In response to Russia’s cyber attacks, Ukraine has rolled out its own system of cyber defence and counter offence. Dmytro Khutkyy summarises six types of cyber resilience and calls for stronger cooperation between the Ukrainian government and civil society.
Introduction
Ukraine has faced numerous high-profile cyber attacks, often attributed to Russian-backed actors. Back in 2015 and 2016, Ukraine’s power grid was attacked, leading to widespread blackouts affecting hundreds of thousands of citizens. Later, in 2017, the NotPetya virus, destructive malware disguised as ransomware, targeted Ukrainian companies, banks and government agencies and then spread globally. The virus paralysed systems, wiping data and causing billions in damage worldwide. Therefore, to counter Russia’s cyber attacks, Ukraine employs cyber resilience, part of a wider digital resilience, and even wider societal resilience. Cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse cyber events. It encompasses the capacity to prevent, detect, respond, recover and adapt. As Ukraine is facing a full-scale Russian invasion, its cyber resilience can also be viewed as part of its cyber defence and counter offence in its cyber warfare with Russia. How good is Ukraine at this? Let’s explore the topic in detail.
Types of cyber resilience
Analytically, it is useful to examine cyber resilience along two aspects. The first aspect contrasts centralised versus grassroots cyber resilience. The second aspect distinguishes between (a) domestic-actor single-stakeholder, (b) domestic-actor multi-stakeholder, and (c) international cyber resilience. The intersection of these two aspects yields six types of cyber resilience: governmental, government-led, inter-governmental, hacktivist, hacktivist-led and inter-hacktivist (see Table 1).
Table 1. Classification of cyber resilience types by actors
Governmental cyber resilience
First of all, it is useful to consider cyber resilience executed by government agencies and their projects. The Security Service of Ukraine (since at least 2019) and the Computer Emergency Response Team of Ukraine or CERT–UA (since at least 2021) have routinely detected and deterred cyber threats. Their power is in top-down organisation and discipline that ensure concerted and focused action. For example, in January 2022, shortly before Russia’s full-scale invasion, the State Security Service of Ukraine reportedly detected over 25,000 critical information security events and deterred 121 cyber attacks on Ukrainian government information systems. The following year, in 2023, the State Service of Special Communications and Information Protection of Ukraine reported that Ukrainian security analysts had recorded and processed 1,105 cyber incidents, 62.5% more than in 2022. Also, to avoid data loss and continue providing e-services, Ukrainian government agencies transferred data from national data centres to cloud services hosted in other European countries. As a last resort, to prevent personal data leaks, some state registers and public services were moved offline. Despite debate on creating such a force, there are de jure no cyber troops in the Armed Forces of Ukraine yet. But there are de facto cyber teams within the armed forces and the General Directorate of Intelligence that protect the systems of the respective state institutions.
This discussion shows that governmental cyber resilience is predominantly exercised not by random civil servants but by centralised state information protection, security and military agencies. However, restricted by legal instructions and hierarchy, governmental agencies and teams may lack flexibility.
Image 1. Security Service of Ukraine emblem. Source: Wikimedia Commons.
Government-led multi-stakeholder cyber resilience
Beyond governmental cyber resilience, there is cooperation between the government and businesses as well as between the government and individual citizens, which the government leads. For example, in March 2022, the State Service of Special Communications and Information Protection (SSSCIP) announced multi-layer cyber defence solutions developed jointly with IT companies and CERT–UA. In 2022, the Ukrainian government invited major international technology companies such as Amazon, Google and Microsoft to reinforce Ukraine’s cyber security and critical communications infrastructure. Amazon transferred 10 petabytes of government data to the cloud, including bank information, land registers, and essential data from ministries, universities and private companies. Google incorporated the websites of Ukraine’s government and embassies in its project Shield, which provides free protection against distributed denial-of-service (DDoS) attacks (malicious attempts to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic). Microsoft sponsored the migration of Ukrainian government data and a significant part of Ukrainian computing capacities to the cloud. The shortcoming of this cooperation format is that it heavily focuses on infrastructure and lacks decentralisation of methods and targets of cyber defence.
Inter-governmental cyber resilience
The global community has united to counter Russia’s aggression against Ukraine in cyberspace as well. At the interstate level, already in 2020 USAID launched the four‐year Cybersecurity for Critical Infrastructure in Ukraine activity to strengthen Ukraine’s cyber preparedness and protect critical infrastructure. Furthermore, in March 2022, the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) granted Ukraine the status of a contributing participant. This cooperation facilitates the exchange of experience between NATO members and partners in the field of cyber defence. Estonian officials were at the core of advocating for Ukraine’s admission to CCDCOE. Estonia’s experience in countering the 2007 cyber attacks that took place against the backdrop of worsening relations with Russia is now complemented by Ukraine’s experience in combating the hybrid war unleashed by Russia. The European Union strengthens Ukraine’s cyber resilience, specifically of the Armed Forces of Ukraine, with international technical assistance projects implemented by the Estonian e-Governance Academy. Such international cooperation creates synergies in the cybersecurity area. Still, Ukraine benefits from only partial membership status in CCDCOE and is an importer rather than an exporter of cyber technologies.
