The cyber conflict between Russia and Ukraine preceded the kinetic conflict by almost a month, with the first major cyber attack on 14 January 2022 knocking out over 70 Ukrainian government websites. These included websites of the Cabinet of Ministers and the Ministries of Defence, Foreign Affairs, Education and Science.1 Since then, even though much of the focus has been on the kinetic conflict, the cyber conflict has also continued unabated with both sides engaged in a variety of manoeuvres, from attacks on critical infrastructure to spreading misinformation.
Along the way, a number of existing preconceptions about cyber conflict in an active war scenario have been upended. Chief among them was the expectation that cyber attacks would play a decisive part in the conflict and that Russia would dominate in this domain given its superior capabilities and familiarity with the Ukrainian cyber terrain. This was especially so since its entities had been carrying out cyber attacks against Ukraine over the past decade. The resilience of Ukrainian networks in the face of these attacks has now been attributed to the very same factor, namely that Ukraine is familiar with the Russian cyber playbook, having been at the receiving end for so long.
A new variable that has made a difference in the cyber conflict has been the assistance provided, both individually and collectively, by countries backing Ukraine in its conflict with Russia. This assistance has taken the form of training, exchange of information and assistance in active defence. NATO, the collective security alliance, which is one of the ostensible reasons behind the Russian invasion of Ukraine, has been at the forefront of providing support against the cyber attacks being faced by Ukraine. Ukraine’s application for membership in the NATO Cybersecurity centre, pending since 2021, was approved in January 2023, making it one of the five non-NATO members of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).2
The European Union has spent over 10 million euros since the beginning of the conflict to assist Ukrainian cyber defences, including setting up a cyber lab and providing security software and hardware to the Ukrainian Armed Forces.3 US Cyber Command has also publicly stated that it has been operating hunt forward teams in Ukraine.4 The latest US defence budget provides enhanced budgetary assistance of US$ 44 million for these teams.5 On a tangential note, the war has also reinvigorated efforts by NATO member countries to better synchronise their cyber defence efforts, which have been struggling with the unique challenges of adapting collective security principles to cyber defence. Heightened activity at various levels of NATO shows a renewed vigour to tackle challenges.6
Yet another factor has been the role played by major software and cyber security companies in providing varied forms of assistance, from data to training to even monetary assistance, with Microsoft recently announcing it was providing as much as US$ 400 million to assist Ukraine's cyber security efforts. Much of the resilience of Ukrainian websites to Russian cyber attacks has also been attributed to pre-emptive measures undertaken by Microsoft in the weeks leading up to the war with active encouragement from the US government.7 Microsoft has also published a series of reports highlighting Russian attacks on Ukraine.8 Amazon also announced that it had contributed substantially to the Ukrainian cause.9
Initiatives such as the Cyber Defense Assistance Collaboration (CDAC), a coalition of tech companies, including Avast, the Cyber Threat Alliance, LookingGlass Cyber Solutions, Mandiant, Next Peak, Palo Alto Networks, Recorded Future, Symantec and Broadcom, Threat Quotient and numerous others, have been brought together by the Civilian Research and Development Foundation (CRDF), established in 1995 by an Act of the US Congress, to work towards protecting Ukrainian critical infrastructure.10
Although the private tech companies, from Microsoft to Elon Musk’s Starlink, have stepped in to fill the gaps and vulnerabilities faced by Ukraine, this raises major questions about the dangers of over-dependence on these companies and the leverage they hold, something that holds good globally. Use of Starlink receivers, for instance, is disabled in Russian-controlled territory.11
Though there is little evidence of Russian companies playing a role in the war effort, many Russian tech companies have suffered collateral damage from the sanctions imposed on Russia as well as the internet control laws in the country. Cybersecurity company Kaspersky is among the last of the companies offering Virtual Private Network (VPN) services to halt its service while Russian internet company, Yandex, is transferring most of its businesses out of Russia to avoid sanctions.12
Another point to ponder is the role of state-sponsored and state-sanctioned hacking groups and individuals in the cyber conflict. Russia is home to many hacking groups which are perceived to be sponsored by the intelligence agencies. These groups have been used to disrupt critical infrastructure, steal sensitive information, and spread disinformation. Intelligence agencies such as the GRU (Main Directorate of the General Staff of the Armed Forces of the Russian Federation) and the FSB (Federal Security Service) have strived to maintain a furtive relationship with groups such as Killnet, seen to be responsible for many cyber attacks on Ukraine and other countries supporting Ukraine.13
This approach worked well in an era of low intensity conflict, but has fallen short in the current conflict because command and control is too diversified, and the emphasis is more on disinformation and disruptive activities than on achieving strategic goals. The decentralised plausible deniability approach, which has been Russia’s default position with the intelligence agencies at the fore, is not an optimum set-up in a kinetic conflict situation since there is no clarity on who exactly is in charge. This has led to confusion over the strategic aims of these attacks and ineffective information diffusion to cater to the tactical and operational requirements of the military.
On the Ukrainian side, the government has encouraged the formation of the “Ukrainian IT army”, made up largely of patriotic hackers and cyber vigilante organisations from around the world. They have been engaged in similar actions directed against Russian entities.14 All these largely illegal activities can be considered a setback in the quest for setting rules of the road in cyberspace through norms of state behaviour, since these activities are being both condoned and encouraged not just by Ukraine but also by Ukrainian allies such as the United States. The NATO-sponsored Tallinn Manual goes into great detail on how to adapt international humanitarian law to cyber activities during wartime, including distinguishing between military and civilian actors and targets, but none of that seems to make a difference in the current free-for-all.
Though these cyber vigilantes have been put to good use by Ukraine, there is a huge question mark over the legality of their use in an active war situation. Much of the progress on paper of framing rules of the road for cyberspace has been rendered infructuous by these activities. In fact, the ongoing UN processes such as the Open Ended Working Group (OEWG) have become sites of proxy attacks by one side against the other, and this is seeping into the process itself. The decades-long process to evolve norms of state behaviour through various UN processes could possibly suffer quite a bit of collateral damage as a result of the conflict, with the opposing sides taking pot shots at each other becoming the main spectacle at these meetings. In any case, only glacial progress was being made as different blocs had begun to dig in their heels.
Whilst the final outcome of the conflict is yet to be determined, the needle has moved when it comes to certain aspects of cyber conflict. The cyber-warriors of all hues and shades will continue to carry out their operations from the shadows; however, the current conflict shows that a command-and-control structure goes further in achieving strategic objectives. Mission creep is something that can only be avoided through well laid-out objectives and clearly delineated responsibilities.
Tech companies have shown their indispensability in maintaining the resilience of the Ukrainian networks and critical infrastructure but, on the flip side, this has also served to highlight the vulnerabilities faced by countries in depending on the virtual monopoly of these companies in the tech space, reminiscent of the dependence on semiconductors that came to the fore in the past year. As with semiconductors, there are few viable immediate workarounds for these dependencies. Going forward, it is likely, though, that technologies and their vendors will be seen less as global public goods and will be subject to many tests of credibility and reliability.
The events so far show that cyber resilience is viable and cyberwar still remains a foggy concept. Words and phrases like holistic, whole-of-nation and public–private partnership might have become cliches in the context of cyber security, but these are the approaches that work. International co-operation in framing rules of the road for cyberspace might be at its lowest point, in which case there is no way to go but up. Winners and losers might be relative terms here, but there are enough lessons to be learnt from the conflict.
Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.