[iw] - Ukraine’s Digital Fight Goes Global
Richard Forno
rick at rickf.org
Wed May 4 13:00:30 UTC 2022
https://www.foreignaffairs.com/print/node/1128872
Ukraine’s Digital Fight Goes Global
The Risks of a Self-Directed, Volunteer Army of Hackers
By Elisabeth Braw
May 2, 2022
ELISABETH BRAW is Senior Fellow at the American Enterprise
Institute.
A somewhat conventional war is underway in Ukraine, featuring organized
and professional soldiers, a chain of command, advanced weapons such as
drones and tanks, and state-crafted tactics and strategy. But a parallel
war is also taking place, mostly in cyberspace, fueled by foreign
volunteers fighting for either Russia or Ukraine. These online volunteer
forces are loosely organized and don’t have a chain of command. They
have grown exponentially since the war began in February—Ukrainian
authorities estimate that some 400,000 hackers from numerous countries
have aided the country’s digital fight so far. Several high-profile
figures have offered to join the cause: the entrepreneur Elon Musk, for
instance, has challenged Russian President Vladimir Putin to a “single
combat” duel to decide the fate of Ukraine. Hundreds of thousands of
people from around the world have begun to engage in cyberwarfare
related to the conflict, in an impressive feat of grassroots
mobilization.
For those rooting for a besieged country defending its territorial
integrity, this arrangement may seem to have no downside: civilians from
around the world are volunteering their time and skills to help Ukraine
win without expecting remuneration or reward from its government. But
there are serious risks involved in waging an informal cyberbattle
against Russia, particularly since cyberwarfare may be one of the few
remaining tools in the Kremlin’s playbook. This parallel war sets
Russia and the West on a collision course—and risks spinning out of
control into a chaotic, high-stakes contest that could spread beyond the
cyber-domain.
Recognizing the global momentum on its side as people around the world
sought to support the Ukrainian defense, the government in Kyiv forged
this informal network in the early days of the war. “We are creating
an IT army. We need digital talents. . . . There will be tasks for
everyone. We continue to fight on the cyber front,” tweeted Mykhailo
Fedorov, Ukraine’s vice prime minister and minister of digital
transformation, on February 26, including a link to the newly created
“IT Army of Ukraine” group on the chat app Telegram. Offers to aid
Ukraine’s cyber-efforts began arriving immediately—“Let me know if
our team can be of any assistance (free of charge of course),” wrote
the CEO of a cybersecurity startup. Since then, the Telegram group has
grown to almost 300,000 members.
People from all corners of the world have joined the digital fight. They
have worked on projects ranging from disabling Russian government pages
to building a website to combat Russian misinformation—and they have
often succeeded. But while the efforts on the part of this volunteer
army have been impressive, they could very well backfire, threatening to
escalate and prolong the conflict rather than delivering a decisive
victory for either side.
THE DIGITAL CAVALRY
In the wake of Russia’s invasion of its southern neighbor, civilians
from around the world have sought to find ways to get involved in the
conflict from afar. Some of these efforts are essentially boosterism:
countless people tweet images and videos in support of one side or the
other, seemingly irrespective of the accuracy of the information. But
some of the volunteer work has been of the more skilled variety: a
Norwegian computer expert, for instance, has created a spamming program
that sends an automated message denouncing the attack to 150 Russian
email addresses at a time. "Dear friend, I am writing to you to express
my concern for the secure future of our children on this planet. Most of
the world has condemned Putin's invasion of Ukraine," reads the
Russian-language message, which is followed by an English translation.
Participation has not been limited to the online realm: thousands of
foreign volunteers have traveled to Ukraine since the start of the
conflict to help the Ukrainian military defense, though their military
contribution in the country has for the most part been a disappointment.
Instead, cyber-aggression is by far the most powerful element of the
global volunteer effort. Victor Zhora, the deputy chief of Ukraine’s
information protection service, told BloombergQuint in early March that
volunteers had been working on tasks ranging from gathering intelligence
to attacking Russian military systems. “It’s a bit like the people
who traveled to fight in Syria, but this time both [warring] parties are
technologically advanced, so attacking the other side in cyberspace
makes sense,” retired Major General Gunnar Karlson, the former chief
of Swedish military intelligence, told me. “And receiving such
volunteer help is attractive because it brings competence at no cost.
