As Ukraine has entered the new reality of Russian invasion, the country has also suffered a number of cyberattacks on top of the ongoing warfare. But what does a “cyberwar” actually mean and is Russia waging it?
In January, around 70 million Ukrainian government websites were defaced or disabled, with Microsoft identifying ransomware-like malware on dozens of government, non-profit, and IT organizations.
But, says Sandra Joyce, EVP, and head of Mandiant Intelligence, “This isn’t just a Ukraine problem. In fact, we believe that after attacking US and French elections, Western media, the Olympics, and many other targets with limited repercussions, Russia is emboldened to use their most aggressive cyber capabilities throughout the West.”
US security agencies have previously warned that Russian state-sponsored hackers have been targeting defense contractors and subcontractors to the Department of Defense (DoD) to acquire sensitive information, while US and European regulators have warned that banks could also become targets.
So far, the main response from Western governments to this threat has been official warnings to businesses and public bodies that they should step up their cyber defenses.
While it has been mostly silent on the Ukrainian cyber front in recent days, its representatives in other countries, such as the UK, complained about constant cyberattacks. It’s possible that the coming days and weeks could see the outbreak of a true cyberwar. Certainly, President Biden is open to the possibility, recently warning that the US was prepared to respond to any cyberattacks against its companies or critical infrastructure.
“Adding cyber warfare into the mix with traditional land, seas, air, and space conflict will be the norm. It is a new form of hybrid warfare for the 21st century,” Sam Curry, chief security officer at security firm Cybereason, tells Cybernews.
“Ground wars with tanks, missiles, and infantry will not disappear, but a nation’s ability to defend itself from critical infrastructure attacks, supply chain attacks through government contractors and other contractors will not only increase but continue to be a challenge.”
There is, though, increasing uneasiness about referring to state-sponsored cyberattacks as “cyber warfare,” with the legal position somewhat unclear.
Under Article 5 of the NATO treaty, an attack on any of its 30 members is considered an attack on all – and, in 2019, it was decided that cyberattacks could trigger this article.
“We have designated cyberspace a domain in which NATO will operate and defend itself as effectively as it does in the air, on land, and at sea,” said NATO secretary-general Jens Stoltenberg.
“This means we will deter and defend against any aggression towards allies, whether it takes place in the physical world or the virtual one.”
There is, however, no definition of how serious such cyberattacks would have to be in order to merit retaliation – and in theory, a cyberattack could legitimately be responded to with physical force. There are, clearly, big questions around proportionality.
Quite surely, NATO has been reluctant to fully join the ongoing warfare so far – refusing to close the sky over Ukraine in fears of provoking the aggressor and entering a full-scale war. And it is unlikely that a significant cyberattack on Ukraine would trigger a military response from them.
There’s also the thorny issue of attribution. In cyberwars, pointing evidence to a certain country is often hard to collect – regardless of how certain you are.
“Attackers are well versed in hiding their tracks, some much more than others. The process of laying false flags for defenders and investigators makes this harder again and, as a result, takes time and talent which is in short supply,” says Jason Steer, principal security strategist at security firm Recorded Future.
“Net result – attribution is not going to be possible in many cases, which leads to unclear conclusions in investigations at strategic levels.”
Issues like these will make it very difficult for governments to respond to cyberattacks without being accused of picking the wrong target.
“We should prepare without succumbing to paranoia,” says Joyce, “and remain mindful that, when it comes to cyberattacks, the bang is often worse than the blast.”