
Lessons about cyber warfare from Russia’s war against Ukraine

The war in Ukraine serves as a stark reminder of the diverging approaches to establishing red lines in the realm of cyber operations, accentuating the complexities inherent in establishing normative frameworks for governing cyberspace. The intersection of cyber warfare with traditional kinetic conflict further exacerbates the complexities of norm development, underlining the urgent need for sustained efforts to bridge gaps and address grey areas in international law.

In the contemporary landscape of warfare, the lines between traditional kinetic operations and cyber warfare are increasingly blurred. Last year alone, the Security Service of Ukraine (SBU) thwarted over 4,500 major cyber-attacks. Many of these cyber-attacks were coupled with scores of conventional missile strikes. This underlines the urgent need for international cooperation to confront cyber threats.

June 22, 2024 - Leon Hartwell, Maria Branea - Analysis, Issue 4 2024, Magazine

Graphic: ozrimoz / Shutterstock

This article delves into key lessons gleaned from the intersection of cyber operations and conventional warfare in the context of Russia’s war against Ukraine. These provide valuable insights into the evolving nature of warfare in the digital age and the challenges posed by cyber threats to global security and stability.

Russian cyber capabilities

Russian cyber capabilities, once deemed formidable, are now perceived as regressing to a great extent. Shortly after the February 2022 escalation of the war, some cyber experts pondered whether Russia was going to launch some form of “cyber Pearl Harbor” on Ukraine, but that never happened.

“[Russian cyber operations] had initial success because they had literally years to prepare for this,” notes Professor Alexander Crowther, a non-resident senior fellow at the Transatlantic Defense and Security Program at the Center for European Policy Analysis (CEPA), “but as the battle became flexible, their amount of success has dropped off significantly”.

Resorting to basic tactics like information operations and denial of service attacks, Russia’s cyber strategy reflects a backward and unimaginative approach. “They’re not going up the ladder of sophistication,” Crowther remarks, “they’re going down the ladder back to the basics … if you want to compare it to weapons … they don’t have nukes, they’re back to using rocks and bayonets.”  

To support his argument about the ineffectiveness of Russia’s cyber operations, Crowther stresses that “the failure of the Russian cyber campaign is one of the reasons that they started a heavy-duty missile and rocket campaign against Ukrainian critical infrastructure.” At the same time, it is not merely a matter of Russia’s lack of cyber capabilities that is resulting in weak performance on the battlefield, as Ukraine has also beefed up its cyber defence and cooperation with NATO and NATO member states. This is particularly true in response to the heightened frequency and severity of Russian cyber assaults, which escalated in 2013.   

While Russia’s cyber capabilities may have been overestimated, one should still recognize that cyber-attacks could have life-and-death consequences, especially when used in conjunction with conventional attacks. In a chilling demonstration of this symbiotic relationship between cyber and kinetic warfare, Russia’s cyber warfare unit, Sandworm, which forms part of the military intelligence service (GRU), orchestrated a coordinated assault on Ukraine’s power grid in October 2022. Timed to coincide with a barrage of missile strikes, the assault plunged four regions of Ukraine into darkness, leaving millions of civilians grappling with the perilous absence of heat and electricity during the harsh winter months. The convergence of cyber and physical attacks underscored the vulnerability of essential civilian infrastructure and the human toll exacted by such tactics.

Moreover, the insidious reach of cyber-attacks extends beyond infrastructure, endangering even the sanctity of healthcare systems. In Ukraine, the World Health Organization has sounded the alarm, warning that sustained assaults on the country’s health and energy infrastructure rendered hundreds of hospitals and medical facilities inoperable, placing the lives of countless patients at grave risk.

In December 2023, Ukraine once again found itself in the crosshairs of cyber aggression, as Kyivstar – a mobile cell phone operator servicing half of the nation’s mobile and internet services – succumbed to a crippling 48-hour onslaught. Beyond disrupting communication channels, the attacks compromised air raid sirens, endangering millions by depriving them of vital alerts in the face of potential Russian incursions.

These harrowing episodes underscore the need for robust norms and laws to govern the evolving landscape of cyber warfare. While it is essential not to overstate the primacy of cyber operations, the inherent destructiveness of such tactics demands a concerted effort to establish clear guidelines and mechanisms for accountability in this increasingly contentious arena.

Tech giants in warzones: a new frontier

The ongoing Russia-Ukraine war has thrust tech giants into the spotlight, sparking debates over their roles in contemporary conflicts. Since the escalation of hostilities in February 2022, major tech companies have found themselves navigating complex terrain, from providing direct assistance to adversaries to safeguarding data integrity and offering intelligence support. This multifaceted engagement exemplifies a paradigm shift in the influence wielded by private sector entities in global conflicts.

Nadiya Kostyuk, an assistant professor at the School of Public Policy with the Georgia Institute of Technology, highlights the growing significance of the private sector in the cyber domain, with particular emphasis on Elon Musk’s Starlink initiative, which has emerged as a linchpin in sustaining communication on the Ukrainian front lines. However, the intervention of private actors in conflict zones raises profound ethical and strategic questions. Tanel Sepp, Estonia’s Ambassador at Large for Cyber Diplomacy, advocates for enhanced collaboration across public, private and civil society sectors to effectively confront cyber threats while upholding shared values.