For lots of people, hacking for Ukraine in particular is a very
attractive alternative to donating money or traveling there to fight.
All this is very positive for Ukraine.”
These informal attacks have often been successful. On February 26, for
instance, the global hacking collective Anonymous declared “cyber
war” on Russia and hacked Russian state television to show harrowing
footage from the war, along with other pro-Ukrainian content. On April
13, the collective reportedly claimed that Russia “no longer has
control over spy satellites” following a hack on its satellite
program, which Russia denied. Other hackers have conducted successful
attacks on Russian government websites. On March 16, cyber-intruders
modified the Russian Ministry of Emergency Situations website by posting
a number for Russian soldiers to call if they want to defect. And some
volunteers belonging to the IT Army of Ukraine have voiced a desire to
go further by targeting private companies and disrupting Russian
government agency operations. “There have been long queues to ATMs in
Russia recently. Let’s make them even longer by shutting down online
banking,” a recent comment in the Telegram group read. On April 7, the
IT Army of Ukraine announced it had hacked Rossgram—a Russian
facsimile of Instagram, launched after the U.S. social media platform
was banned in Russia in March—and leaked user data. But the successes
of Ukraine’s volunteer army of hackers in creating widespread
disruption and chaos in Russia could ultimately escalate the war on the
ground.
UPPING THE ANTE
In conventional conflicts, including cyberwarfare, each side follows an
organizational strategy known as command and control, in which a chain
of commanders has oversight and authority over assigned forces in the
execution of a mission. This allows a country to decide on a military
objective and ensure that everyone down to the last private collectively
implements it. Without such a structure, state-on-state conflict would
be a free-for-all, as different units and even individuals would attack
targets of their own choosing. The command-and-control system, of
course, also places ultimate responsibility on state governments.
The shadow war between a global volunteer corps supporting Ukraine and a
smaller group of pro-Russia hackers operates outside any such
structures. And while many hackers may see freelancing for one’s
preferred side as harmless, it is anything but. “No reasonable person
will want to condemn volunteers for trying to help Ukraine,” Ciaran
Martin, the founding director of Britain’s National Cyber Security
Centre, told me. “But just as volunteer soldiers from within Ukraine
or from abroad who don’t know what they’re doing and aren’t
operating in a proper structure can sometimes do more harm than good, so
can volunteer hackers.”
The lack of a command-and-control system—or any commanding authority,
in fact—poses enormous risks. In the absence of any guidance or
direction, “the volunteers . . . could do completely unhelpful things
like attacking the wrong targets,” said Karlson. Many independent
hackers could use the pretext of the conflict to carry out serious
cybercrimes. And even though these volunteers aren’t following
instructions from their home government, they are residents or citizens
of countries that risk being linked to their activities. “This is more
dangerous than U.S. citizens traveling to Ukraine to fight with the
Ukrainian foreign legion, because it brings the very real risk of
aggression launched from our territory,” said retired Rear Admiral
Mark Montgomery, the executive director of the Cyberspace Solarium
Commission. “Everyone instinctively understands that it’s not OK if
some guy in Europe or the U.S. fires off a missile to help the
Ukrainians. Volunteering as cyber-aggressors is the same thing, just in
a different domain.” The efforts of thousands of foreign volunteer
fighters on the ground in Ukraine have, in fact, already raised
questions regarding to what extent governments should be held
accountable for the participation of their citizens in the conflict. The
United States is in a particularly vulnerable situation regarding
pro-Ukraine freelance hacking emanating from its territory, given that
U.S. President Joe Biden told Putin last year that Washington will hold
Moscow responsible for hacking originating from Russian soil. Russia
could well feel entitled to hold a similar position on cyber-activity
emanating from the United States.
This is true on a global scale: with most of the foreign
cyber-volunteers supporting Ukraine, high-profile hits by pro-Ukraine
hackers could prompt an already violence-prone Kremlin to retaliate.
