The ongoing armed conflict in Ukraine continues to cause enormous suffering for the civilian population. The CyberPeace Institute welcomes the talks on Recovery and underscores that the socio-economic development of a country depends on stable, secure, and safe information and communication technologies (ICTs).
The forthcoming Ukraine Recovery Conference (Lugano, Switzerland, 4-5 July 2022) must include social, economic, environmental and infrastructure recovery from cyberattacks.
The country will not fully benefit from recovery efforts if its critical infrastructure, including its financial system, and its information space, are not stable and secure and free from the presence of malicious actors. Recovery efforts must include support to clean malware that may have been planted in critical networks.
Response efforts and resources needed to rebuild the country – to avoid a socio-economic crisis and to support economic development – must take into account how cyberattacks and operations in the war harmed Information and Communication Technologies (ICTs) and were used to destabilize society.
The recovery effort must be informed by 3 perspectives:
- Scope of the damage – It is crucial to understand which organizations, networks, and systems have been negatively affected in order to direct recovery efforts to where there is the largest need. One example is recovery from wiper malware attacks deployed for destructive purposes. There will also be impacts from some attacks that may only manifest themselves over time and may require recovery years later, such as possible repercussions from the compromise and theft of data, e.g. from a nuclear safety organization.
- Lessons learned – Past and ongoing investment efforts have enabled the resilience of Ukraine’s ICTs. It is important to understand and learn from the measures that contributed to this resilience to ensure future investments and collaboration to reinforce this capability.
- Multistakeholder efforts – For years, external stakeholders have contributed to Ukrainian resilience efforts in cyberspace, and amplified the impact of these efforts through collaboration. Governments, the private sector, NGOs, and individual experts helped Ukraine become more resilient to cyberattacks. Multistakeholder participation in discussions about recovery efforts is important to inform resource allocation, to share experiences from the implementation of previous projects in Ukraine, and to support the response to challenges posed by the impact of war on ICTs.
The CyberPeace Institute publicly shared key observations based on data collected on cyberattacks during the ongoing armed conflict. These relate to 4 main types of ramifications and can inform discussions about where the recovery efforts will be needed:
- Destruction – The CyberPeace Institute observed attacks aimed at the permanent deletion of data or damage to systems rendering them unrecoverable. The war has seen the deployment of wiper malware targeting Ukrainian government entities and other sectors. These attacks can have long-lasting effects on organizations if they are unable to retrieve backups or reset systems. It will be important to also ensure that systems are cleaned of the presence of malicious actors and that tools, technology, and processes are in place to avoid such attacks in the future.
- Disruption – Disruptive attacks were observed that led to the temporary interruption of services or operations due to, for example, increased traffic or the encryption of systems. Distributed denial-of-service (DDoS) attacks have featured heavily during the ongoing conflict, affecting Ukrainian organizations since the early stages of the Russian military invasion in February 2022. These attacks have heavily impacted the connectivity of telecommunications and internet services across Ukraine and the availability of websites. Attacks that impact telecommunication and Internet services should be studied closely as this infrastructure is key to recovery efforts.
- Data exfiltration – Attacks leading to the theft or exfiltration of data or the acquisition of data for espionage, surveillance or intelligence purposes were observed. Although the latter are known practices in the context of armed conflicts, the former are attacks which have been heavily conducted by collectives of actors in the name of activism. Challenges related to safety and confidentiality of information are key to avoid further re-victimization of individuals and attacks impacting socio-economic recovery of the country.
- Disinformation – Attacks with a focus on the spreading of false information and propaganda, and/or the manipulation of the information space, have leveraged the use of cyber and have become a feature of the armed conflict. Examples range from SMS spam campaigns spreading false information about technical malfunctions of ATMs, to cyberattacks on TV stations in which information is falsely displayed on the news ticker or deepfake videos are streamed, through to threat actors compromising email accounts in order to gain access to the social media accounts of high-profile Ukrainians and post disinformation campaigns. The damage that disinformation causes to society is the hardest to remedy and prevent in the future. The success of the Ukraine Recovery Conference itself can be undermined by disinformation. It is therefore crucial that recovery also focus on efforts to increase societal resilience against disinformation.
Safe and secure ICTs are key for the functioning of society. When stakeholders from governments, international organizations, private sector, think tanks, and civil society meet in Lugano, they have to consider how to repair damage from cyberattacks caused by the Russian Federation and malicious actors acting against Ukraine. It is also vital to create a secure ICT backbone and societal awareness of threats to ensure that recovery efforts will not be hampered or weakened by further cyberattacks, espionage and disinformation.