Pages

17 July 2022

The Man at the Center of the New Cyber World War

KENNETH R. ROSEN

Ukraine has long been Russia’s cyberwarfare sandbox, a proving ground for the Kremlin to trial new techniques and new malware viruses. Since Russia launched a full-scale invasion of the country on Feb. 24, Ukraine has seen those attacks increase threefold, according to Ukrainian officials — hitting everything from civilian and military agencies to communications and energy infrastructure.

Those attacks have not been isolated to the roughly 40 million residents of Ukraine. Russian cyberespionage and cyberattacks since the start of the invasion have been recorded in 42 countries across six continents — the majority of which are NATO countries or those that supplied aid packages to or voiced support for Ukraine. In April, the Department of Justice said that U.S. officials had discovered malware planted by Russian military forces in computers across the world and had removed the malware before it could be activated into a “botnet,” a network of computers used in mass cyberattacks.

Few people have been more instrumental in protecting Ukraine’s private and government data, along with the country’s ongoing connectivity, than Shchyhol, who is the head of the State Service of Special Communications and Information Protection, the Ukrainian equivalent of the U.S. Cybersecurity and Infrastructure Security Agency. Since the hours before the ground invasion in February, when cyberattacks struck government and banking websites across Ukraine, Shchyhol has been coordinating with the U.S. and EU from a secure location in Kyiv, responding to cyberattacks while sharing with international allies his insights into strategies used by Russian hackers.

Overall, Ukraine has been doing much better in the cyberwar than expected — few thought the country could repel a ground invasion and consistent cyberattacks simultaneously. There were certain losses: Russian forces eventually took control of the power plant near Zaporizhzhia, along with large swaths of the country’s southeast while establishing a botnet computer server near Kharkiv to spam cell phones with malicious text messages. Separate operations severely damaged governmental data centers. But despite constant aerial and cyber bombardment by Russian forces, SSSCIP has ensured those attacks were largely unsuccessful; civilians have been able to access government services and support directly from their mobile devices and computers.

I spoke with Shchyhol about the challenges of a digital war of attrition, how partner countries like the U.S. are assisting in that fight and what he sees as the future of cyberwarfare. We spoke through an interpreter over Zoom on June 27, less than a week after the European Commission and EU leaders granted Ukraine candidate status, the first step toward formal membership within the bloc.

Kenneth R. Rosen: Viasat communications services went down as Russian forces invaded Ukraine, hindering communication by Ukrainian forces. But one of those high-speed satellite broadband connections was in my own home in northern Italy. Some 50,000 other European residents on the morning of the invasion found their internet routers inoperable. It’s one instance I’ve used to illustrate to my colleagues and peers the long reach of cyberattacks in the Russo-Ukrainian conflict. Was that a wake-up call for your European intelligence-sharing partners and a way for you as well to explain the difficulties faced by Ukraine?

Yurii Shchyhol: For Ukrainians, the first cyber world war started on Jan. 14, 2022, when there were attacks launched at the websites owned by state authorities. Twenty websites were defaced, and more than 90 information systems belonging to those government authorities were damaged.

In the early morning that day, I started talking to our European partners as well as our U.S. partners, their respective lines, ministries and government institutions, like CISA, and we started receiving and are still receiving assistance from them on a daily basis.

Right before the full-fledged invasion, the cyberattack, like you said, happened against Viasat. Some routers were deleted, especially those that were targeted to provide telecom services to the military units. In Germany, 5,000 wind turbines were attacked, so we can safely claim that it was not just a cyberattack on the whole of Ukraine, but against the civilized world.

So yes, you’re right. The world has been awakened and we can observe that countries are more willing to cooperate on those issues and the level of cooperation will only intensify.

But what we need are not further sanctions and further efforts to curb cyberattacks, we also need for global security companies to leave the market of the Russian Federation. Only then can we ensure the victory will be ours, especially in cyberspace.

Rosen: While some of those cyberattacks were against government and military installations, others frequently hit telecommunications services, internet providers, hospitals, first responders and humanitarian aid organizations. What are some of the challenges faced by Ukraine in protecting such a wide, vulnerable attack surface?

