Hybrid Warfare: A new arms race, cyber-operations and grassroots participation

Konstantinos Lambrinidis

Over the past two decades warfare has experienced a remarkable shift in tactics. Rather than relying on conventional military overpowering, states have bolstered covert offensive and defensive capabilities, ranging from drone surveillance, information warfare, and data-powered espionage to expanding their offensive cyberspace capabilities. Currently a legal “no man’s land”, cyberspace is not bound by international agreements in the way that the Geneva Convention regulates and sets legal parameters for armed conflict. For this reason, it is imperative that the UN devises a robust legal framework that will not only safeguard and regulate the development of cyber tools, similar to the way the Nuclear Non-Proliferation Treaty does with nuclear weapons, but will also mitigate and respond to current threats. Specifically, given the current Russo-Ukrainian war context, this policy area is highly relevant and a pressing issue that, if left unaddressed, can lead to further escalations that will be difficult to moderate in the future. This post aims to inform readers about modern state approaches to cyberwarfare policies and tactics, current developments regarding the use of cyberspace operations in the Russo-Ukrainian conflict, and the physical challenges the international community already faces because of weak regulatory practices.

Cyberattacks in modern conflict are an underexplored aspect of modern power projection exercised by both state and non-state actors, wherein actors utilize ICT tools to mobilize electronic resources with the aim of disrupting vital computer systems and networks. While there is no de facto definition for the practice, James A. Green defines cyberwarfare as “an extension of foreign policy by actions taken in the cyber dimension by both state and non-state actors, representing a security threat to another state’s sovereignty”. While the definition is rather broad, it encompasses the primary characteristics of the approach; I would however broaden the definition by adding that state-endorsed cyber operations are often used to achieve political goals remotely, covertly, and usually with a certain degree of plausible deniability. The Stuxnet attack in 2010 is widely believed to be ground zero of state-led cyberattacks, when a US-Israeli computer virus successfully stalled Iran’s nuclear program. The Russian government, however, had already initiated the first widely observed use of offensive mass-scale cyber capabilities when it launched a DDoS (Distributed Denial of Service) attack against Estonian internet infrastructure in 2007. Such attacks flood websites with illegitimate traffic (usually via botnets), overloading their servers and making them inaccessible to legitimate users. The attack is largely thought to have been the Russian state’s response to the relocation of a Soviet-era statue from the centre of Tallinn to a military cemetery, and victims of the cyberattack included banks, media outlets and government portals. The physical effects of the cyber-attack translated into ATMs rendered unusable, governmental email communications made inoperable and media publications largely unable to deliver news updates. While the attacks were not debilitating and were most likely only used for intimidation, they clearly demonstrated the future potential of cyberattacks. This early display of cyber capabilities set the pace for widespread future use of similar tactics by the Russian state, which adopted the strategy for use in its foreign security policy.

During the Russian invasion of Georgia in 2008, Russia flexed its cyber-capabilities in what is believed to be the first de facto case of “hybrid warfare”. The Russian offensive employed both kinetic and non-kinetic tactics, ranging from the traditional use of armed forces, armoured vehicles and artillery strikes, to a state-sponsored cyberattack campaign which utilized grassroots support to disrupt Georgian government websites and media. While the combined use of conventional and cyber tactics during the armed incursion marked a first, what is even more intriguing about the cyber aspect of the invasion was the creation of “www.stopgeorgia.ru”. Promoted on Russian hacking forums, the website went online during the armed incursion and encouraged the grassroots participation of “hacktivists” to aid the Russian state in debilitating the Georgian cyber domain. The website offered easy-to-use DDoS software designed to overload websites with traffic, and a list of Georgian websites to be targeted. Additionally, the website provided simple-to-follow instructions on how to operate the software, and a post-action report page that was most likely used for user feedback on the Russian DDoS tool for future improvements. By inviting civilians to participate in the conflict, Russia drew blurry lines between combatants and non-combatants. Despite not being physically involved in the invasion, the participants were assisting the Russian state in achieving its foreign policy objectives; whether participants did it for fun, educational purposes or due to a strong nationalist sentiment, the incident marked the first time a government had crowdsourced its offensive cyber-capabilities from a civilian pool.

A hacked Georgian government page comparing the incumbent President to Hitler

In 2014, the advent of the Russo-Ukrainian conflict expanded Russia’s hybrid warfare approach, albeit in a more sophisticated manner. Following the annexation of Crimea, Russia utilized its cyber offensive capability to shut down the Ukrainian power grid, leaving civilians in the capital and western regions without electricity for up to six hours, adversely affecting non-combatant civilian populations. Since then, Russian cyberattacks against Ukraine have increased in frequency, notably with the 2017 NotPetya ransomware attack. The malicious data-compromising software employed by the Russian military intelligence service (GRU) primarily targeted Ukrainian governmental, energy and financial institutions and was designed to rapidly propagate within their computer networks, encrypting their data, and then requesting ransom payments in Bitcoin. There was, however, no means of decrypting the data regardless of ransom payment, revealing that the attack was disruptive in nature rather than being used for monetary gain; payment was just a bonus for the state-endorsed perpetrators, and a potential source of revenue given that Russia had been targeted by a sanctions regime over its aggression in Ukraine. Despite only Ukraine having been targeted by the malware, the attack affected over 200,000 computers worldwide, destroying all compromised data and costing billions to affected parties. It is important to note that 1/5th of the Fortune 500 companies rely on Ukraine’s IT outsourcing industry, revealing how devastating cyber-attacks can be for the interconnected worldwide community and not only the recipient state.

