29 Juni 2022
Formative events often serve as a baseline for assessing future situations, and dissimilarities between past and future tend to be overlooked – sometimes to the detriment of sound policy-making. The question should therefore not be whether we will enter a dynamic era of policy learning, as indicated by use of the term “Zeitenwende” in recent German security discourse. Instead, we should ask whether we will learn the right lessons. In times when old paradigms are questioned, policy entrepreneurs will try to seize the moment and provide solutions to pressing challenges. Sometimes the evidence in support of such radical overhauls of existing policies is rather thin. The best example is the newly flared up debate on hack backs in Germany and elsewhere.
Advocates of more governmental leeway with regard to hack backs seem to imply that such measures are indispensable when it comes to creating strong cyber defences. Yet in the case of Ukraine, one does not find much evidence in support of this view, at least not within the public domain. While the US recently admitted to having conducted both defensive and offensive cyber operations in support of Ukraine, this information alone implies nothing about the role of active defence measures, let alone their success. The US has also revealed the deployment of 28 “hunt forward missions” to 16 nations since 2018, including Ukraine between December 2021 and February 2022. While theoretically such missions could include joint operations within Russian networks, they were in fact limited to the scanning of friendly networks and information sharing, as explained by Joe Hartman, the commander of the US Cyber National Mission Force. Hartmann also explicitly stated that they’re not attacking Russia. The Ukrainian government for its part declared that some of the attacks of the “IT Army” on roughly 400 Russian systems were preventive in nature, without however providing any further details.
It is, of course, entirely possible that future revelations will provide much stronger evidence of an important role of network intrusions as active defence measures within the overall Ukrainian and allied cyber defence effort. Yet even then, it is still telling to see that advocates of hack-backs have so far been able to seize the opportunity and to shape policy debates without providing such evidence. This makes it all the more necessary for the cybersecurity community to set the record straight and to provide alternative ideas on how to support cybersecurity in Europe and beyond.
So What Now?
While it is beyond the scope of this article to provide detailed policy suggestions, a few tentative answers as to the policy implications of the above analysis can be given. First and given the risks of spill-over effects and unintended escalation, NATO countries need to make sure that communication channels with the Russian leadership remain open and that they are used for the very limited, but important aim, of crisis management. News that General Mark Milley, Chairman of the US Joint Chiefs of Staff, has had a call with his Russian counterpart for the first time since the beginning of the war, is comforting ins this regard. But there are also cyber-specific communication channels that hopefully are still ready for use in case of a major cyber incident, for example within the OSCE context.
Second, Western policy-makers will need to walk the talk when it comes to their commitment to the normative acquis of the UN norms of responsible state behaviour. Two issues are crucial in this regard. The first is to insist on the sanctity of the internet public core by declining proposals of disintegrating Russia from the Domain Name System. The fact that ICANN did just that and that no major cyber power supported the proposal is to be welcomed. However, Western attitudes on the second issue, the enlistment of private hackers by the Ukrainian government, are far more ambivalent. While from the perspective of the Ukrainian government, fighting for the very existence of the country against Russian imperialism, it is absolutely necessary to use every means available, this does not mean that those countries whose citizens decided to participate in this effort can ignore the issue.
If they do, the precedent set by Ukraine’s global crowdsourcing of offensive cyber and the indifferent attitude shown by Western governments could certainly backfire by eroding a cornerstone of the UN cyber norms framework: state obligations to take measures against malicious cyber activity that originates from within their jurisdiction At the very least, it is highly likely that future efforts of Western cyber diplomacy to strengthen norms of state responsibility will be countered by allegations of hypocrisy by those who do not want to see the UN framework become implemented.
Finally, the international community should explore ways of emulating the strength of the Ukrainian cyber defence. Not by pursuing hack-backs or other highly intrusive active defence measures but by understanding the source of Ukraine’s cyber resilience and by supporting similar policy measures in other world regions. While efforts to step up international capacity-building are a key in this regard, they will most likely not suffice to establish a level playing field. A complementary need of institutionalising short-term assistance provided in crisis situations is therefore needed, for example through multilateral rapid cyber reaction.