Shchyhol: For the first four months of this invasion roughly more than 90 percent of cyberattacks were carried out against civilian sites. Of course, we were preparing ourselves for this, and in the last 18 months most of our preparations in advance were to be able to withstand widespread attacks against multiple targets. We ensured uninterrupted exchange of information between all [government and civil organizations], sharing information regarding the criteria for compromising networks. We also worked on building up the technical capabilities of government institutions so they could quickly gather server data, make copies, and share those copies with us [ahead of a Russian attack].

In all those efforts we had very strong support from our private sector. It’s worth mentioning that a lot of private sector IT cybersecurity experts are either directly serving in the Armed Forces of Ukraine or my State Service or otherwise are indirectly involved in fighting against cyberattacks, and those private sector assistants of ours are world class experts who used to work in leading global companies taking care of their cybersecurity.

Rosen: When I last spoke with your colleague Victor Zoha, in February, he described the UA30 Cyber Center training facility your special service developed for the private sector. How has that grown since and was that instrumental in training the IT experts?

Shchyhol: This training center of ours launched into operation more than one year ago and over that period of time we conducted more than 100 training sessions for civilian contractors, private sector, military operators, all focused on cybersecurity. We conducted a number of hackathons and competitions. Even though we conducted a few training sessions after the beginning of the renewed conflict, the location of the training center is not safe. So we’re not using it that much right now.

This center was aimed to deepen the knowledge-sharing between the private sector and the government, those tasked with overseeing information protection across various government bodies and institutions. It’s a hub that fosters the knowledge of the private sector. We treat it as a competence center that allows all the industries and sectors involved to grow by helping each other.

Rosen: We’re referring to the efforts of private citizens, in part, when we talk about the private sector. Perhaps for the first time ever, hundreds of private citizens from across Ukraine and the world have volunteered to prevent, counteract and launch their own attacks in cyberspace in defense of Ukraine. The unifying force in defense of one country, which as far as campaigns go, continues to be rather unique. What has been the impact of the so-called civilian “IT Army” on Ukraine’s ability to defend against cyberattacks?

Shchyhol: This is the first time in the history of Ukraine, for sure, probably in the world, when the private sector, the cyberprofessionals, are not only doing what they can — professionally defending the cyberspace of their country — but they are also willing to defend it by any means. What you’re referring to is an army currently comprised of more than 270,000 volunteers who are self-coordinating their efforts and who can decide, plan and execute any strikes on the Russian cyber infrastructure without even Ukraine getting involved in any shape or form. They do it on their own.

Other cybersecurity experts, under the guidance of my State Service, have been helpful in providing consultations to government institutions as to how to properly arrange the cybersecurity efforts, especially in the energy sector and critical infrastructure sites. That’s probably the reason none of the cyberattacks that were carried out in the past four months of this invasion has allowed the enemy to destroy any databases or cause any private data leakage.

Rosen: What are some of the lessons, over these last four months, of these ongoing attacks, that perhaps weren’t known or anticipated before February?

Shchyhol: In terms of their technical capabilities, so far the attackers have been using modified viruses and software that we’ve been exposed to before, like the “Indestroyer2” virus, when they targeted and damaged our energy station here. It’s nothing more than a modification of the virus they developed back in 2017. We all have to be aware that those enemy hackers are very well-sponsored and have access to unlimited finances, especially when they want to take something off the shelf and modify it and update it.

Rosen: At the beginning of our conversation you said that international technology companies should withdraw from the Russian Federation and you’ve written that the world should restrict Russia’s access to modern technologies. Such an effort to restrict their access, you’ve written, should be viewed as “an international security priority.” What technology specifically? Hardware, like servers and data processing computers? Or software, like those sold by western countries for law enforcement and data manipulation? Telecommunications?

Shchyhol: Any equipment that allows their software to be installed on servers, by way of restricting the use of those services globally so they wouldn’t have access to them.

We’re also urging the international organizations such as the ITU (International Telecommunication Union) that Russia should no longer be its member. Why? Because they otherwise can get access to innovations, research results by virtue of attending conferences, common meetings. So we are very much strongly in favor of getting Russia out of those organizations, especially those watchdogs that oversee the telecommunications industry of the world. They should not be able to participate in any events and get any IT information.

Rosen: Noting that you already work closely with NATO’s cybersecurity command, and the international community, what does this further restriction, cooperation and a more efficient cyber-umbrella look like?

