The ongoing conflict in Ukraine has drawn in hackers vowing to conduct cyberattacks on behalf of both parties to the conflict. On the Ukrainian side, the government has called on hackers to join its “IT Army,” and there are indications that upwards of 400,000 individuals have volunteered their services. Additionally, hacktivist groups have independently taken up cyber arms against Russian interests. Anonymous, for instance, declared “cyber war” against Russia and claimed responsibility for a number of cyberattacks. Other groups, such as GNG and NB65 (which are loosely affiliated with Anonymous), as well as GhostSec, the Cyber Partisans, and others, have engaged in similar activities.
A similar dynamic exists on the Russian side. Notably, the Conti ransomware group announced its backing of the Russian government and warned of cyberattacks against critical infrastructure. The Sandworm group, which has links to Russian military intelligence (GRU), is also involved. The United States and United Kingdom governments have both issued alerts about new malware, Cyclops Blink, linked to Sandworm. Sandworm’s presence is of particular concern because of its track record, which includes the 2015 BlackEnergy cyberattack against Ukraine’s power grid and the 2017 NotPetya cyberattack. Given Russia’s past reliance on cyber proxies, it is probable that the groups involved in Ukraine are operating at least with Moscow’s tacit permission, although Russia continues to deny responsibility for cyberattacks conducted against Ukraine.
While the impact of the cyberattacks conducted by these groups has been minimal so far, the proliferation of these third-party, non-state cyber actors has important, and potentially negative, implications for the norms of behavior that the U.S. government is seeking to promote. The reality of how political actors behave often has a greater bearing on norms development than formal agreements, like those fostered via the United Nations Group of Governmental Experts or Open-Ended Working Group. The Ukraine conflict is revealing potential tensions between the norms the United States professes to support and the behavior taking place in the digital world.
In one sense, from the perspective of emerging state practice, the prominent role of cyber proxies in Ukraine is not a novel phenomenon. Third parties—whether deliberately or inadvertently—have long played a role in crises and conflicts, especially ones involving Russia. Examples include Estonia in 2007, Georgia in 2008, and Ukraine in 2014. States perceive a strategic benefit in establishing ambiguous relationships with non-state groups (ranging from proxies and criminals to patriotic hackers and lone wolves) because of the plausible deniability and capability augmentation benefits they confer.
However, there is one aspect of the conflict that differs from past behavior: the Ukrainian government’s explicit and open calls for cyber proxies to fight on its behalf. This raises questions about how this behavior may affect two important norms that the U.S. government has sought to promote: the norm against state sponsorship of cyberattacks and the norm against targeting civilian critical infrastructure.
First, the United States has long sought to promote a norm that states are responsible for cyberattacks that emanate from their territory, and to hold accountable states such as Russia that provide safe havens to cyber actors. For example, in the wake of the Colonial Pipeline ransomware attack last year, President Biden stated that Russia has “some responsibility” to address ransomware attacks that emanate from Russia even if the attacks were not directly ordered or sanctioned by the government. States often shield themselves by leveraging plausible deniability, refusing to take responsibility for cyberattacks conducted by third parties linked to the government. In this case, the Ukrainian government is rejecting plausible deniability outright; instead, it is publicly calling for assistance from third parties. Moreover, Ukraine’s “IT Army” is reported to operate at the direction of the government, with specific tasks and a target list assigned through a Telegram channel, such as requests to conduct Distributed Denial of Service (DDoS) attacks against Russian and Belarusian targets.
Second, the United States also endeavors to promote a norm against targeting civilian critical infrastructure with offensive cyber capabilities (as distinct from cyber operations to gain access to critical infrastructure and/or for legitimate intelligence collection purposes). When President Biden met with President Putin in Geneva in the spring of 2021, he explicitly reinforced this norm and warned against Russia conducting or permitting cyberattacks on sixteen critical infrastructure sectors. Similarly, during the ongoing Ukraine conflict, President Biden reinforced this norm by stating on multiple occasions that the United States is “prepared to respond” to Russian cyberattacks against U.S. critical infrastructure, including attacks carried out by ransomware groups or other third parties with links to Russia. If Ukraine’s “IT Army” were to conduct cyberattacks against Russian civilian critical infrastructure (as opposed to legitimate military targets), there is a risk that this kind of behavior could undermine this norm as well.
Some might argue that a wartime situation calls for a different set of cyber norms. For example, the norm against targeting civilian critical infrastructure is sometimes framed explicitly in terms of cyberattacks during peacetime, but in other instances it is described as applying both above and below the threshold of armed conflict, consistent with international humanitarian law concerning attacks against civilian targets.
But there are risks inherent in not calling out some of the cyber behavior taking place in this conflict, such as lending implicit justification for states, including Russia, to allow third parties to conduct cyberattacks against non-belligerents with an interest in a conflict, such as the United States. There are also concerns about spillover and Russian retaliation against the United States. It is unlikely that the Ukrainian government will be able to exercise sufficient command and control over its IT Army to prevent cyber operations from having effects beyond the intended target, or to avoid provoking a Russian response. For example, after a group claimed in March that it had shut down the control center of Russia’s space agency, Russia warned that a cyberattack against its satellites would be a justification for war. This is particularly concerning given the reliance of nuclear command, control, and communications systems on dual-use satellites, and the implications for nuclear stability if these were attacked in cyberspace.
U.S. policymakers may be reluctant to admonish cyber behavior, especially when it is in support of Ukraine, because the United States has an interest in undermining Russia’s war effort. However, this may set a precedent with unintended negative consequences, eroding norms the U.S. government seeks to promote and making it more difficult for the United States to hold other states responsible for similar actions in the future.
Erica D. Lonergan (née Borghard) is a research scholar in the Saltzman Institute of War and Peace Studies at Columbia University.