Amidst a military invasion by Russian forces, Ukraine has taken a surprising (and some might say ironic) step: enlisting the aid of hackers and cyber vigilantes. As reported by Reuters, Ukrainian government officials have put forth requests for independent contractors to apply through a google document[1] in the hopes of enlisting their help in the defense of their country. In hiring these internet-paramilitaries, the Ukrainian government allegedly hopes to protect critical infrastructure and conduct spying and intelligence gathering operations against the invading Russian army.
More specifically, the InfoSecurity group reports that the hackers are to be divided into two groups: offensive and defensive hackers. Those in the defensive group are tasked with ensuring that Ukraine’s water and power systems are safe, whereas offensive unit volunteers will attempt digital espionage on Russian troop movements and plans[2].
This call for what is essentially vigilante justice has raised an important legal and ethical question: are states responsible, or should states be held responsible for the cyber attacks committed by those they sponsor?
A New Paradigm?
Cyberattacks, particularly those committed by state actors against other state actors, are rapidly becoming a commonplace tool of international conflict.[3] And in certain cases they are truly that: states attempting to gain access to other states. See for instance the United States considering retaliating against Russia with cyber-attacks of their own[4]. Such attacks would be organized and performed by United States Government groups
By contrast, examine next the history of cyber attacks as committed by Russian actors. These attacks started as far back as 2007, with Russia being accused of targeting Estonia[5]. From there a pattern emerged, with allegations surfacing of Russian cyber interference with everything from leaking the French president’s private emails[6] to attempting to influence the results of the United States presidential election[7]. A common thread emerges from almost every allegation of Russian hacking: they are committed by private groups. Sure, there are “strong links” or “reasonable suspicions”, but ultimately there is also plausible deniability for the state in question. So why not attempt to go after states for it anyways?
The Hydra of State-Sponsored Hacking
The hydra is a legendary Greek creature who is said to have nine heads, and each time you cut one head off another two grow back in its place. It’s an apt metaphor for the problems that arise when you try to assign blame to countries for state sponsored hacking. Consider the current attempts by Ukraine to enlist vigilante hackers. They clearly have some modicum of popular support, yet what happens if they go too far and target a Russian field hospital for instance, leading to injured soldiers dying. Does this truly help the Ukraine, or cause further injury to soldiers already out of the fight? If not, then are they any different from the widely condemned Russian cyber-attacks? And, assuming they do go too far, is Ukraine now liable for war crimes for employing them in the first place? Don’t forget, they’re not Ukrainian hackers, just hackers employed by the Ukraine.
Jurisdiction is another can of worms. Who takes whom to court over state sponsored hacking? And to which court? And for what crimes? Sure, you could make an argument for the precautionary principle of international law (i.e. it’s your responsibility to handle things that cause cross-border damage), but this is a stretch, frankly, and difficult to enforce for any country that doesn’t want to play ball. Some solutions have been posited, such as the WTO or ICJ[8], but insofar none have come forth to take on the responsibility of handling state-sponsored hacking.
An Utterly Unsatisfying Conclusion
So what is the answer? Should states be held accountable for state-sponsored hacking attempts or not? At this point, not even NATO or the European Union know the answer[9]. And while this article has raised several issues to be considered, that is not to say that the whole endeavor is fated to be fruitless. As cyber attacks continue, perhaps a solution will show itself to the world at large. Or perhaps this is simply another step in the long history of warfare waged by mankind. Either way, at this point all anyone can do is wait.
References:
[1] Joel Schectman & Christopher Bing, “Ukraine calls on hacker underground to defend against Russia” (2022), online: Reuters <www.reuters.com/world/exclusive-ukraine-calls-hacker-underground-defend-against-russia-2022-02-24/>.
[2] Sarah Coble, “Ukraine Asks for Hackers’ Help” (2022), online: InfoSecurity Group <www.infosecurity-magazine.com/news/ukraine-asks-for-hackers-help/>.
[3] “Significant Cyber Incidents” (2022), online: Center for Strategic & International Studies <www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents>.
[4]Ken Dilanian & Courtney Kube, “Biden has been presented with options for massive cyberattacks against Russia” (2022), online: NBC News <www.nbcnews.com/politics/national-security/biden-presented-options-massive-cyberattacks-russia-rcna17558>.
[5]Kenneth Geers, “Cyberspace and the changing nature of warfare” (2008), online: SC Magazine <web.archive.org/web/20081203191412/http://www.scmagazineus.com/Cyberspace-and-the-changing-nature-of-warfare/article/115929/>.
