The war in Ukraine has so far seen very little engagement from the cyber diplomatic community. While the international community focuses on stopping Russia’s invasion and ending the conflict, the contribution of cyber diplomacy to these efforts has been limited to the usual offers of assistance to deal with cyber incidents. This is surprising, given the number of cyber diplomacy-related questions raised by the conflict. In particular, the war challenges the effectiveness of the tools developed to date and asks how the framework for responsible state behaviour in cyberspace applies in this situation. Activity by non-state actors acting as proxies on both sides of the conflict is also raising new dilemmas. What does the war in Ukraine tell us about the state of cyber diplomacy today?
Caitriona Heinl, Executive Director at the Azure Forum for Contemporary Security Strategy & Adjunct Research Fellow at the School of Politics and International Relations, University College Dublin
While the war in Ukraine does not spell the end of ‘cyber diplomacy’, it raises questions about the effectiveness of peacetime diplomatic instruments – such as cyber confidence and trust building measures – in the face of conflict. Analysts are urgently exploring likely conflict scenarios, including scenarios in which both sides feel this is a war that cannot afford to be lost. There is still uncertainty about whether the Russian Federation intends to further escalate the current conflict; its incentives to use force over diplomacy; its possibly changing definition of ‘victory’ over time; and whether the war might widen beyond Ukraine and Russia. In terms of cyber crisis communication for escalation scenarios, risks include Moscow’s use of intensified cyberattacks at the highest levels; nuclear exchange; and misperceptions, mistakes and miscalculations that might lead ‘rational leaders to get caught up in an escalatory spiral that is no longer under their control’. A key challenge will be to rapidly determine whether cyber behaviour is intentional or unintentional.
Whether cyber confidence-building measures (CBMs) can facilitate crisis cooperation and incentivise restraint is an open question. The answer will likely depend upon Russia’s actual intentions. At the end of 2021, Russia was already said to be focusing its efforts with regard to the West ‘in the hybrid realm, engaging in information operations, cyber attacks and political manipulation’. In this case, it is a key concern that modern risk-reduction mechanisms associated with cyber, digital and emerging strategic technologies are not yet fully developed or implemented. Another concern predating the Ukraine invasion was the growing number of active non-state actors, possibly raising the risk of misdirected responses and even misattributions.
Even before the invasion of Ukraine, the cybersecurity environment was highly complex and risk of escalation was high. There were serious concerns about strategic stability and the nuclear balance – risks exacerbated by cyber-enabled activities and disruptive strategic technologies. As we continue to unpack scenarios and intentions, it is worth remembering how easily confusion can arise when states assess other states’ cyber activities and intentions. The line between cyber espionage and defensive cyber activity isn’t always clear, and its blurriness may be destabilising in unexpected ways. As Jason Healey surmises, ‘Putin might already see the presence of U.S. defensive and intelligence teams operating on or against Russian military networks as evidence of direct U.S. involvement in the war.’
Dr Eneken Tikk, Lead of Power and Influence Studies, Cyber Policy Institute
The Russo-Ukrainian war is not a viable litmus test for the effectiveness of cyber diplomacy tools such as confidence building measures. By definition, these tools are intended to prevent unintended escalation. If anything, this conflict demonstrates the limited usefulness of such mechanisms. Even the remarkable visibility of Russian troops massing at Ukraine’s borders did nothing to prevent the Russian offensive, raising questions about the true value of transparency mechanisms. If counting tanks is not sufficient, applying similar logic to cyber operations is even more complicated. And while hostilities are ongoing, there’s little chance of additional confidence building measures being negotiated or put in place between Moscow and Kyiv.
Between Russia and the West, however, other confidence frameworks are of enormous importance. It has been observed that in numerous instances since the Cold War, states have not conformed to or have only partially conformed to the provisions of the Vienna Document. Russia has circumvented notification and observation provisions – in cases of military exercises, for example – and avoided conducting regulated activities. As the trust that does exist between Russia and the West is fragile at best, revisiting existing confidence frameworks and negotiating additional ones might reinforce confidence on a bilateral basis and save European countries from the cyberattacks that are known to accompany unresolved differences.
