21 June 2022
Other conflicts may not play out in cyberspace as the Ukraine war has thus far. Attackers might be better prepared and more willing to use offensive cyber capabilities; defenders, on the other hand, might well have less experience and fewer international allies. In this third part, I want to focus on domain-specific escalation risks. Although these risks have not (yet) materialised within the Ukraine context, there is nevertheless plenty of evidence to corroborate their existence. In fact, the war seems to have aggravated a number of problematic tendencies that could seriously undermine escalation control going forward.
Cyber operations often pose the risk of unintended spillover effects and collateral damage, as past events have shown. This is largely due to the complexity of interconnected IT systems and the difficulty of knowing the specifics of the target system's hardware and software. At the beginning of the Russian invasion of Ukraine, HermeticWiper, the malware used against hundreds of Ukrainian machines, also affected two companies in Lithuania and Latvia that worked for the Ukrainian government. It is hard to say whether these contractors were hit on purpose or by accident. In the KA-Sat case, by contrast, the spillover was certainly unwanted, although not necessarily unforeseeable. On the very first day of the invasion, Russian hackers targeted the terrestrial infrastructure of KA-Sat, a commercial satellite system that provides internet connectivity to thousands of users across Europe, North Africa, and the Middle East – including the Ukrainian military. As a result of the attack, the connecting devices of hundreds of users were no longer operable, with effects as far-reaching as inadvertently disabling the remote servicing infrastructure of thousands of wind turbines in Germany.
Beyond simply illustrating the risk of spillover, the KA-Sat incident also illustrates another, perhaps even more dangerous, effect on escalation control: the unintentional crossing of the line between civil and military uses of IT systems. While in this case the operational aim of disrupting Ukrainian military communication unintentionally affected thousands of civilian users, we can easily imagine the opposite scenario, in which an operation against civilian targets unintentionally disrupts military systems. In such a scenario, one cannot rule out that a cyber-attack affecting military communication systems may well appear to be the preparation of a decapitation strike by opposing forces, which, in turn, could motivate pre-emptive measures. A statement by the head of the Russian space agency, Dmitry Rogozin, that hacking satellites would constitute an act of war is telling in this regard. What makes such a statement so dangerous is the fact that military and civil uses are hard to disentangle, at least from the outside. There is thus a huge potential for misperception and unintended escalation, and this will stay with us over the coming months and beyond this conflict as well.
A second notable development is the way in which the Ukraine war has given new impetus to the use of cyber proxies, arguably to the detriment of international accountability and crisis management. Blurred lines between state and private responsibilities, and the use of proxies, are certainly not new topics. Back in 2018, Robert Williams characterised Western notions of state versus private capacities and roles as misleading when it comes to understanding Chinese offensive cyber operations, given that these encompass individuals with various industrial, military, and academic affiliations. For roughly two decades, the use of proxies has mainly been discussed as a practice of authoritarian countries whose aim was, amongst others, to ensure plausible deniability and to avoid international attribution and countermeasures. The use of proxies by authoritarian countries was one, if not the, key reason why mostly Western states sought to strengthen the principle of due diligence within the framework of the UN norms of responsible state behaviour. Based on these norms, Western states have started to link the malicious activities of individual hackers more explicitly to state authorities in China, Russia and North Korea, for example in the context of US indictments.
The Rise of Western Proxies?
Of course, the use of such proxies, including the ever-growing category of Advanced Persistent Threat groups, was never acknowledged by authoritarian regimes. By creating the so-called IT Army of Ukraine and by soliciting the support of private hackers worldwide, the Ukrainian government became the first government to openly crowdsource its offensive cyber operations. While technically Ukraine itself – being in a state of war with Russia – was not obliged to adhere to the peacetime UN norms of responsible state behaviour, it nevertheless set a problematic precedent that others might follow. Moreover, third countries are under an obligation to at least discourage their citizens from participating in such hacking activities. So far, there have been only very few such statements, for example recently from the United States. This indifference bears the risk of normalising a practice that raises a whole range of questions: who should, and who is able to, coordinate tens or even hundreds of thousands of private hackers? Who sets limits on their attacks and enforces them, for example to prevent infrastructure vulnerabilities from being exploited rather than passed on to officials? Who is ultimately accountable and responsible for collateral damage? What if the actions of those who are not integrated into the Ukrainian IT Army are nevertheless perceived as state-orchestrated by Russian authorities? And finally, will all those private actors adhere to whatever ceasefire or political agreement comes to fruition sometime in the future?
Finally, we witnessed many instances in which disinformation and hacking were combined in novel ways, apparently to maximise human insecurity and disorientation. The best-known example might be the deepfake of President Zelensky, in which he apparently announced military defeat and called on his troops to lay down their arms and go home. This video was not only shared via social media; it was also run on a TV news programme after the broadcaster fell victim to a hacking attack. No less disturbing are reports of hackers gaining access to the Russian civil emergency protection agency and publishing an entry warning Russian citizens of an imminent NATO nuclear attack around Easter. Neither of these two attempts succeeded in causing mass panic. But they clearly illustrate what could become standard practice in future wars, very much to the detriment of human security in war-torn regions.