Yet, the actions of tech giants are not uniformly aligned with ethical imperatives. Elon Musk’s refusal to activate Starlink services in Sevastopol, as revealed in a September 2023 post on the portal X, illustrates the potential for private decisions to have life-and-death consequences on the ground, impeding vital communications during critical military operations. The lack of coverage over Sevastopol directly impeded a Ukrainian naval raid and put soldiers’ lives at risk once communications broke down in the newly liberated territories.   

Moreover, the intertwining of private sector interests with geopolitical dynamics complicates the landscape of technological engagement in conflict zones. While some companies, like Microsoft, Amazon and Google, have demonstrated allegiance to Ukraine by bolstering cyber protections, others have forged strategic partnerships with adversarial states. The burgeoning collaboration between Chinese technology firms and Russia, despite claims of neutrality, underscores the intricate web of alliances shaping contemporary conflicts.

Following the February 2022 escalation and the onset of western sanctions, several Chinese technology firms signed partnership agreements with Russia. Some of those China-Russia partnerships have undoubtedly aided Moscow on the Ukrainian battlefield, despite claims of Chinese neutrality. Moreover, a new report by the Royal United Services Institute (RUSI) warned that “Ukraine and its Western partners should prepare for a potential expansion of Russo-Chinese technological collaboration on the battlefield.” 

As the lines between cyber warfare and commerce blur, questions emerge regarding the moral and legal obligations of industry actors operating in the grey areas of conflict. Sepp contends that “the war against Ukraine, it’s really kind of a black and white situation. If it happens to be a bit more of a greyish area … how should the industry actors then act? What should the governments or the victims expect from these countries?” As such, while the war in Ukraine presents a stark dichotomy, future conflicts may introduce shades of ambiguity, necessitating a re-evaluation of industry conduct and governmental expectations.

The convergence of technology and conflict heralds a new frontier in global affairs, wherein the actions of tech giants carry profound implications for the course and conduct of warfare. In navigating this uncharted terrain, stakeholders must grapple with the ethical imperatives of private sector engagement in matters of war and peace.

Navigating the role of hacktivists in conflict zones 

Since the Russian full-scale invasion of Ukraine, hacktivists on both sides of the conflict have been increasingly operating in support of their respective nations in a clandestine manner, shaping the digital battleground in unprecedented ways.

Amid the chaos of war, volunteer Ukrainian hacktivist organizations have emerged as key players in defending their nation against cyber threats. Entities like the Ukrainian Cyber Alliance, the IT Army, and the Cyber Regiment have transitioned from ad hoc operations to strategic collaborations with governmental bodies, such as the Ukrainian Ministry of Digital Transformation and the military. Their efforts, exemplified by the takedown of the Russian ransomware gang Trigona in October 2023, underline the evolving role of hacktivists in modern warfare.

However, the actions of Russian hacktivist groups, such as Killnet, reveal a darker side to hacktivism. Killnet claimed to be responsible for the December 2023 attack on Kyivstar, which left millions of Ukrainians vulnerable as they did not receive alerts of potential Russian assaults. While defending one’s country is a legitimate endeavour, engaging in offensive cyber operations, especially those with potential war crime implications, raises ethical and legal quandaries.

Historically, governments have exploited paramilitary organizations to execute heinous crimes while maintaining plausible deniability. The emergence of closer ties between hacktivist groups and state actors underscores the need for governance mechanisms to regulate their conduct. In October last year, the International Committee of the Red Cross (ICRC) took a significant step forward by issuing the “Geneva Code of cyber-war”, outlining rules for hacktivists. However, adherence to such codes remains voluntary, highlighting the limitations of self-regulation in the absence of enforceable international laws.

The proliferation of hacktivist activity reinforces the urgent need for the codification of laws surrounding hacktivism, particularly concerning potential war crimes and questions of state responsibility. As the digital battlefield evolves, addressing the actions of hacktivists becomes imperative to upholding principles of accountability and humanitarian law in times of conflict. Only through concerted efforts to establish clear legal frameworks can the international community effectively navigate the complex terrain of hacktivism in the 21st century.

Challenges in establishing cyber norms 

Russia’s war against Ukraine serves as a stark reminder of the diverging approaches in establishing red lines in the realm of cyber operations, underscoring the intricacies of normative frameworks governing cyberspace.

Kostyuk notes that US President Joe Biden has “identified 16 critical infrastructure target objects of critical infrastructure, and he said … this should be off limit for the Russian attacks, but nothing like this has been done by the Russian president at least [not] publicly”. The absence of similar declarations from the Russian leadership complicates efforts to foster mutual understanding and adherence to internationally recognized norms.

Interestingly, Sepp states that it is recognised by “all the countries around the world that international law is applicable in cyberspace,” even by the current aggressor, Russia. However, he asserts that significant challenges persist in interpreting and enforcing these norms.

