The scale and pace of Russia’s wartime cyber operations have been unprecedented, but Ukraine has nonetheless provided the world with a masterclass in withstanding open cyber warfare through bolstered defences and improved resilience, according to a European Cyber Conflict Research Institute (ECCRI) report commissioned for the National Cyber Security Centre’s annual CyberUK event, which continues on Thursday 20 April in Belfast.
The wide-ranging report, The cyber dimensions of the Russia-Ukraine war, contains detailed analysis of the cyber security dimension to Russia’s war on Ukraine, offering potentially valuable new insights to learn from.
“We are very grateful to ECCRI for this important and valuable analysis of the cyber dimensions of the Russia-Ukraine conflict to date,” said NCSC operations director Paul Chichester.
“The report offers a range of helpful insights, not least around what Ukraine has taught us about the power of resilient systems in the face of sustained cyber attacks. As we look to the future during our CyberUK conference, this is a timely contribution to the debate on what we can learn from the conflict, as well as the limits to our current understanding.”
Security minister Tom Tugendhat added: “Putin’s illegal war isn’t just being fought on the ground. Ukraine’s protectors are also defending their country against unprecedented cyber attacks on a digital battlefield. This report has shone an important spotlight on a different kind of hostility, which the Ukrainians have responded to with exceptional resilience and determination. We must carefully assess its findings and learn the lessons it has to offer.”
The report is based on a workshop held under the Chatham House Rule earlier this year, at which participants explored angles such as the role played both by cyber criminals and political hacktivists – as detailed earlier this week in an NCSC alert on mercenary hacktivist groups.
It looks at how the lines between cyber criminal groups and political hacktivists on the Russian side have become blurred, with some groups claiming to be politically motivated, but then by their actions seeming more interested in stealing money than making a statement – Conti, and its subsequent split and downfall, is a good example of this.
Some criminal groups, panellists noted, seem to have pivoted from denying access to information for financial gain, to stealing information for espionage purposes. Ransomware, it seems, is becoming ever more politicised.
On the Ukrainian side, it explores the impact of the ad hoc IT Army of Ukraine, a band of cyber warriors encouraged by Kyiv who have met with success in gamifying the Ukrainian cyber response and may have contributed to “romanticising” the conflict.
Panellists at the workshop expressed some concerns that the IT Army has “skirted the boundaries” of some established cyber norms and may have participated in attacks that violate international law – even though they were against Russia. The panel also noted that the IT Army raises questions for the future, in terms of what its globally dispersed members do after the war, what kind of threat they pose in the long run, and whether any of them are at risk of being radicalised into cyber criminality or worse.
The report is not wholly full of praise for Ukraine in other regards too, and in a section exploring limitations to visibility and analysis of cyber warfare incidents, notes that Kyiv has created an “interesting and often subtle” barrier to a truly coherent analysis by curating the information that its allies in the west see.
The panel said that while Ukraine has talked openly about some of the incidents that have targeted its own infrastructure, for understandable operational security reasons it has offered far less visibility into offensive cyber activity in support of its own campaign. But overall, they agreed, Ukraine has proved exceptionally adept at managing the narrative, and public opinion, to its advantage, exploiting the digital realm to influence public opinion against Russia and bring together a coalition of wealthy and militarily advanced allies to support it.
The report also asks critical questions around the role of tech industry support to Ukraine, in particular how, and whether or not, large technology companies should remain neutral. Many, including Microsoft which has donated millions of dollars of services to Kyiv’s war effort, have proven invaluable in their support. Others have quietly committed support, or promised to withdraw from Russia at the very least and then quietly remained on the ground, citing operational issues.
The importance of resilience
Ultimately, the report concludes, Ukraine’s ability to withstand Russia’s cyber war has clearly shown the importance of cyber resilience.
Panellists agreed that Ukraine has learned a lot of useful lessons since Russia first violated its sovereignty by illegally occupying and annexing Crimea in 2014, such as how to build resilient systems by capitalising on its deep familiarity with Russian tactics. In line with the NCSC’s focus on resilience at this year’s CyberUK conference, several panellists argued that resilience should be at the heart of any country’s defensive strategy.
Overall, the report says, when push comes to shove, Ukraine has demonstrated that the ability to mount a good defence in cyberspace counts for much more than one might have thought, and this will likely have major repercussions on how future cyber operations are conducted.
But ultimately, it stresses that the lessons learned from the war on Ukraine may not be easily applied to other conflict situations, such as the potential flashpoint between China and Taiwan. This is for a number of reasons, among them geographical ones; Ukraine faced an unprepared and overconfident enemy with which it shares a long land border, factors that cannot be said to apply to the situation that Taiwan may one day be confronted with.