05 December 2022
The Ukraine War has underscored the urgency of addressing the substantial peace and security risks of cyber operations. While there have not been any successful large-scale destructive cyberattacks thus far, the way in which cyber capabilities have been used by both state and non-state actors nevertheless has worrying implications. Existing dilemmas of how to address such risks with appropriate governance responses have been aggravated by geopolitical and geoeconomic circumstances.
Three such dilemmas will be discussed here: enabling transnational solidarity and practical defence cooperation without undermining principles of state responsibility; coping with criminal cyber proxies while avoiding escalatory or militarized cyber postures; and lastly, balancing greater supply chain security with cross-border incident response and security research.
Many EU and NATO member states have been ardent supporters of the principle of state responsibility for addressing transnational malicious cyber incidents for over a decade, both within negotiations at UN level and in their practical responses to specific cyberattacks. A key rationale is to counter the use of cyber proxies, a common strategy for evading international accountability used, for example, by Russia, China and Iran.
A very basic understanding of state responsibility or due diligence has become universally accepted as one of the UN voluntary norms, requiring that, in peacetime, “states should not knowingly allow their territory to be used for internationally wrongful acts”. Despite more specific guidelines in a recent follow-up report, UN member states have hardly reached a consensus on the operationalisation of this norm. However, an emerging practice among NATO and EU members is to hold Russian, Chinese, North Korean or Iranian security agencies responsible for offensive cyber campaigns of state-affiliated hacker groups.
The war in Ukraine calls this practice of Western states into question. Only a few days after the beginning of the Russian invasion, the Ukrainian government called on hacker communities for support, with the so-called Ukrainian IT Army being created as an ad hoc platform for recruitment and coordination. This in itself was not unprecedented. Estonia, for example, created a volunteer cyber defence unit over a decade ago. The Ukrainian effort, however, was not limited to defensive purposes, nor was participation restricted to Ukrainian nationals.
Members of the IT Army conducted numerous hack & leak operations and DDoS attacks against more than 400 Russian systems. Some reportedly went further by exploiting vulnerabilities within industrial control systems or other critical infrastructure. Other groups joined the fight on their own terms. The hacker collective Anonymous issued a declaration of war to the Russian government, followed by a number of high-profile hack & leak operations. A November 2022 estimate tracked 81 hacker collectives involved in the war, 36 of those in support of Ukraine.
Given Russia’s brutal aggression, it is difficult to argue against this crowdsourcing effort from a normative point of view. Furthermore, Ukraine is acting in the context of interstate war and is therefore not obliged to comply with the UN cyber norms, as they only apply in peacetime. However, the situation is very different for Western states who have affirmed their belief in the principles of state responsibility and support Ukraine. Very few have discouraged their citizens from joining offensive cyber campaigns against Russian infrastructures, a notable exception being public remarks by the cyber director of the US National Security Agency. Allowing citizens to participate in Ukraine’s self-defence is, under international law, not illegal, nor does it make Western states war parties themselves. Yet it is precisely because Western states are not at war with Russia that they are still obliged to comply with the peacetime UN cyber norms, including the norm not to tolerate offensive cyber campaigns against critical infrastructure originating from within state territory.
The ambiguity of Western states could not only hurt their credibility within international fora but also weaken the UN cyber norms. It will also set a dangerous precedent for future conflicts by creating ample room for misinterpretation and misattribution. Differentiating between independent and state-orchestrated hacker campaigns is anything but trivial. It would also be naïve to assume that private hackers do not have their own agenda. This is, for example, indicated by the attack on Rosneft Germany or by public threats against Western businesses that are still active in Russia. In the case of Ukraine, potential future peace negotiations might not necessarily align with private hackers’ goals and ambitions. The very least that Western governments can do to avoid such a difficult situation is to explicitly discourage private hacking and, in severe cases, to prosecute those who target foreign infrastructures.