‘The potential for the next Pearl Harbor could very well be a cyberattack.’
US Defense Secretary Leon Panetta, 2012
This (in)famous warning has been discussed and re-discussed since 2012. Could a devastating cyberattack against critical infrastructure – like an energy grid or a water facility – be a prelude to all-out war? The past decade has taught us that, in spite of numerous severe cyberattacks around the world (including NotPetya, SolarWinds, WannaCry, BlackEnergy, etc.), countries haven’t called for arms in response.
Tensions concerning Ukraine, during the months and days before the invasion, reignited some of the worries that severe cyberattacks could be deployed in the absence of an open use of force, which could further escalate into an open conflict. While an open conflict did emerge, expected high-impact cyberattacks didn’t take place.
Why is that so? Because high-impact attacks have a specific advantage ‘in peacetime’ – to disrupt and destroy infrastructure without risking open war. What the Ukraine conflict shows is that, once missiles are launched, they dominate the cyber options. For now.
However, this does not imply there is no wartime use of cyberattacks, as we can see from examples of wipers that disrupted the work of companies and DDoS attacks that made certain sites unavailable, aiming to spread panic. Particularly impactful would be cyberattacks against the infrastructure that supports military activities (e.g. the Ministry of Defense forces servers, intelligence apparatus including satellite technology, etc.).
An emergence of cyber-group clashes can also be observed. Both Russia and Ukraine host some of the most skilled and experienced ‘cyber mercenaries’, who have started taking sides. Ukraine has started mobilising both its nationals and interested foreigners to conduct coordinated attacks against various digital infrastructures in Russia. Anonymous, a global, politically driven group of cyber activists, has joined in and declared war against Russia, attacking its digital infrastructure. On the other hand, various cybercrime groups, often hosted in and tolerated by Russia, have warned they would strike back.
Can it escalate?
The current political climate carries a high risk of cyberattacks getting out of control and escalating beyond the conflict in Ukraine. Some countries have already expressed their concerns about possible cyberattacks targeting their national critical infrastructures. There are several possible scenarios for escalation:
- To increase its offensive, Russia adds devastating cyberattacks to its ground activities, and some of those attacks spill over beyond the borders of Ukraine. While this has happened already during the first days of the conflict with the wiper malware, which ended up in some neighbouring Baltic countries as well, thus far experts confirm that cyberattacks against Ukraine were unusually well focused and customised to avoid spillover similar to that of the NotPetya ransomware in 2017.
- Attacks by cyber groups from and against Russia, Ukraine, or other countries get (mis)interpreted as state-sponsored attacks. The attribution of cyberattacks remains highly complex, and the involvement of numerous self-organised cyber groups and individuals, many of which have already left footprints in state-linked attacks in the past, further blurs the distinction and ‘invites’ misinterpretation.
- In response to economic sanctions, Russia decides to conduct cyberattacks against the critical infrastructure in the USA and other countries. Though this would clearly cross the red lines that US President Biden presented to President Putin at their meeting in June 2021 in Geneva, it is a possible scenario in situations where Russia has already ‘crossed the Rubicon’ with invasion, and where the sanctions may be interpreted as a form of attack against it, anyhow.
- The USA may decide to enhance its efforts to slow down Russian operations by unleashing ‘defence forward’ cyber options – essentially launching clandestine offensive cyber operations to disrupt some Russian infrastructures (from military to transport to financial). News of such options being on the table was quickly denounced by the White House, but it is not a secret that the limits of a defence-only approach have been discussed in the USA in recent years. Russia, for its part, was very clear that it would interpret this as attacks.
In any of those cases, Russia and states other than Ukraine (which it is already at war with) may interpret such attacks as use of force – or, depending on the effects of an attack (e.g. disruption of critical societal services, or even loss of life due to it), even its gravest form – as an armed attack. It would then be up to the attacked states to decide if and how to respond.
Russia, in its current status and in line with decisions to put nuclear forces on high alert, might respond with devastating cyberattacks. On the other hand, the USA and NATO, for their part, have already confirmed that a cyberattack against any of its members would trigger Article 5 of the NATO Charter, allowing NATO to strike back with all means available. In the past, the USA and allies have mainly resorted to public attribution of attacks to Russia and, eventually, some sanctions against involved individuals. With their portfolio of sanctions now almost exhausted already, there is not much more that they could do to respond to such attacks – so counter cyberattacks remain a possible option.
Any comfort in international law?
There are several major cyber agreements in the UN that both Russia and Ukraine, along with all other countries, have endorsed. The framework of responsible state behaviour is defined by the agreements of the UN Open-ended Working Group (OEWG) and the UN Group of Governmental Experts (GGE) – all subsequently adopted by the UN General Assembly (UNGA).
This framework, among others:
- confirms that international law, including the UN Charter, applies to cyberspace,
- confirms that international humanitarian law applies, but only in situations of armed conflict,
- outlines a number of voluntary cyber norms that states should adhere to.
While the framework provides the basis for more predictable developments, there are a number of elements that can render it useless: from the lack of clarity and agreement on how international law applies in case of a cyberattack (e.g. what constitutes an armed attack in cyberspace, whether states under cyberattacks may trigger their right to self-defence, and should that imply only cyber retaliation or response with all means available), to the fact that cyber norms are voluntary.
The concurrent kinetic attacks, cyberattacks, and sanctions raise another set of questions that have not yet been sufficiently addressed at the OEWG or the GGE. The Russo-Ukrainian war is a hybrid war, being fought on the ground as well as in the digital realm. According to the resolution adopted in the UN General Assembly (Resolution A/RES/ES-11/1), Russian troops formally entering the territory of Ukraine violated Art 2(4) of the UN Charter, which requires states to refrain from the use of force against territorial integrity. This, in turn, triggered the application of international humanitarian law, including the Geneva Conventions. The questions remain on how the rules of traditional warfare and the voluntary normative framework described above apply to the digital part of this conflict. Should cyberattacks be considered as part of the military operations? What are the consequences of involving third states or non-state actors in the cyberattacks between two states at war? All the questions that remain open within the ongoing OEWG 2020-2025 discussions on due diligence, attribution, definition of use of force in a cyber setting, critical infrastructure, international humanitarian law protections, and many more are being acted out in real time.
In practice, cyber stability depends on the willingness of the parties to adhere to what they agreed to. Given the current state of adherence to international law and agreements, expectations are rather modest.
What to hope for
Prospects seem rather gloomy if any of the scenarios comes true. Even the ‘best of the worst case scenarios’ of escalation – an ‘all-out’ cyberwar (short of the exchange of missiles) – would bring vast societal and economic disruptions and destruction on all sides, impacts on civilians with humanitarian and human rights consequences, with unpredictable outcomes and possible further escalations.
Hope remains in the preservation of sanity and cooperation. On one hand, it is important that all parties involved become fully aware of the dangers in taking actions that can further escalate tensions, even if (or particularly if) related to the cyber realm. Strict adherence to international law and the cyber norms agreed within the UN is critical, to increase predictability, enable dialogue, protect citizens, and prevent human suffering. On the other hand, the global – and by all means global, with no party excluded – cybersecurity community needs to keep talking and exchanging experiences, working jointly to reduce possibilities of high-impact cyberattacks on either side and against either actor.
It is our joint responsibility.