13 December 2022
Crime, Proxies and Liberal Democracies
Politically motivated individuals and hacker collectives have not been the only ones participating in the cyber confrontation between Russia and Ukraine. Conti, one of the most notorious ransomware gangs, declared their solidarity with the Russian government and threatened retaliation against any Western action within days of the invasion. While Russian state agencies have been suspected of coordinating with cybercriminals for years, such an explicit statement of political allegiance was unprecedented. It was also surprising given the fact that most, if not all, cybercriminal groups include both Russian and Ukrainian members. In fact, other criminal groups issued statements of neutrality, possibly to avoid internal divisions and struggles.
That being said, the Ukraine war has clearly also brought unrest to the criminal ecology. In some cases, internal communication or malware source codes were leaked, most probably by members who objected to the political position of their leadership. In other cases, forum administrators banned Russian or Ukrainian members. There are also fears that the Russian government could shift further towards a North Korean model of state-orchestrated cybercrime. This could be used, for example, as a way to circumvent sanctions by stealing cryptocurrencies or by gaining access to Western intellectual property and technologies. In any case, the strategic instrumentalisation of cybercrime beyond current levels, will amplify existing governance dilemmas for liberal democratic states.
Inside liberal-democratic societies, civil-military relations will come under strain. This is most visible within the US where already prior to the Ukraine war an increasing number of experts and policy makers started to advocate for a greater role of the US Cyber Command in the fight against cybercrime in the midst of a wave of devastating ransomware attacks. Yet any such militarisation will have a political downside. It not only raises questions of civil oversight, complicate interagency relationships and coordination with the private sector. But it will probably also increase international mistrust due to the US Cyber Command’s offensive mission. Related to such an offensive posture is the risk of unintentionally targeting third party systems. In a worst case scenario it might lead to inadvertent cyber escalations. Involving the military within cyber operations against criminal infrastructures should therefore be regarded as an option of last resort to when criminal attacks rise to the level of an imminent national security threat.
Global Security in a Fragmented Cyberspace
Recently, 62 like-minded countries have renewed their commitment to an “open, free, global, interoperable, reliable, and secure” network of networks. With the political fall-out from the Ukraine war, defending such a comprehensive and cosmopolitan vision has certainly not become easier. Some experts already seek to replace it with a rather isolationist and purely security-focussed approach. Meanwhile, the Russian government tries to create facts on the ground by advancing plans for a semi-independent RU-Net and by prohibiting the use of foreign software and hardware. This is anything but good news for dissident bloggers and independent journalists in Russia. In Western countries, ICT companies have dramatically cut back their ties to Russian business partners and clients, way beyond what was required by Western sanctions. For example, Cogent and Lumen, two of the world’s leading backbone providers stopped servicing customers in Russia in March, citing security risks (Reuters 2022b). Fragmentation tendencies are further amplified by the ‘digital trade war’ between China and the United States, with the latter’s ban of Huawei and ZTE equipment indicating the beginning of another escalation round.
Crumbling Security Community
While there is - without doubt - a convincing security rationale for reducing ICT interdependencies both at the state and at company level, possible downsides should not be ignored, even from a more traditional security perspective. For example, in a world of nationalised internet segments and/or less frequently shared hard- and software cyber powers might act with fewer restraints due to lower probabilities of cascading or boomerang effects. Perhaps even more important, technological and organisational de-coupling already inhibits the work of the transnational community of security researchers and incident responders, to the detriment of global cyber security. For example, Microsoft-owned GitHub, a major platform for software development, suspended individual user accounts because of their former ties to sanctioned companies. FIRST, a global network of incident responders, suspended the membership of Kaspersky even earlier in March. There have also been reports of open source development platforms having been misused by individual members to distribute anything from so-called ‘Protestware’ to geo-targeted malware. All these instances may be first signs of a growing fragmentation and polarisation of the transnational community of IT cyber security experts. If this continues, such a trend will gradually remove one of very few stabilising mechanism within the global cybersecurity architecture: the practical cooperation of IT experts on malware detection, threat analysis and attack mitigation.
Again, the Ukraine War has not caused but accelerated an existing trend that is growing due to very different agendas. Back in 2018, the Chinese government prohibited the participation of security researchers in global hacking competitions. It has also issued new legislation in 2021 that might make it impossible for Chinese security researchers to cooperate with international bug bounty platforms anymore. Therefore, liberal democratic governments alone are hardly in the position to reverse this trend of a disintegrating global community of IT experts entirely. This does however not mean that they have no policy choices. The first step would be to discourage discrimination on the basis of geography alone. In a remarkable statement, US national cyber director Chris Inglis recently commented on the blocking of the wider Russian population from TikTok, Netflix, Facebook and other platforms, warning that we should not “conflate geography with risks”. A second important step would be to systematically reduce legal risks to security researchers and to encourage like-minded countries to do the same. Finally, Western states should offer an alternative to the Chinese model by incentivising the global diffusion of existing industry standards and by creating trustworthy governmental procedures for vulnerability management.
With the war in Ukraine continuing, any assessment of the role of cyber operations can only be preliminary. As it stands now, their strategic impact on the actual warfighting is questionable. Yet this does equal the absence of any serious impact on global cybersecurity, for example due to a weakening of principles of due diligence. To counter these developments, Western governments should clearly speak out against disruptive cyberattacks of transnational hacker collectives against the infrastructures of any country, including Russia. Moreover, they should resist the temptation to put the military in charge of the fight against cybercrime for the sake of international trust-building and effective cooperation. Finally, there is a need to prevent a further disintegration of the global community of security researchers, for example by removing legal risks and by incentivising transnational reporting of vulnerabilities.