Russia has used novel hybrid warfare tools against Ukraine – in the form of cyber, informational and psychological operations, among others. (See NATO Review “Hybrid war – hybrid response?” for Russia’s use of these tactics). Since the beginning of the conflict, the Russian government has been linked to low-level cyber attacks, mainly Distributed Denial of Service (DDoS) attacks targeting Ukrainian media, government, and finance sites. It has also launched notable (dis)information and propaganda operations aimed at keeping the Russian-speaking population in Russia, Ukraine and abroad under its “information sphere of influence” and changing Western sentiment regarding the Russian military invasion of Ukraine.
Andrei Illarionov, a senior fellow at the Cato Institute’s Center for Global Liberty and Prosperity and a former chief economic adviser to Russian President Vladimir Putin, goes even further, saying “we all are participating in this [information] war” with Russia. Moscow has ingeniously hired online trolls to post pro-Russian comments on Western news outlets and social-media sites. Military experts (most recently General Philip Breedlove, NATO Supreme Allied Commander Europe, and Finnish Chief of Defence General Jarmo Lindberg) have urged that unless NATO and allied armed forces prepare to respond to these new warfare tools, they will not be able to defend the security and prosperity of the community of liberal democratic nations.
Earlier this month at the Wales Summit, NATO committed to enhancing its support to Ukraine through “substantial new programmes” with, among other areas of assistance, a focus on cyber defence, strategic communications, and command, control and communications. NATO has established four Trust Funds to finance modernisation of Ukrainian armed forces – one in the area of cyber defence. Many allies are providing additional military-technical support to Ukraine on a bilateral basis. But more should be done to help. The West cannot afford to neglect the cyber dimension of security, despite the urgent need for basic military and medical equipment. This has been observed by Admiral James Stavridis, formerly NATO’s Supreme Allied Commander Europe, who has called for NATO to set up its own operational cyber defence force and explore the utility of offensive cyber weapons, as well as directly offer the Ukrainian armed forces cyber defence assistance.
There is not much information available on the details of the existing multi- and bilateral assistance projects for cyber defence to Ukraine. Hopefully Western donors are consulting Ukrainians so that their assistance matches the actual needs of authorities and private sector organizations (on the other hand, Ukrainians may not know exactly what they need; mapping gaps may be the first step). In their efforts to help Ukraine, the EU, NATO and their member states should consider the following proposals for cyber defence assistance in three main areas: cyber defence skills and capabilities development; cyber security policy, legislation and strategy development; and material and technical assistance.
Matching the Ukrainian needs
First, a NATO-Ukraine Working Group should be set up in the framework of the NATO-Ukraine Commission to determine specific needs of the Ukrainian government, military, and private sector (mainly Internet Service Providers, telecommunications companies, financial institutions) in the area of cyber defence. The working group should draft Memoranda of Intent or Memoranda of Understanding laying out short and mid-term cooperation roadmaps with specific cooperation modalities regarding information sharing, training and exercises, cyber defence-related scientific cooperation, etc.
Cyber defence skills and capabilities development
NATO, the EU, and their member states should invite Ukrainian experts and officers to their cyber defence exercises (Cyber Coalition, Cyber Europe). The NATO CCD COE could offer a legal course and a web-based basic awareness course to Ukrainian legal experts and decision-makers.
NATO should share cyber intelligence and early-warning information with Ukraine. In the framework of the Annual National Programme, the Alliance should strengthen cooperation for cyber defence capability development in the Ukrainian armed forces to integrate cyber into operational planning, training and exercises. NATO nations could also send cyber defence advisors to NATO offices in Kyiv, and increase their financial support through the NATO Trust Fund for cyber security.
Member states that wish to contribute more could deploy their cyber security advisers and experts to CERT-UA and Ukrainian armed forces. In case of a cyber crisis/incident, NATO allies should deploy their “Rapid Response Teams” within 24 hours.
Since hybrid warfare blends cyber means with information and psychological operations, consultations and training on strategic communication should be offered by the NATO Strategic Communications CoE in Riga. Russia’s propaganda that appeals to emotions of a target audience (e.g. by using falsified emotional images and messages) has not received much attention.
To combat cybercrime, the EU should support police and judicial cooperation between Ukrainian and European authorities (Europol, European Cybercrime Centre, Eurojust). In order to respond to attacks by Russian cybercriminals and hackers, the EU should use its leverage to persuade CERT-RU and Russian law enforcement and judicial authorities to cooperate with Ukrainian colleagues.
Cyber security policy, legislation and strategy development
The EU has notable expertise in establishing public-private partnerships and in ensuring the resilience of critical infrastructure. The European Network and Information Security Agency has provided guidelines for cyber policy and strategy development for its member states. Those projects could be tailored to Ukrainian requirements.
The EU should consult Ukraine regarding the implementation of the whole-of-nation approach in cyber crisis management. Today in Ukraine there is no single central authority overseeing cybersecurity, and functions are divided among the Security Service of Ukraine (SBU), the State Special Communication Service, and the Ministry of Internal Affairs. The EU should provide assistance and training to improve the organisation of inter-agency consultation, cooperation, and information sharing among Ukrainian government agencies in charge of cyber and IT issues.
At the national level, the Estonian e-Governance Academy, having long-term experience in consulting with Eastern Partnership countries on developing cyber security legislation and policy, should offer a course to Ukrainian government officials on how to improve and streamline legislation (today there are more than 20 laws that regulate cyber security), and establish e-governance to increase transparency and accountability, thus decreasing corruption.
Ukraine’s legislation should support better cooperation and timely information sharing among CERT-UA, law enforcement, and the private sector; it should also mandate the implementation of risk assessments, incident reporting, and crisis response plans for government networks and critical infrastructure. Applying the Estonian experience, the legislation could identify voluntary security and service quality standards for those government networks and critical infrastructure institutions that have not yet done so. For example, major banks would be obliged to make sure that in case of cyber incidents, card payments are resumed within a certain period.
The West can help to raise awareness about cyber threats and basic cyber hygiene among the general population, and offer technical training for CERT-UA technical experts. The new NATO cyber range to be located in Tallinn could offer technical training for Ukrainian officers. Estonia should sponsor the education of Ukrainian students at the joint graduate programmes on cyber defence, digital forensics, and e-governance technologies & services at the Tallinn University of Technology and the University of Tartu. The International Centre for Defence Studies could provide a strategic cyber security exercise to test strategic-level decision-making processes in Ukraine during a cyber incident. To leverage voluntary assistance to public and private sectors facing cyber attack, Estonia should share its experience regarding the establishment of the Cyber Defence Unit of the Defence League.
Material and technical assistance
Technical assistance for CERT-UA should encompass modern hardware and software, improved alert, detection and filtering mechanisms, extension of bandwidth, and hosting of back-up servers (cloud and hardware) outside Ukraine. The EU and NATO should promote a greater use of non-Russian antivirus products and other software and IT security services, non-Russian social networks and email services, and encryption in the Ukrainian government networks.