Hacktivist cyber resilience
Grassroots initiatives like the Ukrainian Cyber Alliance harm and hack Russian information resources. Their strength is in swarm-like bottom-up self-organisation that is difficult to detect and react to. According to the Alliance, they hacked Russia’s prison agency and obtained personal data of Russian leadership from state decision-making centres. Their concealed activity pattern also complicates the identification of their operations – they are rarely advertised publicly. Yet, we know that they have been active since 2014 and intensified their activities in 2022.
Another example is the IT Army of Ukraine, which is ostensibly independent of the Ukrainian government. Its website encourages visitors to install specific software, read instructions on setting up DDoS attacks, pick up pre-defined tasks and participate in DDoS challenges. The website also offers support for those with questions and suggests new targets in Telegram. This format of cooperation is powerful as it coordinates numerous individual cyber activities. Already in 2022, the army purportedly consisted of 200,000 persons with access to the personal data of the Russian private military company Wagner and had hindered or stalled the work of over 2,400 Russian online resources, including the e-resources of Gazprombank, Moscow CreditBank and Sovkombank. Other organised cyber actors such as Ukrainian Reaper, KiberBull, Cyber Palyanitsa, the Student cybergroup, DDoS Attack Cyber Cossacks, Anonymous-Ukraine, DDoS joint group and UA Cyber Shield have purportedly engaged in IT Army operations as well. Such a grassroots decentralised initiative allows greater flexibility, although it might lack the kind of focus that more centralised initiatives have.
Hacktivist-led multi-stakeholder cyber resilience
There is one more format of collaboration between hacktivists and the government – the form initiated and led by hacktivists themselves. The power of such a format lies in the consolidation of decentralised efforts leveraged by government capacity and mandates. It may have been experimented with in the early days of the full-scale invasion, but there is no solid evidence that it grew into anything systematic afterwards. Reportedly, already on the first day of the full-scale invasion, on 24 February 2022, the automated e-system “Elections” that supports the illusion of Russian election legitimacy was shut down; due to this cyber attack, the hackers also gained and transferred to Ukrainian law enforcement authorities the personal data of Russian civil servants. Purportedly, they also hacked the management system of the Federal Treasury of the Russian Federation, which disrupted funding of the Russian army, law enforcement agencies, state enterprises and executive authorities. However, there is no solid evidence that such cooperation grew and evolved further.
Inter-hacktivist cyber resilience
At the level of international civic initiatives, The Wall Street Journal reported that in the first days of Russia’s full-scale invasion of Ukraine in February 2022, Anonymous – a global network of hacktivists – carried out successful cyber attacks on the Kremlin, the State Duma and the Russian Ministry of Defence. Then, according to materials disclosed by The Washington Post, independent digital hacktivists hacked and published documents from the Russian state propaganda and surveillance agency Roskomnadzor and the electronic correspondence of the All-Russian State Television and Radio Broadcasting Company. Even the Russian Ministry of Foreign Affairs admitted the scale of cyber attacks from around the world on Russian government agencies in response to the attack on Ukraine. Yet, Anonymous’s cyber activities against Russia seem to have decreased since early 2022. Nevertheless, such cyber resilience is highly decentralised and concealed. The challenge, however, is that Anonymous’s agents follow their own agenda and priorities, which are subject to change.
Image 2. Anonymous emblem. Source: Wikipedia.
Conclusions and recommendations
These examples fall into six categories of cyber resilience: governmental, government-led, inter-governmental, hacktivist, hacktivist-led and inter-hacktivist. So far, the most widely advertised are the governmental and the multi-stakeholder government-led ones. Inter-governmental initiatives are rather systematic, too. Grassroots Ukrainian hacker activities against Russia are reportedly numerous and powerful, but it is difficult to assess their impact. Finally, inter-hacktivist as well as multi-stakeholder hacktivist-led and joint government-activist cyber activities are rare. This indicates a gap in the cooperation between the Ukrainian government, the Ukrainian hacktivist community and the international hacktivist networks. Still, the available pillars of cyber resilience constitute a loose yet robust system combining hierarchy, distributed decision-making self-organisation and a hierarchy with multiple semi-autonomous elements. These findings indicate that Ukrainian cyber resilience can be reinforced by bridging the Ukrainian government and civil society and strengthening their cooperation. When a genuine hacktivist-government cooperation emerges, Ukraine has the potential to generate more synergies and become even more efficient in digital and societal resilience. Kyiv International Cyber Resilience Forum and Lviv IT Arena are examples of national platforms that can be employed to establish connections and build the community for Ukrainian cyber resilience. At the global scale, inter-hacktivist cooperation can supplement the domestic one and, therefore, should also be strengthened.