Shchyhol: The cyber-umbrella is something that should be placed over the whole world, not just Ukraine. It should be like an impenetrable wall. Russia would not gain access to any modern IT developments, not have access to innovations or new designs coming from the U.S., U.K. and Japan.

This is something that would pummel Russia’s ability to develop for themselves. Of course, they could design their own software, but without access to modern IT developments and without the ability to install it on any modern hardware those efforts would soon become obsolete.

We also have dire need for more competency and skills and knowledge; we don’t have enough qualified staff. In order to raise more qualified personnel, we need to ensure the expedient exchange of information and coordination between professional and government institutions. That should be the global project for the next five to 10 years. Today the enemy can attack Ukraine, tomorrow the United States, or any other country helping to defend our land. Cyberspace is a unified space for everyone, not divided by borders. That’s why we need to learn to operate there together, especially in recognition of this attack on the civilized world perpetrated by Russia.

Rosen: How have U.S. Cyber Command and the National Security Agency operations been able to assist Ukraine with those aims in mind?

Shchyhol: It’s an ongoing, continuous war, including the war in cyberspace. That’s why I won’t share any details with you, but let me tell you that we do enjoy continuous cooperation. There is a constant synergy with them, both in terms of providing us with the assistance that we need to ensure proper protection and safety of our websites and our cyberspace, especially of government institutions and military-related installations, but also they help us with their experts, some of whom are on-site here in Ukraine and are providing on-going consultations.

Like in further supply of heavy weapons and other forms of weaponry, the same is true for cybersecurity. We expect that level of assistance, of those supplies, will only increase because only in this manner can we together ensure our joint victory against our common enemy.

Rosen: We’ve talked a great deal about the hidden cyberwarfare, of a war without borders, but what digital communications devices, or physical gear and assets, sent by the U.S. in aid packages have been helpful and why?

Shchyhol: The most helpful so far was the SpaceX technology, the Starlinks, we’ve been sent. So far we’ve received more than 10,000 terminals. What those have helped us with was a relaunch of destroyed infrastructure in those communities we’re liberating, providing backup copying services to regional and local governments whose digital services [like healthcare cards, tax and travel documents, vehicle and home registrations] are accessed by Ukrainian civilians. It has also aided the repair of critical infrastructure sites.

Second to this have been the servers and mobile data centers. Those have allowed us in a very short time span to arrange backup copies of our government institutions, agencies, state registries, and locate them in safe regions, or at least locations that the enemy couldn’t easily access. It’s allowed for the continuous operation of our government.

And, the third — I wouldn’t say it’s the last as we don’t have time for the exhaustive list — are software and technologies that we’ve received access to now [that were too expensive before the invasion]. After the invasion, industry leaders started providing software free of charge or allowing us full access — like Amazon, which provided Ukraine with a private cloud, allowing us to administer data from the state registries.

It goes without saying that we’re not only consuming someone else’s services especially when they come free of charge. Even now, when the war is still raging, we’re taking care of our cybersecurity by investing more funds into procuring what we need. Last week, the government allocated additional funds from the national budget to finalize the preparation of a national backup center. We’re ready to buy if it’s exactly what we need.

Rosen: Most of those vendors are Western-based companies. In April, the U.S., U.K., Canada, Australia and New Zealand, part of the Five Eyes intelligence sharing cooperative, said that Russia was planning a largescale cyberattack against those countries supporting Ukraine. Back then there was no shortage of protracted fears in the security industry that a global cyberwar could trigger Article 5 of NATO. But that constant threat to Western nations seems to have been downgraded in the news cycle along with coverage of the war.

Shchyhol: Russia is already attacking the whole world. Those cyberattacks will continue regardless of what’s happening on land. Ukraine can win this war with conventional weapons, but the war in cyberspace will not be over. Ukraine is not capable of destroying Russia as a country, it’s more likely to destroy itself.

That’s why we all have to be ready for the following scenario to unfold: Those western countries and companies that are supporting the Ukrainian fight against Russia will be and are already under the constant threat of cyberattacks. This cyberwar will continue even after the conventional war stops.

The fact that in the last two months there was a relative lull in the number and quality of cyberattacks of our enemy, both against Ukraine and the rest of the world, only follows the usual Russian tactics, which are that they are accumulating efforts and resources, readying themselves for a new attack which will be coming. It will be widespread, probably global. Right now our task here is not to miss it, to stay awake and aware to that threat.

No comments:

Post a Comment