Beyond land, sea and air, armed conflicts are increasingly being waged in outer space, the information space and cyberspace. The borderless nature of these domains has changed how an armed conflict between countries may have an impact beyond the military objectives of those parties. The military invasion of Ukraine in February 2022, preceded by a series of cyberattacks affecting Ukrainian public institutions and organizations, set the scene for what is today a war fought both online and on the ground. Attacks and operations, deployed in cyberspace in the context of the war between the Russian Federation and Ukraine, have destabilized cyberspace and threatened the safe, secure and trusted use of technology.
When critical infrastructure comes under fire
Critical infrastructure is no stranger to cyberattacks – an oil pipeline (United States, 2021), water pumping stations (Israel, 2020), healthcare services (United Kingdom, 2017) and the armed conflict in Ukraine have starkly illustrated this. In the lead-up to and during the early days of the conflict, six different strands of data-wiping malware were deployed against Ukrainian organizations in critical sectors. Malware can cause significant harm as it disrupts critical services for the civilian population. The attack on ViaSat’s KA-SAT satellite network, reportedly intended to hit aspects of military command and control in Ukraine, resulted in the major loss of internet communication for users across Europe and impacted a German energy company, which lost remote monitoring access to over 5,800 wind turbines. Both this attack and other data-wiping malware deployed during the conflict have been attributed to highly sophisticated nation-state players.
Unconventional players disrupting cyberspace
In addition to the traditional parties, this armed conflict has seen others playing a significant role, and the boundaries between them are increasingly blurred. Created by the Ukrainian government, the IT Army of Ukraine is a less conventional player whose Distributed Denial of Service (DDoS) attacks are heavily impacting Russian online resources. Meanwhile, so-called hacktivist collectives have flooded the networks of government institutions, state-owned enterprises and other organisations with DDoS attacks. They have played an active role in disrupting the public-facing online infrastructure of their targets. This has resulted in downtime for websites and portals, many of which are used by the general population to conduct routine activities such as booking transport tickets or submitting tax declarations.
A significant number of NATO member countries, not parties to the conflict, have been particularly impacted by cyberattacks in recent months. These were carried out by hacktivist collectives, seemingly in response to those countries’ public positions on geopolitical, ideological or economic subjects.
The publication of large volumes of sensitive data has become part and parcel of the cyberthreat landscape during the conflict. Acting in the name of anti-war activism, collectives have conducted a significant number of hack-and-leak attacks which lead to sensitive customer and corporate data, including personal data, being made publicly available. These attacks raise significant questions relating to the protection of individuals, data protection, and the potential for malicious use of this data in the future.
A number of questions arise from less traditional players participating in the armed conflict, not least with regard to attempts to attribute attacks, i.e. to determine who developed, launched or authorized a particular cyberattack.
Protecting “our” cyberspace
Cyberattacks and operations conducted in the context of war or in peacetime, by countries and non-state players, have contributed to the destabilization of cyberspace and in turn of society, which so heavily depends on technology. Such destabilization has long-lasting impacts, many of which are yet to be uncovered. Advancing responsible behaviour in cyberspace is essential to ensuring an open, free, stable and secure digital environment, and will require commitment and engagement from all:
- Whether in war or peacetime, cyberattacks should not be directed against critical infrastructure essential for the survival of civilian populations, respecting international law and norms.
- The potential harm and impact on people, and the humanitarian consequences of the use of cyber, must be a primary consideration before its use.
- Countries must ensure accountability for cyberattacks that breach international laws and norms.
- Public institutions such as Computer Emergency Response Teams (CERTs) are essential for the protection of systems and the investigation of attacks through effective collaboration and information sharing.
- Private companies can play a role in developing and providing secure products and services to the most vulnerable in society, and proactively protecting governments and their citizens.
- And last but not least, civil society organizations can contribute to documenting and analyzing cyberattacks and the impact they have on people to facilitate investigations and support the policy debate.
Guest editorial published by Stéphane Duguin (Chief Executive Officer, CyberPeace Institute), with the support of the Institute’s Analysis team, in the National Cybersecurity Centre (NCSC) Switzerland, Semi-annual report 2022.