GRU operatives wanted by the FBI for their involvement in NotPetya

In January 2022 Ukraine was once again the target of a barrage of cyberattacks, namely HermeticWiper, and since the Russian invasion of Ukrainian territory, cyberattacks have been occurring at an unprecedented scale. Beginning one day before the armed assault in February 2022, the HermeticWiper malware was discovered in hundreds of Ukrainian computers, including a financial institution in Ukraine and Ukrainian government contractors in Latvia and Lithuania, while additional DDoS attacks were also underway ahead of the military incursion. These events pose a major future challenge for the international community, as a cyberattack spillover can sow dissent in international politics. For instance, NATO’s Article V on collective defence states that an attack on one member state constitutes an attack on all and will be responded to as such. Does the case of the Russian state-endorsed HermeticWiper cyberattack affecting Latvia and Lithuania, both NATO members, warrant retaliation by other NATO members? What would the effects of such a response be? The practical and ethical considerations of collective offensive cyber policies raise significant concerns and reveal an uncharted territory that is rapidly becoming the stage for covert international conflict. While no physical harm has stemmed from these attacks (yet), they were still a part of a hybrid invasion strategy, which has already harmed civilian populations. Unlike the case of Estonia in 2007, wherein civilians were inconvenienced but not harmed by the attacks, the 2022 Ukrainian cyberattacks were a part of a larger hybrid invasion tactic that spilled over to two NATO member states. Should this provoke NATO reprisal? Theoretically, it should. However, since this event is unprecedented, any retaliatory action would be premature given the nature of the legal status of cyberwarfare, highlighting the necessity for relevant policy formation.

What is greatly alarming during this conflict, however, is the increasing grassroots participation of civilian hacktivists in conflict scenarios. In response to the Russian hybrid invasion, the Ukrainian Vice Prime Minister Mikhailo Fedorov urged Twitter users to join the Ukrainian IT army, where individuals are instructed to carry out cyber operations against Russia through a Telegram channel, in a similar way to how Russia urged internet users to aid its cyber operations during the Georgian invasion.

The Ukrainian Vice Prime Minister urging internet users to join the Ukrainian “IT army”

Additionally, the activist hacker group Anonymous has declared war against Russia, having so far targeted Russian banks, media and the state’s space agency, while another group targeted a Belarusian rail line that has been used for troop transport. Another hacking collective based in Ukraine has claimed it is targeting the Russian energy grid in retaliation for the offensive. On the Russian side, the Conti group and UNC1151 are amongst many hacking groups that have waged cyberwar against the Kremlin’s opponents.

The Conti forum announcing their allegiance to the Kremlin

This unprecedented grassroots involvement in conflict may signal a new era in warfare, in which state-led, non-partisan and for-profit hacking organizations join state conflicts, each for their own purposes, working with, for and against governments. Such cyber groups can be likened to the state-sanctioned privateers of the 17th and 18th centuries, who offered their disruptive services to governments in exchange for legal immunity for their actions. In a similar fashion, hacking collectives are currently violating national and international law by carrying out cyberattacks, but given the current political climate dominating the Russo-Ukrainian war, governments across the world are seemingly turning a blind eye to the phenomenon. States seem to be feeding into a civilian sense of individual agency on issues of a nationalist character and inviting non-combatants from all over the world to partake in nationalist campaigns. Nothing is stopping global internet users from also aiding such efforts. Should global citizens be able to participate in cyberwars outside their borders?

Recent developments have displayed the disruptive nature of cyberwarfare and have become a catalyst for states and civilians to realize that capability. Will similar state-led grassroots hacking campaigns be used again in future conflicts? Will future malware spillovers risk triggering NATO’s Article V? How can this be regulated? During the study trip to the UN Headquarters in Geneva, these are policy areas I would like to discuss with officials if given the opportunity. The reality is that these are pressing issues that the UN has not yet addressed. Conventional warfare is regulated by the Geneva Convention, which instilled a sense of legality and accountability in the otherwise lawless state of warfare. Cyberwarfare, on the other hand, is a modern approach to conflict that is as yet unregulated, and due to the lack of internationally agreed norms it is currently unrestricted in its damage capacity. While the UN has an active Open-Ended Working Group relating to information technologies and international security, there is no concrete legal framework that sets boundaries to ICT weaponization yet. Unless tackled by the international community soon, this could prove largely problematic for international security.

While I recognize that these enquiries may not be answered during the study trip, given time limitations, rapid contemporary developments, and maybe a lack of technical knowledge by the experts we will be meeting, I would appreciate a general insight into how policies are formed, and the overall information exchange that informs the drafting of new policies. I have always considered pursuing a career in the UN, but over the years it has become increasingly unattractive due to its perceived bureaucratic nature; while I appreciate its mission, the reality is that its good intentions are diminished along the way of lengthy bureaucratic processes. This visit could be a great chance to witness whether my expectations and inhibitions regarding the UN are justified. Nevertheless, the study trip to the UN headquarters could be greatly beneficial for my future career path. Having already worked under the UN banner I recognize that the organization can unlock many work opportunities, and this would be an excellent chance to expand my network of contacts, which may eventually lead me to a job that relates to international security affairs. The opportunity to interact with experts would be an invaluable experience and could reveal what a job in the sector really looks like. Is it all paperwork and minute-taking or are individuals given the opportunity to brainstorm and contribute to policy making? I welcome the opportunity to observe a “typical” working day in the office environment and witness how the work gets divided across departments and hierarchies – I imagine the organizational structure to resemble a beehive; having said that though, I wonder, are employees valued for their individuality or is their individuality diluted through the hierarchy? Do employees feel a sense of agency in the decision making or are they in fact alienated from the process?

What I would mostly expect from this visit however is career guidance; asking employees what steps got them where they currently are and if they consider their current employment a stepping stone for their own career trajectory. Having always wished to work in the international affairs sector, this could be the chance to decide if that is in fact the field I want to dedicate my working life to, and if so, get advice on how to achieve my goal.
