BCS Policy Jam : Cyberwar and Ukraine one year on

In April 2023, the BCS Policy Jam team heard from a Ukraine specialist about how the country was dealing with cyber warfare. Five UK-based cyber security and disinformation experts also discussed its broader implications.

Dmitriy Sirosh, Security Portfolio Manager at Infopulse, one of Ukraine's biggest IT companies, started the session by detailing how, at the start of the war, missiles targeted energy sites and government and military communication channels and personnel were hacked. Now he said a lot of cyber-attacks disrupt day-to-day life.

Civilian targets

According to a Ukrainian government report, the tactics employed by Putin have changed. Russia is now "inflicting maximum damage on the civilian population." It cited the recent cold snap, which the Ukraine government described as the "peak of cyber-attacks against the energy sector." Ukraine said Russia aims "to increase the chaos of a conventional invasion, reduce the country's governability, and damage critical infrastructure." Dmitriy agreed: "It's increased over the last three months, and that's made us stronger."

He said because of the COVID lockdowns, many people were already working remotely, and systems were in place to adapt to the war.

He said Ukraine was resilient because it was already an established hub of skilled IT practitioners and had long experience in defeating Russia's hackers.

Lisa Forte, Partner at Red Goat Cyber Security, also noted that sustaining cyberattacks was challenging: "It has been deployed more effectively as an intelligence gathering mechanism than it has as a weapon. To have a damaging effect and sustain that detrimental effect, and to keep the pressure up is just not feasible.

"Plus, the ability to control and target cyber-attacks is very limited, which poses a huge risk for escalation and bringing people in that otherwise would be more invested in staying out."

Are cyberattacks a war crime?

Meanwhile, the Ukraine government is calling for international humanitarian law to be strengthened around cyberattacks that cause harm, such as cutting off power supplies so that the impact of, for instance, shutting down power supplies, can be defined as a war crime.

However, Dr Alexi Drew, emerging technologies and international law specialist said: "We already have laws that make it very clear that a war crime is a war crime, whether you use a piece of malware or a targeted precision munition."

BCS Fellow Professor Victoria Baines, a leading expert on online trust, safety, and cybersecurity, said the UN General Assembly is currently negotiating a treaty on cybercrime.

She said: "What about the bigger question of when it is okay to intervene in another country's cyberspace? And when isn't it so?

"That means really considering that principle of non-intervention, and also whether existing international law is sufficient to cover all of these operations in cyberspace, that in some circumstances can be military operations, but in others are conducted by civilians."

The role of the hackers

She pointed out that civilians, who in different circumstances would be investigated for cybercrimes, had been mobilised by the International IT Army of Ukraine and asked: "What happens when we need them to disband, and where do those people go?"

She added: "We are at a tipping point of sorts when it comes to international law and thinking about what reasonable behaviour in cyberspace looks like; what is unreasonable behaviour; what contravenes the non-intervention principle and also looking at that also in terms of all civilians being on the front lines."

In response, Alexi said: "There is a possibility that by taking part in this manner, you might be classified as party to an armed conflict which comes with many responsibilities and possibilities regarding redress and action against you. It's not an area we've explored much in international humanitarian terms, and I very much doubt that it's the kind of thinking that generally goes on."

Jen Ellis, a cybersecurity advocate and community convenor, said: "The Ukrainian IT Army model has been fascinating, and in many ways, they've done some really interesting and positive work. But then we've also seen a lot of hacktivism.

"I wonder whether some of that activity might blow up in people's faces and worsen certain situations. We always have to be careful with any conflict scenario, so we don't suddenly decide that what was illegal yesterday is okay today. There are rules about these things that have existed, with good reason, for a long time."

"What we do see more than ever is a public-private partnership on disruptive campaigns, and there are ways, if you work in security, you can get involved that don't break the law, and that are part of strategic directed efforts."

Daniel Card, owner, and principal consultant of Xservus Limited, believed the cyber warriors will always be with us, regardless of armed conflict: "You can't control the internet or the human race. A small group of well-motivated individuals can do a significant amount of good or harm in cyberspace.

"We're trying to modernise our laws and our thinking around cyberspace. But we deployed the internet around 30 years ago without considering the consequences, so we are playing constant catch-up to manage it."

Lisa and Dan discussed the disparate group of pro-Russian hackers known as Killnet, which differs from Russia's highly skilled hackers working for its intelligence agencies' groups such as Fancy Bear and Sandworm. Killnet has been targeting European infrastructure, governments and even the Eurovision song contest with cyberattacks and disinformation campaigns aimed at weakening support for Ukraine.

Truth and lies

Moving on to disinformation, Patrick Burgess, BCS Information Security Specialist Group member and co-founder of the Managed Service Provider Nutbourne Ltd and IT Strategy Platform ClearBenchmark Ltd, said people crossed the line because they felt it was the right thing to do: "People act quite strongly and do things which maybe they wouldn't necessarily do if they weren't getting that continual reinforcement from their echo chambers, and it can get messy when people try to explain why they did what they did."

Victoria said part of the issue was how paranoid Russia is about controlling what its people can and cannot see. She said Russia illustrated this in the first draft of the UN Cybersecurity treaty: "The list of things that the Russian government deems inappropriate for their citizens to see is absolutely incredible. But it's a great indicator of how information control is absolutely central to the Russian government's survival."

Lisa said disinformation was becoming more sophisticated and harder to spot. She also warned: "We have to appreciate that propaganda comes from every direction, and we have to be very careful that just because it fits with our narrative, and we want to hear it doesn't necessarily mean it's true."

Home truths

The panel moved on to how the cyber threat impacts UK companies. For Lisa, it was the unintended consequences of cyberattacks from governments of any stripe which became a problem which she, and the CEOs and CIOs of companies, had to deal with.

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

However, Dan said he was more worried about coping with everyday cybersecurity issues: "I'm less worried about like nation-states, I'm more worried about vulnerabilities, human errors and misconfigurations, as anyone can exploit those."

Patrick agreed and said firms needed to keep themselves safe, no matter what global events were unfolding, adding that whilst there had been a surge of awareness campaigns at the beginning of the Ukraine war, people were now becoming more blasé: "There was this awareness, in Western countries of cyber and threats, and campaigns to patch yourself and get better and secure your network. Now there's almost an apathy again."

On the ground in Ukraine

Listening to the debate in Ukraine, Dmitriy said from his perspective, being legal was not the first consideration when fighting a country that didn't respect international law: "When you have to protect yourself, you have to act first. Maybe your actions won't be very legal or in line with all the agreements."

He said the priority was protecting services and staying safe, then looking at sticking within legal frameworks, adding: "It's not about throwing out all the legal agreements. But we should understand that Ukraine still stands mostly because many people wanted to protect the country against Russia. It's maybe not what most people would like, but it's how we can see it now."

He ended by thanking the panellists for discussing the subject of Ukraine and cybersecurity and for the support given by the UK government to his country.