[6]Patrick Howell O’Neill “Researchers link Macron hack to APT28 with ‘moderate confidence'” (2017), online: Cyberscoop <web.archive.org/web/20180116135134/https://www.cyberscoop.com/researchers-link-macron-hack-to-apt28-with-moderate-confidence/>.
[7] Ellen Nakashima “Cybersecurity firm finds evidence that Russian military unit was behind DNC hack” (2016), online: The Washington Post <www.washingtonpost.com/world/national-security/cybersecurity-firm-finds-a-link-between-dnc-hack-and-ukrainian-artillery/2016/12/21/47bf1f5a-c7e3-11e6-bf4b-2c064d32a4bf_story.html?postshare=9631482406341944&tid=ss_fb-bottom>.
[8]Delbert Tran, “The Law of Attribution: Rules for Attributing the Source of a Cyber Attack” (2018) 20 Yale J. L. & Tech 376.
[9]Camino Mortera-Martinez “Game over? Europe’s Cyber Problem” (2018), online (pdf): Centre For European Reform <www.cer.eu/publications/archive/policy-brief/2018/game-over-europes-cyber-problem>.
Good post! I like how this post looks over the more ethical aspect of Ukraines cry for help as well as the US’ responsibility for cyberattacks.
Interesting Post! It is not only about the military war that is happening, people are also seeking help from the digital world to end this ongoing war, voluntarily as the hackers hired from different countries.
I have never thought of the legalities of countries hiring third party hackers to infiltrate other governments. I believe that having a contract that explicitly states what type of hacking and what targets the country wishes to attack can help decrease liability. If the contracted hackers deviate from the contract then the responsibility would be placed on them. I do not think that this type of openly government sanctioned cyber attacks has happened before and so it will be interesting to see what the international court rules.
A great point! What’s interesting to note, though, is that states might be somewhat reticent to engage in formal contractual relationships with hacker groups, as what they are doing is already somewhat in a grey area legally. There is a fair amount of scholarly debate on whether a cyberattack against a state is an act of war, and right now states enjoy at least some level of deniability by claiming that it was a private group. By forming a contractual relationship, they would be confirming their actions to the world, and then the jury’s really out on what might happen!
Good Post! You make an interesting point on how jurisdiction regarding these types of attacks is rather messy. It got me thinking about these types of attacks and how they are conducted. When a sovereign nation employs a group of hackers to specifically target another nation’s IT infrastructure, this can be seen as a type of attack from one nation against the other. But no formal declarations are made, war is not declared, sanctions are not pressed (like those implemented in light of recent events). One nation simply hires a group of people and they go out and they begin their assault. The key (as you mentioned) is plausible deniability, If a government officially acknowledged that they were behind a cyber attack against another nation, would the response be? Would this type of attack by itself be grounds for a harsh retaliation (such as war)?
Thanks for the very interesting post! I always thought that if another world war was going to happen it would be cyberwarfare over weapons and bombs. Seeing how that has now become reality with the help of hackers helping support Ukraine.
I think this shows just how important cyber attacks and defense is in modern warfare with Ukraine attempting to enlist vigilante and hacker help. I also think this is a very interesting discussion in terms of who do we hold responsible for cyber attacks by members of certain states but with the states claiming no part of the attack. I think all those allegations of Russian hackers are great examples that you listed of this as well as potential harm hackers employed by Ukraine could cause in return. It also makes you wonder about a scenario where United States hackers or any other country start causing serious damage to Russia but with the states not taking any responsibility, what happens then.
This post is representative of fighting fire with fire. Clearly, the Ukrainians are realizing the importance of maintaining cyber superiority against the Russians. In fact, every day I read something about hacking in the news which is initiated by the Russians or independent groups targeting the Russians. The post got me thinking if the West might make adjustments to their own cybersecurity force to combat foreign aggression because cyberattacks have clearly occupied the forefront in the Ukrainian-Russian conflict.
This was an interesting read. It shows that the conflict is done through cyberattacks with both governments recruiting hackers for this. I still find it hard to believe that this is reality but hopefully this comes to an end soon.
Interesting post. It really got me into thinking about how these attacks are being conducted. It is true that Ukraine is hiring hackers to attack Russia right now in order to slow down Russia’s invasion of Ukraine. It just shows how vital cyber-attacks and defenses are in this battle. I also do think states should be held accountable for state-sponsored hacking attempts, even though not even NATO or the European Union know the answer.
