based on existing practices that would publish decisions on sanctioned IP addresses and domain names that organisations can then use to inform their decision-making processes. Human rights and privacy groups quickly reacted to the proposal, noting that its legitimacy will surely be questioned from the outset and arguing that only an ‘airtight, inclusive and open process for proposing, vetting, appealing and implementing such a list could hope to meet human rights standards’.
For its part, beyond its latest decision to place the assets of Western companies ceasing operations in Russia under ‘public management’, the Russian government is running amok with censorship practices that range from blocking news and social media sites to passing legislation that criminalises the distribution of any material contradicting the Kremlin’s narrative on its war on Ukraine. In addition, the Russian telecom regulator announced government plans to protect its networks and services by inter alia removing its reliance on Western hosting services and switching to Russian-owned ones. It is unclear whether the government’s broader plan is to totally disconnect the country from the global internet and activate the proposed RuNet alternative to the DNS, as suggested in the 2019 internet sovereignty legislative amendments.
Implications for crisis management and conflict resolution efforts?
To date, very little expert commentary has focused on the potential implications of cyber and influence operations, as well as the other technology-related measures discussed herein, for crisis management and conflict resolution. This includes their possible implications for efforts to seek an off-ramp to the conflict and for leveraging an end to the violence and destruction in Ukraine and sustaining the outcome of negotiations. Undoubtedly, the latter would be complicated by the fact that much of the state-led activity involves intelligence agencies whose actions are shrouded by varying degrees of visibility and plausible deniability, and by the fact that an unprecedented number of non-state actors are involved in the conflict.
Undoubtedly, peace negotiations remain a very long shot at present, given developments on the ground, Russia’s failure to respect agreed-upon humanitarian corridors and the failed attempt at initial high-level negotiations in Antalya. However, there does not appear to be ‘a confident route to decisive military victory’ for either party, the dawning reality of which is likely driving both parties’ reported shifts in position on the 15-point negotiation package. While there is still a strong possibility that this shift may well be short-lived, it nonetheless concentrates the mind on potential off-ramps to the conflict as well as potential political and economic points of leverage for ending the violence and for guaranteeing any negotiated outcome.
Among all of the possible hypotheticals surrounding the latter, some questions relevant to managing cyber activity and influence operations come to mind based on how they have figured in other conflict contexts and efforts to bring an end to violence. For instance, in the immediate term, were there to be a good-faith agreement on Russia’s part for a cessation of hostilities or a ceasefire, would it be necessary to include a commitment to refrain from using cyber capabilities to target humanitarian infrastructure or infrastructure hosting information critical to the humanitarian effort? What about measures aimed at curbing misinformation or disinformation about the humanitarian effort? And even if the parties were to agree on and adhere in good faith to such restraint measures, what about all the other actors involved, including potential spoilers? If behind-the-scenes bargaining takes place, who should be doing it and which actors should they be engaging with? While coordination among state and non-state actors on basic humanitarian and ceasefire issues is complex enough, coordinating silence across an army of hackers and hacktivists who do not fully understand the complexities on the ground is another story.
In the medium-term, if there is an opening for peace talks, how will the many competing and misleading narratives be managed, particularly at decisive moments in the negotiations? Other armed conflicts have provided plenty of examples of how IOs can complicate peace negotiations and similar efforts, but never at this scale. It’s also hard to say if or how cyber skirmishes and other cyber activities involving both parties, as well as their external supporters, might affect ongoing negotiations. Managing centralised cyber activity and its spillover effects is difficult enough. Managing the decentralised activity accompanying this conflict is another story.
Finally, one or both parties might escalate cyber activity to signal their intentions or discontent in advance of or during a ceasefire, or during eventual peace negotiations, if they transpire. While the conflict parties and others privy to what are usually very discreet negotiations might correctly interpret these signals, will others? In the event that a peace deal is brokered, would a parting cyber salvo targeting Ukrainian and/or Western assets and infrastructure be an acceptable off-ramp? Other questions include whether it would be recognised as such, and what the pain threshold is. It’s also worth asking if such an eventuality should be bounded by specific political and economic points of leverage in the negotiations.
Implications for multilateral and multi-stakeholder negotiations and discussions?
