This paper is part of Carnegie’s ‘Cyber Conflict in the Russia-Ukraine War’ paper series, a project to better understand the cyber elements of the Russia-Ukraine war. Carnegie experts each examine a unique dimension of the cyber conflict: Nick Beecroft on international assistance to Ukraine’s cyber defense; Gavin Wilde on Russia’s unmet expectations; and Jon Bateman on the overall military impact of Russian cyber operations.
Western leaders have been unequivocal that they will not commit military forces to fight in Ukraine. Yet in the digital sphere, Western governmental, military, and commercial actors are directly engaging Russian attackers and taking on a swath of responsibilities for defending Ukrainian networks and data. This ad-hoc coalition confronted an intense campaign of Russian cyber attacks in the first six months of the war.1
Notwithstanding the heightened rate of cyber attacks, Russia’s much-feared cyberwar has failed to materialize the way that many experts anticipated it would. The international effort to bolster Ukraine’s cyber defenses has featured prominently among the wide range of theories put forward to explain the relatively limited impact of cyber operations in the war. But experts are divided on the significance of almost every aspect of the cyber campaign, including the claim that international assistance has been instrumental in enabling a relatively small country to fend off one of the world’s leading cyber powers. This article investigates what has been done to assist the defense of Ukrainian cyberspace in order to evaluate what, if any, strategic effect has followed and to identify the broader implications for the value and feasibility of collective international defense in cyberspace.
It would be premature to draw definitive conclusions based on eight months of war, but nonetheless the activity in cyberspace has developed to the point where important lessons are emerging. It is hard for any outside observer to form a comprehensive picture of activity, and so this article draws on interviews with representatives of some of the organizations that have participated in the defense of Ukrainian cyberspace. I wish to thank the people listed below, who gave their time to assist my research. The views expressed are entirely mine and may not reflect the policies of any of the organizations listed.
Ginny Badanes (Microsoft), Luke Champion (UK FCDO), Bertie Kerr (BAE Systems Digital Intelligence), Stephanie Kiel (Google), James Muir (BAE Systems Digital Intelligence), Adrian Nish (BAE Systems Digital Intelligence), Oleksandr Potii (State Service of Special Communications and Information Protection of Ukraine), Christiaan Smits (Cloudflare), Charley Snyder (Google), and Alissa Starzak (Cloudflare).
The article focuses on the defense of Ukrainian digital networks against Russian attacks since the ground invasion began. It is important to note that this represents only a part of the international effort to support Ukraine in cyberspace, activity that has additionally included combating disinformation, generating open source intelligence, and harnessing digital platforms for humanitarian assistance and civil defense. Inevitably, the analysis is skewed to those activities that participants are willing to discuss; readers should assume that the measures described are complemented by a substantial amount of covert operational activity.
Competing Claims
Many (though not all) pre-war assessments expected that cyber attacks would play a significant role in Russia’s campaign. The strategic context suggested that, although Ukraine had much experience in defending against Russian cyber attacks and could call on motivated, highly capable experts to protect critical targets, it would ultimately be unable to prevent major harm to, and exploitation of, digital networks and data. Ukraine’s operational strengths would be outmatched by Russia’s strategic advantages of possessing some of the world’s most powerful offensive cyber capabilities (albeit with debatable strategic effectiveness2) and operating in a digital terrain that has been thought to favor the offense over defense. Moscow appeared to hold a decisive advantage in cyberspace.
Indeed, Russia intensified its long-standing campaign of cyber attacks against Ukraine prior to the ground invasion, and it has sustained a heightened tempo of attacks in the months following. Yet the attacks appear to have achieved only limited disruption, contributing little strategic value to Moscow’s war aims. The early evidence has led senior Ukrainian and American officials to hail the major importance of international partnerships in strengthening Ukraine’s cyber defense, while Microsoft has proclaimed that “a new form of collective defense” has “proven stronger than offensive cyber capabilities.” Public commentary that cyber operations were not a significant feature of the war created frustration among some of those involved, who argued that successful defense was being wrongly interpreted as absence of activity. Microsoft’s public reports of April and June 2022 were in part aimed at illuminating activity that had gone unacknowledged in public discourse. Six months into the war, the head of GCHQ assessed that “we have arguably seen the most effective defensive cyber activity in history.”