This post actually shows how big of a role technology can play even in wars. Ukraines move to actually hire hackers seems like a good idea. With the invasion going on, many people have fled the country thinking about their own safety, this includes IT professionals and many other people working in the Defense System of the country. Hacking into Russian system to get competitive advantage might fall under unethical hacking, however, when your own motherland is at risk the question of ethics is the least of anyone’s concern. On a side note, I hope that this tension between Ukraine and Russia comes to a halt and peace returns.
I agree that IT and network infrastructure professionals are a sorely under-considered facet of warfare. Who knows how many vital elements of Ukraine’s internet infrastructure are civilian and have attempted to evacuate, or are otherwise not able to do their job effectively. Perhaps this is something that modern militaries across the globe might want to consider as conflicts increasingly involve the digital sphere.
I agree that IT and network infrastructure professionals are a sorely under-considered facet of warfare. Who knows how many vital elements of Ukraine’s internet infrastructure are civilian and have attempted to evacuate, or are otherwise not able to do their job effectively. Perhaps this is something that modern militaries across the globe might want to consider as conflicts increasingly involve the digital sphere.
Interesting post! Russia had anticipated reprisal for its invasion of Ukraine and had been prepared for the cyberattacks that are expected to occur, which happened.
Since then, accounts linked to hacker collectives and pro-Ukraine Telegram groups have claimed that Anonymous and other organizations had taken down some Russian websites and servers. However, because of Russia’s geofence and its lengthy history of disseminating disinformation, it’s impossible to say whether these websites were hacked and, if so, how long it took for them to be restored.
Great post!
It seems that this Russian-Ukraine conflict will be one of the first major wars fought with cyberwarfare. Since cyberwarfare is completely unprecedented in our times right now, the sort of attacks that Russia or any of the countries who support Ukraine may induce would be nothing that anybody has seen before, and that fact is both scary and fascinating.
I love your reference to Hydra here, although this may seem like fighting fire with fire it just seems to make everything more complex. Although the consequences of this war has tolled thousands and continue to kill it will be interesting to see how cyberattacks advance. Just as war has advanced other technologies – weapons, medicine, radar ect. – I wonder how it may change the way technology can be used. As Joshua brought up in another comment, this could be a first major war to equip cyberwarefare to this extent.
Joshua’s comment:
https://wpsites.ucalgary.ca/isec-601-f21/2022/03/01/a-taste-all-too-familiar-ukraine-calls-for-help-from-hackers/#comment-1717
Awesome Post!
With the way everything is going right now, I won’t be surprised if we get into an international cyber war involving the United States. I think that in cyberworld, there are no rules and definitely no clarity, anything can happen at anytime. And since Ukraine is in the spotlight right now, they need to get prepared for cyberattacks from external hacking groups.
Great post! One thing I would bring up is that the laws of war could play a role here. The attacks mentioned here would qualify as a “cyber-attack”, as they could reasonably cause real-world harm to persons or property. This means that those doing the attacking would be considered as part of a levee en masse if based in the Ukraine, meaning they would fall under combatant immunity, while those not in Ukraine would be considered civilians engaged in hostilities. As well, both of these groups could be lawfully targeted, not just in a cyber context, as long as the response is proportional. As well, there are several cyber operations which would be illegal under the laws of war, including attempting to annihilate the enemy population through starvation, or beligerent reprisals against medical facilities and personnel. As for state responsibility, a state is considered reponsible when the conduct is attributable to it. Specifically, when persons are specifically empowered to exercise “state authority”, their actions are attributable to that state. Because of this, I would argue that the requested actions of any international cyber vigilantes would be considered attributable to Ukraine under international law.
A very important topic, especially in this international climate! From the looks of these situations, hackers-for-hire are increasingly looking like mercenaries, or private military contractors (PMCs). While mercenaries and PMS serve an infantry purpose, they can also serve a purpose in intelligence, logistics, and operational planning and management which makes them very fluid in fulfilling a wide variety of their state clients’ needs. Hackers appear to be playing this purpose as well, but more along acting as a proxy force. However, mercenaries (but not PMCs) are banned under international law. But the hacker is a lot harder to link to its state-sponsore in some cases. As this war drags on, we may see how much this push by the Ukrainian government to hire hackers will impact the battlespace and what acts they may be responsible for. On another note, the fact that Ukraine is doing what Russia has done since the mid-2000s does not surprise me. In this situation, Ukraine has been pushed into a corner. It is of no surprise that any animal or person who is trapped will fight ferociously in order to overpower their opponent. How this may widen outside of cyber operations will be interesting.