Just under one year ago, collective sighs of relief were aired at the UN as not just one, but two reports relevant to the responsible behaviour of states in their use of ICTs in the context of international security were adopted at the General Assembly. A joint resolution proposed by the Russian Federation and the United States that same year endorsed both reports as well as the two decades of work upon which they were built ahead of a new, five-year OEWG that held its first formal week of meetings in December 2021.
The invasion of Ukraine casts a shadow over these and other related advances. Most immediately, many will question whether meaningful negotiations can continue under that umbrella. It is, however, important that discussions at the UN continue for now, to, at minimum, maintain a platform for dialogue and remind all states of their obligations under the UN Charter and other international law and their commitments to the norms, confidence and capacity building measures agreed on to date. Looking towards the next rounds of meetings of the OEWG as well as other relevant and ongoing internet and technology-related discussions and negotiations, a few questions come to mind.
For instance, is the cautious language in the OEWG and GGE reports downplaying the reality that ICTs are used in armed conflict defensible any longer? While no major cyber event has to date occurred, cyber activity is nonetheless evident. Will states be prepared to advance a much-needed discussion on how the core principles of international humanitarian law (IHL) apply to use of ICTs in conflict?
On a more practical level, confidence building measures (CBMs) are very useful mechanisms for ensuring greater transparency and cooperation between states and for ensuring that states can manage crises when they emerge. Given that cyber operations will rarely lead to major conflict in and of themselves, does additional work need to be done at all levels to integrate cyber-related issues into broader crisis management and conflict prevention and resolution efforts, including in other critical international security arenas?
Current developments provide ample reason to continue bolstering the critical infrastructure-related norms 13 ((f), (g), (h)) as well as relevant CBMs agreed to at the UN, particularly where health, energy and information infrastructure are concerned. What would this look like under the current circumstances? Some might advocate for a more binding commitment relevant to such infrastructure. Yet, even if there were appetite for the latter, it would likely take years to negotiate, so what can be done in the meantime? National and regional experience around major events (e.g. the Tokyo Olympic Games) has shown that intensified cooperation can be beneficial for building resilience and preparedness. Would an accelerated cooperative mechanism involving the pooling of public and private resources and capacities be an option for states requesting such support?
And what about the legal and ethical implications of individuals participating in the conflict, particularly those who are staging targeting operations from territories that are neither Ukraine nor Russia? Passions and politics aside, are we willing to accept the kind of precedent this activity is setting? Does it require dedicated attention, bearing in mind existing obligations as well as the spirit and intent of norm 13 (c) in the UN GGE reports? Perhaps an exchange of views on how different governments and communities are dealing with the issue domestically – from their own due diligence responsibilities to sensitisation campaigns reminding individuals and communities of their respective duties and responsibilities – would be a good start.
Also, given how extensively information campaigns/influence operations have figured in recent major events (think climate, COVID and conflict), posing significant harms to people across the globe (the full extent of which we have yet to fully understand), the topic is likely to become more salient both domestically and across UN negotiating bodies in the near future, with all the compounding benefits and risks. Are we prepared for a meaningful discussion on the issue?
Finally, beyond the UN, what about all the issues emerging around internet infrastructure governance? As discussed herein, despite significant pressure, ICANN has remained neutral and apolitical so as to ‘sustain confidence in the multistakeholder model and policies designed to support global internet interoperability’. Yet, current circumstances are demonstrating the impact of decisions (compelled or otherwise) made by other actors, particularly the private sector on entire populations, not just a country’s decision-makers and war-fighters. This reality has been more than obvious in other ongoing conflicts, but there are many new precedents in this one. How, then, moving forward, to ensure a balance that neither favours nor benefits one specific group of actors – states, industry actors or others – over another, but that ensures and protects ordinary people’s access to the internet and their rights in both peacetime and in conflict?
Appendix
Thanks to Patryk Pawlak (EUISS); Tim Stevens (King’s College London); Heli Tirrma-Klaar (ESMT Berlin); and Enrico Formica (UNDPPA) for their input on different sections and iterations of the piece.
Thumbnail Image credits: @LightFieldStudios on @EnvatoElements