Other extraordinary events that have unfolded in the context of the war – notably Anonymous’ offensive against Russian targets, SpaceX’s delivery of satellite-based internet to Ukraine and the financial crisis accompanying a massive withdrawal of Western businesses from Russia – offer valuable lessons for possible future confidence building discussions. Advertently or inadvertently, the current stage of the Russo-Ukraine war has triggered new protocols for industry and civil society engagement in conflict. However, the high risk of escalation and entanglement may make the international community reluctant to endorse these responses as common practice.
Dr Dennis Broeders, Professor of Global Security and Technology, Leiden University
Diplomacy does not die, but it is profoundly Sisyphean. Every full-blown conflict violates the legal and normative framework of responsible state behaviour, but we are only able to identify those violations because the framework is there. In the middle of this hot war, cyber diplomacy takes a back seat. In part because the cyber element of the hostilities is – so far – relatively limited, but also because, at this moment, top-level security diplomacy takes centre stage. Moreover, the norms of the framework of responsible state behaviour, as laid down in the United Nations Group of Governmental Experts (UN GGE) reports of 2015 and 2021 and in the Open-ended Working Group (OEWG) report of 2021, are considered ‘peacetime norms’ and are thus not applicable.
Yet, this conflict has raised new questions – and answers. On 1 March, the Ukrainian government requested ICANN (the Internet Corporation for Assigned Names and Numbers) remove Russian top level domains, such as .ru, from the internet. In parallel, RIPE NCC (Réseaux IP Européens Network Coordination Centre) received a request to withdraw Russia’s rights to use their assigned IPv4 and IPv6 addresses and to block their DNS root servers. This would amount to what has been called, in the norms debate, a violation of the ‘public core of the internet’, a concept that has landed in (policy) documents such as the Paris Call, EU Cyber Security Act and the 2021 UN GGE and OEWG reports. Both ICANN and RIPE NCC – though sympathetic to the Ukrainian cause – refused to disconnect Russia from the global internet infrastructure, placing themselves – and that infrastructure – outside of geopolitics. This is arguably a case in which a peacetime norm was translated to a wartime context and was upheld by a private party. In the wake of these requests and answers, the technical community that operates the core internet infrastructure initiated a discussion about their responsibility when it comes to international sanctions. As sanctions are an important part of the diplomat’s toolbox, this is a discussion that diplomats cannot afford to miss and will want to engage with.
Dr Mika Kerttunen, Adjunct Professor of Military Strategy, Finnish National Defence University
The Russo-Ukrainian war doesn’t make us much wiser on cyber deterrence, which for many states has been the key theme of their cyber diplomacy. For the time being, it suggests that states do not employ cyber capabilities recklessly. However, the more involved private, voluntary and proxy actors become in offensive operations, the less controllable this domain becomes.
We can conclude that neither Ukrainian cyber capacity, the EU Cyber Diplomacy Toolbox nor global norms were effective in making Russia abstain from conducting malicious cyber operations before and during the current offensive. Though it’s possible that some operational scenarios weren’t employed because Russians were deterred: we simply don’t know. Instead of acting as a deterrent, Russian cyber and military power seems to have encouraged President Zelenskyi to call on hackers to attack Russia. Only state authorities calculating whether to employ offensive capabilities can know whether and how ‘cyber’ deters their ambitions. They may also be unaware that they’re expected to be deterred in the first place.
There can be any number of explanations for why there have been little to no exchanges of cyber salvos between Russia and the West. Perhaps Moscow and Washington are adhering to the voluntary, non-binding peacetime norms between them. Alternatively, they may think employing cyber capabilities would be ineffective at this moment. They may fear a tit-for-tat response, or vertical and horizontal escalation. They may not want to break more fundamental normative or moral taboos. It’s even possible that they don’t possess sufficient or relevant capabilities. There are many possible reasons for abstaining from offensive action. So far, the war in Ukraine has left the world with more questions than answers.
