Most networks can be breached, and most software has exploitable flaws. This can give unparalleled advantage to attackers, but the situation in Ukraine suggests that an energetic and thorough defense can prove more than adequate in matching this advantage. The Ukraine experience can guide decisions on cyber defense, and it suggests that adequate cyber defense will require different approaches, involve new actors, and be complex for nations to construct and coordinate. As part of the UK National Cyber Security Centre’s efforts to shape debate and discussion around cybersecurity issues, this collection of essays examines the war in Ukraine, with a view to the wider debate around the role and value of cyber capabilities.
The “information space” is one of the key spaces in this conflict. Both sides have vied to shape public narratives and international opinion. Much has been written about the West’s use of the rapid declassification of strategic intelligence to counter and debunk Russian lies about actions in Ukraine. Similarly, much debate amongst academics and commentators has sought to understand whether or not the world is witnessing “cyber war” in Ukraine, or whether and how cyber operations add value to furthering a state’s strategic objectives. Originally, this discussion had a focus on cyber’s offensive utility. The following essays shift the focus toward the use of cyber capabilities for defensive or protective purposes and look at the Ukraine conflict through the lens of cyber defense to identify critical lessons from Ukraine on the construction of cyber resilience.
Serious thinking about cyber defense has largely transitioned from giving deterrence a central place in defensive strategies to focusing on the concept of resilience. Democracies cannot expect to deter adversaries from attempting to use cyber operations to advance their national objectives. This leads to the conclusion, discussed in all of the essays, that the goal for national policy must be cyber resilience: the ability to minimize disruption to critical data and services. Advocating for deterrence still serves a political purpose by signaling a desire to avoid conflict, but it is no longer the foundation of national cyber defense.
A good example of this is the new national cyber strategy published in March by the United States. The strategy never uses the word “deterrence” because, in the view of those responsible for its drafting, deterrence had failed routinely in cyberspace. Deterrence assumes that an adversary can be dissuaded from action; resilience assumes that adversary cyber action is inevitable. This has led to the conclusion that resilience is a better approach to cyber defense, particularly against a range of adversaries we confront, which includes not only states but also criminals and proxy forces. In this sense, cyber resilience protects against a much wider—and future—set of threats.
These essays explore different aspects of defense and resilience—including the actors that contribute to it—and identify lessons that Western countries can draw from the Ukrainian experience to build robust, collective cyber resilience. This includes the power of partnerships, whether in responding to cyberattacks or ensuring the continuation of vital services amidst conflict, and the unprecedented coalition of government, multinational, industry, and civil society actors whose efforts have enabled a stronger Ukrainian defense.
It should be noted that the most important aspect of resilience is only discussed indirectly in the essays: the need for political and social resilience. Lonergan, for example, notes that the political implications of cyber actions have proven to be more important than their military effect. One of Putin’s many miscalculations was the belief that Ukrainian defenses would quickly crumble. A Russian analyst (now in exile) suggests the precedent of Afghanistan as shaping Russian expectations, since in that case a well-equipped and Western-trained army evaporated in a matter of a few weeks. Putin may have expected Kyiv to react like Kabul. However, Ukraine’s leaders and people were not ready to concede to Russian suzerainty. The keystone of resilience is the political will to continue to resist. While it can be an elusive term, this political will forms the basis for diplomacy and defense.
The essays point out that the Ukraine conflict demonstrates that political resilience must be strengthened in cyberspace, by attention to both the digital technologies that create the information space messages and the content itself. This is not only because of the struggles over the narratives that shape opinion (and thus political will), nor solely because of the possibility of disrupting critical infrastructure, but also because cyber actions provide the tools and the structure to build a resilient community for defense—a community, as the authors note, that has transcended the boundaries of Ukraine and Russia.
There is more to cyber resilience than political will, of course (although without political will other actions are superfluous)—people, technology, organization, planning. Nor can cyber resilience be thought of as solely the remit of government. Indeed, what the Ukraine conflict has demonstrated is the broad, diverse range of actors participating in a conflict.
A more diverse set of participants in the conflict raises questions of how it is that the roles and responsibilities within cyberspace are understood, as well as what the norms and rules are that dictate how actors conduct themselves. Ukraine has demonstrated the value of coalitions in cyberspace, and of collective defense, including robust and distributed data and network architectures. Partnerships with civil society, the private sector, and other governments are crucial. Organizing this multi-party effort requires an ability to connect and communicate with all actors, and this requires reinforcing established channels for media and official communications with the use of distributed and decentralized messaging services, like Signal and Telegram. All of the essays explore the new digital landscape where cyber conflict will occur and which nations must defend: a landscape created by fiber optic networks, mobile telephony, the “cloud,” and satellites.