Moscow would not retaliate against the attackers—who might be a few
different individuals dispersed around the world—but against Ukraine
or against the attackers’ countries of origin or residence. That, in
turn, could trigger further escalation. “If you’re hacking Russia
from your living room in London, it poses a risk to the [United
Kingdom],” Karlson said. “Putin wouldn’t fire off cruise missiles
against the UK to avenge hacking from London, but he could use such
means to retaliate against hacking attacks originating in neighboring
countries.” That risk extends to the countries hosting the servers
that handle hackers’ traffic—including the United States. The
West’s extreme dependence on electricity and the Internet already
makes it an attractive target for Russia. “Just imagine what would
happen if the power went out for a few hours in New York City,”
Montgomery said. “And with Americans already active in this parallel
war, the Russians could stage a false-flag attack to suggest an attack
was being conducted from the U.S. or another Western country.
Attribution is extremely hard in cyber, and that makes it hard to prove
a negative.” The Ukrainian government, meanwhile, might likewise
choose to retaliate against any crippling cyberattacks that appear to
have a Russian connection.
Another crucial difference sets these novel volunteers apart from
soldiers in the employ of armed forces: they are not obliged to follow
the Geneva Conventions, nor do they seem familiar with them or with
national laws that, for example, ban citizen cyber-intrusions, even
against foreign countries. Ever since Russia’s invasion began,
supporters of Ukraine have been sharing videos on social media of
Russian prisoners of war held captive in Ukraine in what is almost
certainly a genuine effort to help spread optimism regarding Ukraine’s
chances of defeating its invader. But sharing footage of POWs violates
the Geneva Conventions, which stipulate that “prisoners of war must at
all times be protected, particularly against acts of violence or
intimidation and against insults and public curiosity.” Naive social
media users are thus providing Russia with an opportune pretext to
likewise mistreat Ukrainian POWs. In Montgomery’s words, “Yes, the
war is deplorable, but you can’t say it’s so terrible that you’ll
go ahead and violate international rules and norms.”
LESS IS MORE
For many volunteer hackers, that ship may have already sailed.
Russia’s invasion of Ukraine is reminiscent of the Spanish Civil War,
in that the invasion has compelled countless people from around the
world to play a part in the struggle. But in contrast to the Spanish
conflict, Ukraine’s cyber-volunteers can choose to take part from the
safety of their homes. “It’s inevitable that we’ll see more such
shadow wars in the future,” Karlson predicted. “And countries that
can’t afford big armed forces can wage war on the cheap by appealing
for volunteers to join such shadow armies. For younger generations, this
could become the natural way to participate.” As the volunteer
cyberwar over Ukraine grows bigger, the United States and its allies
must not be caught flat-footed should this shadow conflict—or the
next—threaten to spiral out of control.
In the absence of any official authority over volunteer hackers, state
governments should brace themselves for a rise in cyber-accidents,
cyberattacks, and potential escalation—and most importantly, they
should attempt to regulate freelance shadow wars. Despite the West’s
military contributions to the Ukrainian defense, as well as some
states’ tacit approval of foreign military volunteers, the United
States and its allies must work to differentiate the shadow
cyberconflict—and to drive home the stakes for average citizens
inclined to join the cause. A retaliatory Russian cyberattack targeting
the United States could devastate critical infrastructure, the private
sector, and civilians who have played no part in the conflict.
Washington must make clear that hacking Russia from U.S. soil is not
worth the risk. It must also revise and update its neutrality laws to
account for these new forms of informal cyberconflict, to be able to
hold hackers fighting from U.S. soil accountable.
Perhaps most importantly, U.S. officials should encourage the public to
help the Ukrainian defense in ways that cannot be used as a pretext for
retaliation. Private citizens can help by housing Ukrainian refugees,
supporting Russian dissidents, and taking care not to spread
disinformation about the conflict. Residents in the United States and
Europe could deliver the ultimate blow to Russia by reducing energy
consumption: that move would deprive the Russian government of an influx
of cash and mitigate the possibility of Russia threatening energy
cutoffs to retaliate against governments providing aid to Ukraine. If
private citizens are looking to make a difference for Ukraine, turning
off the lights at home would be a good start.
Copyright © 2022 by the Council on Foreign Relations, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sticklist.org/pipermail/iw_sticklist.org/attachments/20220504/1a38ff99/attachment.htm>
More information about the Iw
mailing list