But evaluating strategic effect is even harder in the digital realm compared to other domains of war. Some scholars claim that the Ukraine war has demonstrated the inherent limitations of offensive cyber operations, while others contend that the expectations of “cyber shock and awe” were unrealistic and that Russia has in fact used cyber operations to great effect against the desired objectives. Although each group interprets the cyber dimension of the war very differently, both points of view downplay the significance of Ukraine’s defensive strength in determining the strategic value of Russia’s cyber attacks. Other factors have been suggested as far more significant, such as Russian cyber agencies’ lack of preparation or lethargy and a desire to preserve key Ukrainian networks for exploitation.
Evaluating the international effort to support Ukrainian cyber defense therefore proceeds against a background of diverging assessments of events and competing theories of the role of cyber power in this and future conflicts.
International Reinforcements
Russia launched an intensive campaign of cyber attacks to coincide with the invasion, constituting around 800 attacks against Ukrainian targets up to the end of March. Ukraine has more experience than any other nation of defending against, and recovering from, Russian cyber attacks, yet it became clear early on in the war that Ukraine’s seven cybersecurity agencies faced an unprecedented task that would likely outstrip their defensive capacity and reveal critical weaknesses in resilience.3
Requests for assistance in cyber defense therefore featured early in Kyiv’s outreach to potential allies, meeting increasingly receptive responses as momentum for action built in Western capitals. With the political foundation in place, it quickly became apparent that the ability to deliver operational effect in cyberspace rested not only on government and military agencies but also on the close integration of commercial technology and cybersecurity companies. While official Western agencies could draw on existing relationships with Ukrainian partners and possessed powerful tools and unique capabilities, delivering cyber defense at scale could only be achieved by the private sector entities that owned, operated, and understood the most widely-used digital services. Early decisions by the leadership of some of the world’s major technology and cybersecurity companies to take proactive roles in defending Ukraine were pivotal.
Numerous foreign governments and cybersecurity companies had invested in Ukrainian cyber capacity building over several years. These initiatives aimed to set the foundations for resilience to Russian cyber attacks, for example through training cybersecurity practitioners and reforming laws and regulations. The invasion created an urgency that could not be met through programs aimed at long-term development objectives, and the mobilization of public and private resources spawned some innovative partnerships. For example, the UK Foreign, Commonwealth and Development Office (FCDO), with technical advice from the National Cyber Security Centre, is sponsoring a program that enables Ukrainian agencies to access the services of commercial cybersecurity companies.4 The security providers are tasked by Ukrainian agencies, with funding and coordination from the FCDO. The UK government has harnessed commercial cybersecurity capabilities for immediate operational effect. While there was no blueprint for this arrangement, it bears some similarity to international disaster relief programs in which sponsor governments catalyze and coordinate the delivery of operational capabilities drawn from the private sector.
The FCDO program is a national initiative, and the international defensive effort that has emerged is not centrally orchestrated according to a unified plan but rather constitutes an agglomeration of activities driven by national and organizational perspectives on the war and resource capacities. The Ukrainian National Cybersecurity Coordination Center, established in 2016, has played a key role in synchronizing these disparate operations and actors.5 Mapping the activities to form a strategic view is a difficult undertaking, compounded by the fact that many parties involved, both governmental and commercial, have chosen not to publicize their actions. Nevertheless, enough information is in the public domain to allow a basic conceptual framework, with illustrative examples, that reveals the scope of activities undertaken. Table 1 below sets out six lines of activity that capture the types of tasks undertaken and capabilities employed by governmental and commercial actors.
Table 1: Lines of Activity and Examples of Measures Taken by Governmental and Commercial Parties to Defend Ukrainian Cyberspace | |||
Line of Activity | Description | Examples of Governmental Activity | Examples of Commercial Activity |
Network defense—deployed | Cybersecurity personnel sent to Ukraine or neighboring countries |
|
|
Network defense—remote | Cybersecurity operations from home locations |
|
|
Threat intelligence | Sharing of classified and proprietary material such as attack indicators and warnings; adversary tactics, techniques, and procedures; and strategic assessments |
|
|
Capacity building | Training, institution building, and policy coordination |
|
|
Technical robustness | Provision of hardware and technical measures to address vulnerabilities and mitigate the impact of attacks |
|
|
Cloud-enabled robustness and resilience | Migration of data and services to servers located outside Ukraine and operated by commercial cloud service providers |
Ukrainian cybersecurity officials believe that this international assistance has been vital in limiting the effectiveness of Russian cyber attacks.8 Incident response and remediation has operated at a much greater scale than Ukraine could have achieved independently, and it has allowed attacks that might have caused strategic harm to be interdicted (notably, the attempt to disrupt the Ukrainian electrical grid via Industroyer2 malware). Collaboration on threat intelligence has enabled accelerated learning of Russian methods and shared situational awareness. The Ukraine Computer Emergency Response Team (CERT-UA) has become a prolific source of threat reporting.