The essays draw several lessons from the Ukrainian experience. The first is that many cyber strategies, in light of that experience, can now be seen to be incomplete or inadequate in their definitions of what is critical for defense. A second is the need to establish deep relations with allied and partner nations for sharing intelligence, technology, and tactics. Ukraine had an advantage in that its cyber conflict with Russia began in 2014, allowing government agencies to develop greater collaboration in responses and Ukraine to build mature relationships with allies. Similarly, establishing relations with global service providers and civil society on an ongoing basis is critical. The ability to use resources and support from the private sector and civil society gave Ukraine an advantage in defense that Russia was unable to match.
The authors recognize the need to exercise a degree of caution in drawing on the Ukrainian experience. Russia’s military proved to be startlingly incompetent; future opponents may not be similarly afflicted. Russia’s brutal and unprovoked invasion created a wave of sympathy and support among democracies and civil society. Other conflicts, where moral and ethical distinctions are not as stark, may not produce the same response. One task for national cyber agencies is to build now the supportive relationships with nongovernmental actors that are needed for conflict: both the constant ongoing low-level conflict that defines cyberspace and the eventuality of a conflict that crosses the threshold of the use of force, something that seems much closer than it did a decade ago.
The essays included in this collection predict that many different categories of actors will be enmeshed in future cyber conflict. This aspect of the Ukraine conflict provoked a confusing discussion in the broader cybersecurity literature on the legality of using proxies and the implications for the global norms on responsible state behavior in cyberspace that were agreed upon at the United Nations. Frankly, this debate seems to be based on misunderstanding. The UN discussions made it clear that the agreed norms do not apply during armed conflict—which is the sphere of different norms and laws, in particular the Laws of Armed Conflict (LOAC). There are ambiguities, of course, created by the nature of cyberspace when nations attempt to apply LOAC, given that distinctions among participants and targets that can be clear in the physical world are opaque in cyberspace, but the authors discuss whether the use of proxies and militias has become a normal and (if done in accordance with LOAC) legal part of warfare and most likely an element of any cyber conflict in the future.
The essays raise these points in greater detail and clarity. Lonergan’s discussion of proxies makes the important point that while there is little evidence of effect from “hacktivism” on opponent decisionmaking or military capabilities, there is strong evidence that the primary effect is political and international—to build a community of support and to shape the narrative of the conflict for national and international audiences. The proxy actors’ apparent relationship with the “sponsoring” state is a key determinant of this, combined with a greater international orientation to shape the narratives of the conflict, and a focus solely on cyber effects may miss the most important impact created by proxies. Lonergan criticizes the tendency among policymakers and media to default to hyperbolic language to depict the effect of proxies, regardless of their true impact—noting that hyperbolic rhetoric about cyber proxies only reinforces their narratives and becomes a tool to rally their constituencies.
Voo’s essay notes that the internet has become a political battleground and that Ukraine offers important strategic lessons for the key foundations of successful cyber defense. She asks fundamental questions of whether the responsibility for defense lies in the voluntary actions of tech companies or whether special rules for social media, dual-use technology, and the participation of volunteers are needed in periods of conflict. She emphasizes the need for organization and the importance of integrating cyber defense strategies into a country’s wider military and intelligence strategies.
She and Ertan both note that private sector actions are not driven solely by altruism, since Russia’s cyber actions harm the space in which they do business, and there is only an ad hoc business model for private sector actions. Voo asks what has become the central question for international cybersecurity: whether consequences are needed for norms to have any meaning. Ertan suggests that countries may need to develop (individual or collective) funding mechanisms to remedy this with suggestions for remodeling cyber resilience from a NATO allies perspective. She also makes the critical point that “cyber war” is a flawed concept, since most adversary action remains below the use-of-force threshold. The increasing ease with which authoritarian states use cyberspace to undermine a rules-based order creates an uneasy space that is marked by conflict rather than peace. Garson also points to early misunderstandings of the complexity and limitations of cyber operations that confused expectations for the Ukraine war. She explores the sheer depth of the private sector’s involvement in cyberspace, along with the complexity this creates for companies as they seek to navigate engagement and risks within complex geopolitical crises—as well as the implications that the private sector’s actions hold for long-term stability in cyberspace, as the lines between defensive and offensive activity become increasingly blurred in conflict.
These brief synopses do not do justice to the essays, and indeed barely touch upon many of their most salient points. There are also the caveats that the conflict has not ended and that the full details have not emerged. But with these caveats, the essays provide a deeper understanding of the use of cyber operations in the war—and how democratic countries should, in light of this, prepare their cyber defenses and resilience, whether within or outside of a conflict.