Dr François Delerue, Senior Researcher in Cybersecurity Governance, Leiden University
The international armed conflict in Ukraine raises important questions of international law that are also relevant for cyber diplomacy. These include questions about the Russian aggression and the use of force, the conduct of hostilities, international criminal law, dispute settlement including at the International Court of Justice, and state responsibility.
The most pressing questions concern the regulation of cyber operations by international humanitarian law (IHL). Cyber operations during armed conflicts must respect the obligations imposed by IHL (see e.g. The Tallinn Manual 2.0, rules 86–145), including the restrictions on targeting civilians and civilian infrastructure. This observation echoes the importance of the work and advocacy of the International Committee of the Red Cross on this matter and the positions expressed by various states, as well as related discussions at the UN OEWG (2021 Report, p. 19(12)) and the UN GGE (2021 Report(71)(f)).
During an armed conflict, civilians must be protected from attack, unless and for such time as they directly participate in hostilities, including, notably, conducting cyber operations against one of the belligerents. In that sense, the creation of the ‘IT Army’ comprised of individuals located all over the world conducting cyber operations in support of Ukraine raises different legal questions. An important issue concerns individuals acting from third countries who are located outside of the geographical scope of the armed conflicts and of IHL. The status of these individuals remains, to some extent, an open question. Their actions are likely to be considered transnational cybercrimes and could pose a challenge for international law enforcement and judicial cooperation. For cyber diplomats, this situation might also raise questions related to the principle of due diligence, which says states must not allow their territories to be used to launch cyber activities against other states.
Dr Patryk Pawlak, Brussels Executive Officer, EU Institute for Security Studies; Project Director for EU Cyber Diplomacy Initiative – EU Cyber Direct
No, this is not the end of cyber diplomacy, but it is a wake-up call for EU cyber diplomats. EU cyber diplomacy has been in soul-searching mode for several years now. Messages from Brussels served us confusion about what type of actor in cyberspace the EU would like to be: one that prevents conflicts in cyberspace or one that flexes its muscles to deter its enemies. Ultimately, it has failed to become either. There are many reasons why, but a lack of political leadership and an often-reactionist approach are the EU’s biggest problems. As a result, when it comes to cyber diplomacy, the EU often punches below its weight.
But, like every crisis in the history of EU integration, this one provides an opportunity. The isolation of Russia at the UN and increasing scepticism about its intentions provide a window of opportunity to expose the true motivation behind Russia’s information security narrative while at the same time stressing the importance of existing international law. It is also a chance to build new coalitions and advance on the Programme of Action, which, with the looming failure of the OEWG in the current political climate, could well become the only realistic game in town.
Internally, the EU will need to confront some difficult questions. These include questions about its international obligations, and those of its Member States, during the war, especially as concerns the principle of due diligence. The uncertainty surrounding the deployment of the Cyber Rapid Response Teams in Ukraine is a warning that effective crisis management mechanisms are difficult to find once a crisis is in progress.
This is why the EU should consider launching new Civilian Cyber Missions under the Common Security and Defence Policy umbrella. The role of the Cyber Diplomacy Toolbox as part of the EU’s broader diplomacy needs to be addressed. The establishment of an EU Cyber Diplomacy Network and EU Capacity Building Agenda, as proposed in the EU Cybersecurity Strategy, are long overdue. Finally, the EU needs an Envoy/Special Representative for International Cyber Issues to provide a strategic direction to the EU’s global engagement on cyber, digital and tech issues. Their work should be supported by an interinstitutional task force and guided by a forward-looking strategy centred on strengthening global resilience and cyber compellence rather than deterrence. Business as usual is no longer an option.