A further defining feature of the defensive effort has been the integration of large American technology providers, particularly Amazon, Cloudflare, Google, and Microsoft. These companies’ ability to migrate Ukrainian government data and services to distributed cloud servers; provide automated protection of massive networks, coupled with dedicated protection of high-risk users; as well as continually update threat intelligence drawn from global telemetry has added defensive depth and resilience far beyond that which Ukraine could have achieved independently.
Nevertheless, all parties involved in the effort are cautious in claiming that success will endure. The Russian cyber campaign appears to have consisted of a small number of carefully planned offensive cyber operations leading up to and in the early phases of the war (such as the attack against satellite communication provider Viasat) and has since reverted to unsophisticated (yet prolific and sometimes intense) denial-of-service operations and phishing-based attacks.9 To achieve more strategic impact (for example through disrupting critical infrastructure or essential digital services at significant depth and duration), Moscow would have to prepare complex, bespoke operations, likely requiring many months of research and preparatory activity. It is possible, therefore, that Ukraine might be subject to more harmful cyber attacks once enough time has elapsed for Russia to complete the necessary operational cycle. Equally it may be that Russia has yet to deploy its most sophisticated offensive cyber capabilities, either because it can achieve the same effects through kinetic attack or because capabilities can become obsolete once revealed, creating a reluctance to use them against anything but the most high-value objectives.10
A further complicating factor is that none of the entities involved, including the world’s largest technology and cybersecurity companies, has a complete picture of Russian cyber attacks against Ukraine. Even where a defensive partner has good visibility, certain types of operations might be difficult or impossible to spot. Here, the key concern relates to espionage. Most of the focus on cyber attacks as a component of the war is on the potential to disrupt, degrade, or destroy targets. Yet Russia has an extensive track record of using network intrusions for intelligence gathering, and these operations can be both much harder to detect and less immediate in their impact. State actors have most commonly used cyber operations to shape the environment to their advantage rather than to achieve immediate coercive effects,11 and Moscow could plausibly have secured access to networks and be deriving intelligence that might yet generate strategic value.
A Blueprint for the Future?
The common view that emerged from my interviews was that the defense of Ukrainian cyberspace is an exceptional response to a unique set of circumstances. Therefore it would be premature to identify a template for enduring or more widespread collective defense partnerships. Nevertheless, the war prompted one CEO of a large cybersecurity company to call for a “Tech NATO,” and Microsoft President and Vice Chairman Brad Smith has stated that the war has demonstrated the requirement for a “coordinated and comprehensive strategy to strengthen [cyber] defenses.” The war in Ukraine may not have revealed a ready-made blueprint for collective international defense in cyberspace, but it has tested the concept of multistakeholder collaboration and, in the process, demonstrated five key lessons.
- Cyber defense at scale relies on the involvement of the largest commercial technology and cybersecurity companies. This is because of both the deep dependence on the services of a small number of providers and the fact that national scale cyber defense relies heavily on automated protection of millions of targets.
- Politics and geopolitics count in cyberspace just as everywhere else. The response to the Ukraine war has not involved a strategic and operational construct akin to a “Tech NATO,” relying on an accumulation of efforts conducted within national government strategies. There is a long way to go to evolve from the Ukrainian response to an enduring foundation for international alliances in cyber defense. Devising such mechanisms will require national governments to confront the fact that the most indispensable commercial partners for cyber defense are American. Even European governments, let alone those who view Washington less favorably, might be uncomfortable relying on the decisions taken in a handful of boardrooms in America. For their part, those American companies generally do not want to take positions on global political issues, preferring to focus on protecting users and networks.
- Shared values are as important as shared interests. Commercial entities’ reasons for engaging in the defense of Ukrainian cyberspace are commercial (demonstrating capabilities and benefits), reputational (outwardly, to governments, customers, investors and so on, and inwardly, to employees), and normative (protecting values and preventing harm). The normative component might easily be dismissed as insignificant when compared to the commercial interests of huge corporations, but the practitioners I interviewed displayed a genuine sense of commitment to shared values of conduct in cyberspace, especially in defending civilian targets against state cyber attacks. Sustaining a high tempo of cybersecurity operations has tested all the entities involved, and the motivation to protect Ukrainian democracy and thwart Russia’s aggression has been a key factor in maintaining effectiveness over a prolonged period.