Sepp adds that “I have to argue in the same room with the Russians present and this is just unbelievable what comes out from their statements but one of the core issues is that Russia with its current aggressive behaviour is violating even the UN Charter.” Russia’s ongoing actions in Ukraine, including serious violations of the UN Charter and other international norms, undermine the prospects for constructive dialogue and consensus-building on matters of accountability and responsibility.

The intersection of cyber warfare with traditional kinetic conflict further exacerbates the complexities of norm development, underlining the urgent need for sustained efforts to bridge gaps and address grey areas in international law. In this context, the International Criminal Court (ICC) emerges as a potential avenue for prosecuting cyber-crimes of a particularly egregious nature.

The question of prosecuting cyber-crimes

In the wake of escalating tensions fuelled by destructive cyber-attacks on critical infrastructure, Illia Vitiuk, Ukraine’s chief of cyber and information security, is calling for a robust response through international legal channels. Vitiuk advocates for the referral of such attacks to the ICC, highlighting the gravity of the threat posed by hostile cyber operations.

As the international community grapples with the challenges presented by cyber warfare, the pursuit of normative frameworks and mechanisms for accountability remains paramount. By leveraging existing legal instruments and fostering dialogue among stakeholders, efforts to address the divergence of cyber norms can pave the way for a more secure and stable cyberspace.

Similarly, Tanel Sepp acknowledges that “the ICC should be one of the places that should take cyber investigations on board.” However, he highlights the lack of competence as a significant hurdle in addressing cyber-crimes effectively.

While the Rome Statute does not explicitly reference cyber offences, ICC Chief Prosecutor Karim Khan recently asserted that cyber-attacks could “potentially fulfil the elements of many core international crimes as already defined”. In other words, cyber-attacks could constitute crimes against humanity, genocide, war crimes, and crimes of aggression, which signifies a recognition by the ICC of the evolving threat landscape and the imperative for legal accountability.

Henceforth, it may be possible to prosecute, for example, not only those who propagate genocidal messages, but also the shadowy actors who engineer their dissemination through cyber means. Khan, for example, acknowledges that the ICC remains cognisant of “the misuse of the internet to amplify hate speech and disinformation, which may facilitate or even directly lead to the occurrence of atrocities.”

Still, the ICC operates on the principle of complementarity, and more importantly, it will have to rely on states and corporations to provide it with the support that would enable the ICC to prosecute cyber-crimes. Encouragingly, the ICC hosted a roundtable jointly with Microsoft in January in order to discuss how cyberspace can be used to commit crimes under the Rome Statute. Khan and his team are also planning to launch an ICC policy paper on cyber-enabled crimes, which will be published later this year.

Ambiguities surrounding NATO’s Article 5 in cyber warfare

In the absence of legally binding frameworks, and in the absence of international custom with regards to the actual prosecution of individuals for cyber-crimes in accordance with the core crimes defined by the Rome Statute, NATO, both collectively and at the member-state level, should simulate more exercises on how they will respond to cyber-attacks.

In the realm of international security, NATO’s Article 5 – which states that an attack on one country is an attack on all – stands as both a beacon of collective defence and a testament to the Alliance’s unity. Yet, as the digital age redefines warfare, the question of whether a cyber-attack can trigger Article 5 remains shrouded in ambiguity. The recent escalation of the war by Russia in February 2022 amplified internal debates within NATO, stressing the urgency of clarifying the Alliance’s stance on cyber warfare. NATO’s Article 5 is a sacred concept and the epitome of collective defence among the 32 allies.

Since its inception, Article 5 has been invoked only once, during the September 11th terrorist attacks in the United States. However, recognizing the evolving nature of threats, NATO members expanded its scope in 2014 to encompass cyber-attacks. Yet, defining the parameters of such attacks remains elusive, raising critical questions about the practical application of collective defence in the digital domain.

Following the February 2022 escalation, one NATO official reiterated that “Allies … recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack.” Yet, the key question remains, what type of cyber-attack would constitute a big enough event so that allies would come together and decide to trigger Article 5?

Amidst the deliberate maintenance of strategic ambiguity regarding the activation triggers of Article 5, compounded by the absence of clear legal frameworks and established norms for addressing cyber-crimes, NATO finds itself compelled to intensify simulated exercises. While preserving ambiguity remains crucial for strategic flexibility, these simulations are imperative. They offer invaluable insights into the complexities of cyber warfare, providing policymakers, often lacking in technological expertise, with essential tools to navigate the complex terrain of international security.

Maria Branea is a research assistant on the Eurasia Futures project at the European Leadership Network. She previously worked as a programme associate at LSE IDEAS, the London School of Economics’ foreign policy think tank, and the Romanian-based Ratiu Forum.

Leon Hartwell is a Senior Associate at LSE IDEAS, London School of Economics (LSE), a Non-Resident Senior Fellow at the Center for European Policy Analysis (CEPA) in Washington D.C., and a Visiting Fellow at the European Leadership Network (ELN) in London.