- Government can be a catalyst and sponsor of large-scale cyber defense involving commercial entities. Technology and cybersecurity companies might be motivated to engage in international cyber defense, but large-scale action can only come from governments exercising their abilities to convene and confer legitimacy. This process is much easier where mutual trust and understanding are already in place between governmental and commercial organizations. Nevertheless, the culture and values of the technology sector mean that these companies might eschew the type of symbiotic relationship with government that has evolved for defense contractors. They are likely to seek less formal relationships that emphasize shared values as opposed to hard power objectives.12 Additionally, although commercial entities might be willing to absorb some costs and foregone revenue, they will require some form of financial compensation for their commitment of resources. The use of public finances to sponsor this activity could be eased by the fact that defensive cyber operations create a wealth of evidence that demonstrates their impact.
- Capacity building is valuable, but it is no substitute for capability reinforcement. Through its years of being targeted by Russian cyber attacks, Ukraine has closely followed best practice advice for cybersecurity and resilience from international partners and has greatly benefited from participation in joint training exercises.13 Inevitably, though, the speed of implementation and development varied across sections of the public and private sectors, such that by the time of the ground invasion there were major uncertainties and known weaknesses in the national cyber resilience. The most prominent example was the government’s concentrated dependency on potentially vulnerable, on-premises servers, a dependence that had to be quickly remedied by migration to data centers beyond the combat zone, generally operated by foreign cloud service providers. The experience of this war suggests that international cyber resilience is built on a foundation of capacity building but also relies crucially on the ability to rapidly surge capabilities to reinforce allies under attack.
In sum, these lessons indicate that collective defense is not only demonstrating its operational potential in Ukraine but also revealing strategic tensions that would have to be addressed in any more enduring arrangements. At the heart of the challenge for democracies are the integration of commercial actors as agents of foreign and defense policies and the reality that a handful of American companies are indispensable to large-scale cyber defense. Designing mechanisms for collaboration would therefore expose profound issues of national sovereignty, accountability, and burden sharing in cyberspace. This is a daunting agenda, but navigating it could be eased by the fact that the protagonists in Ukrainian cyber defense believe the scale of effort has demonstrated a powerful commitment to shared values in cyberspace.
Conclusions
The international effort to support Ukrainian cyber defense has delivered a major increase in capabilities and capacity, while harnessing a diverse array of actors in a sustained high tempo of operations. Nevertheless, those involved are not declaring victory. In common with the physical environment, it is likely that, in cyberspace, the strength of resistance is only one of a range of factors determining the course of events. The threat of damaging cyber attacks has not been removed, nor has the possibility that Russia may be deriving high value intelligence from network intrusions that are as yet undetected.
It is also important to recognize that the operational accomplishments of eight months of war do not equate to enduring, broad-based structures for collective defense in cyberspace. The war has not resolved profound issues relating to sovereignty, accountability, and burden sharing. And yet, there is a palpable sense among those who are participating in and sponsoring the defense that something meaningful is happening; diverse partners are rallying to shared values and upending previous assumptions that the cyber attacker will always get through.
Notes
1 Author interview with Oleksandr Potii, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP). According to the SSSCIP, Russia conducted over 1,500 cyber attacks against Ukraine in the first six months of the war. This article uses the U.S. National Institute for Standards and Technology’s definition to clarify the term “cyber attack” as “any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.”
2 On the strategic effectiveness of Russia’s cyber operations, some scholars contend that, although Russia has been highly active in using cyber attacks against foreign targets, it has failed to achieve its objectives or has achieved only limited strategic effects. See Brandon Valeriano, Benjamin Jensen & Ryan Maness, Cyber Strategy: The Evolving Character of Power and Coercion (Oxford: Oxford University Press, 2018), 110; and Daniel Moore, Offensive Cyber Operations: Understanding Intangible Warfare (London: Hurst & Company, 2022), 146.
3 Author interview with Oleksandr Potii, Ukrainian SSSCIP, video call, August 2022.
4 Author interview with Luke Champion, UK FCDO, London, September 2022.
5 Author interview with Oleksandr Potii, Ukrainian SSSCIP, video call, August 2022.
6 Author interview with Luke Champion, UK FCDO, London, September 2022.
7 Author interview with Oleksandr Potii, Ukrainian SSSCIP, video call, August 2022
8 Ibid.
9 Ibid.
10 Daniel Moore, Offensive Cyber Operations: Understanding Intangible Warfare, 78–81.
11 Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (London: Harvard University Press, 2020), 312–319.
12 See the list of signatories to the Danish Tech for Democracy initiative for an example of the technology sector embracing the defense of democratic values: https://techfordemocracy.dk.
13 Author interview with Oleksandr Potii, Ukrainian SSSCIP, video call, August 2022.