1 October 2022

‘Patriotic Hacking’ Is No Exception

Jason Healey, Olivia Grinberg

The nations of the world agreed to politically binding norms for cyber conduct just in time to have them undermined by the Russian invasion of Ukraine. The issue is not just Russian cyber operations against civilian infrastructure, but also Ukrainian patriotic hacking with clear encouragement, if not coordination, from state officials. While government support for patriotic hacking is not unprecedented, the Ukrainian campaign stands in stark violation of recently agreed-to norms on state behavior in cyberspace, as well as the foreign policy positions of NATO members and the European Union.

In March 2021, the governments of every member of the United Nations agreed to 11 cyber norms, such as the responsibility to promote interstate cooperation on the stability and security of information and communication technologies (ICT) (Norm 13a), prevent the misuse of ICTs within one’s territory (Norm 13c), exclude critical infrastructure from the scope of attacks (Norm 13f), and ensure supply chain integrity (Norm 13i).

These commitments are not legally binding like those of the Geneva Conventions, which are enforceable in international courts. But they are far more than merely “voluntary.” The government of every U.N. member state made a political commitment to individually and collectively abide by them. Originally advanced in 2015 by a U.N. Group of Governmental Experts (GGE) made up of representatives from 25 states, these norms were approved in an all-U.N.-member-inclusive Open-Ended Working Group (OEWG) report and then approved again by every member state of the United Nations.

The OEWG “brought ICT-related discussions to the big floor of the United Nations” for the first time, encouraging diplomats from every state to dive into the issues of cyber conflict in detail. The resulting global diplomatic consensus to these 11 norms, therefore, can hold tremendous diplomatic power, but only if states follow those norms and call out those that are violating them. As a group of over 25 “like-minded” states affirmed in 2019, “[t]here must be consequences for bad behavior in cyberspace.”

Since Russia’s invasion of Ukraine, these cyber norms are being actively undermined—and not just by Russia. These “like-minded” states—many of them Western nations—that have mobilized to provide support to Ukraine in its plight against Russia should continue to do so and loudly call out Russian atrocities. But to ensure that these norms are globally respected, these states must not facilitate selective enforcement and ignore Ukrainian violations of this hard-negotiated diplomatic consensus.

Ukrainian “Patriotic Hackers”

On Feb. 26, just days after the Russian invasion, Ukraine Deputy Prime Minister and Minister of Digital Transformation Mykhailo Fedorov officially announced the formation of the “IT Army,” posting to his official Facebook and Telegram accounts:

Two days later, a crowd-sourced group of hackers followed directives on the IT Army Telegram channel to launch an attack on the official website of the Moscow Stock Exchange—a civilian target. Fedorov soon celebrated the disruption publicly, writing on his official Facebook account, “Завдання виконане! Дякуємо! Московська біржа впала за 5 хвилин!” or “Task accomplished! Thank you! The Moscow Stock Exchange fell in 5 minutes.” (Translated by the authors with Google Translate from the original Ukrainian.) As support skyrocketed, the channel gained 120,000 members in a single day, and since those earliest days there is little evidence that members of the Ukrainian government have continued to officially direct the attacks. At the recent Black Hat conference, one of us spoke with Victor Zhora, the deputy head of Ukraine’s cybersecurity department, who told us he is “confident that there is no coordination.”

There has been continued official encouragement, however. The Ukrainian government tacitly endorsed the offensive as early as Feb. 28, with the Ministry of Digital Transformation boasting on its official website that the new Ukrainian IT Army “destroys everything in its path.” As of mid-September, the ministry’s official Telegram account is still sending updates on the numbers of targets disrupted: Using primarily distributed denial-of-service (DDoS) attacks, which overwhelm a target or its surrounding infrastructure with a flood of traffic, the IT Army was able to paralyze over 2,400 online resources between Aug. 29 and Sept. 11. For their part, Russian officials asserted that the actions of over 65,000 “sofa hackers” from the United States, Turkey, Georgia, and EU countries who participated in and coordinated attacks against Russian infrastructure as of May 2022 are illegal and that the U.S. was engaging in tacit encouragement of such activities.

Zhora had also previously claimed that patriotic hackers would target only military targets, though they have hit so-called dual-use targets, such as the Russian satellite-based navigation system GLONASS, and purely civilian targets, such as the Russian fertilizer producer Uralkali and even alcohol distribution within Russia (potentially a tongue-in-cheek swipe at what a “typical Russian” cares about). On July 28, the IT Army Telegram channel announced that its members would “start working on Russian online banking,” upping its DDoS initiative from targeting just a handful of banks to well over 50, most of which are not currently under Western sanctions. Banks are a particularly sensitive target set, as the United States has been increasingly concerned about the operational and reputational risks that cybersecurity threats pose to the financial sector.

However much those in Western nations may cheer its aims, the Ukrainian IT Army represents far more than Ukraine’s ingenuity in employing an underdog defense. It challenges existing norms on civilian participation in war, the applicability of laws of armed conflict to cyberspace, and state responsibility for cyber offenses. Stefan Soesanto, a researcher who follows its activities, has perhaps expressed its amorphous nature best: a “hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful.”

A Normative Framework to Evaluate Patriotic Hacking

Table 1, a novel framework for analyzing how patriotic hacking fits with various normative guidelines, demonstrates how almost every aspect of the operations of the Ukrainian IT Army works against the cyber norms for “responsible state behavior” that like-minded states have been advancing over the past two decades in the U.N. GGE and elsewhere. The top half of the table addresses operations during international armed conflicts, while the lower half focuses on times of relative peace. For each half (upper and lower), reading across the five columns from left to right outlines key elements of offensive cyber operations, which together help to characterize an attack.

Simply put, states arguing for responsible state behavior generally agree that offensive cyber operations are either official actions by law enforcement, military, or intelligence agencies or are illegal activities by criminal groups. There is little acceptable activity between those two poles.

To put that in terms of Table 1, the preferred command-and-control structure would be in the top third of the chart: A directive to conduct offensive cyber operations should preferentially come through normal command-and-control channels, having been ordered by the president or military chain of command, and be directed to the government personnel legally authorized to conduct that kind of operation—during an international armed conflict against military or dual-use targets in the belligerent state.

During an international armed conflict, the like-minded states prefer to center “responsible state behavior” on U.N. norms on international humanitarian law (IHL), such as obligations of target selection (“Kind of Target” in Table 1). Using the regular command structure is also especially important since under IHL, the state is responsible for the actions of its military and its proxies. This includes respecting principles such as distinction, or distinguishing between combatants and military objects and civilians and civilian objects—the latter of whom are generally immune from direct attack. While those norms might not cover belligerents in an international armed conflict such as Russia’s invasion, that would not extend to noncitizens in friendly states operating outside the conflict zone.

Table 1. Framework for Understanding Patriotic Hacking

| Timing of Directive | Source of Directive | Intended Recipient of Directive | Location of Intended Target | Kind of Target |
|---|---|---|---|---|
| During an International Armed Conflict | Military command and control of belligerent state | Military, intelligence, law enforcement | Adversary state or co-belligerent ally | Military |
| | Civilian leadership of belligerent | Citizens of belligerent state | | |
| | Former civilian leadership or military of belligerent | Diaspora of belligerent | Non-belligerent partner | Dual-Use |
| Not During International Armed Conflict | Military or leadership of non-belligerent partner | Citizens of non-belligerent partner | | |
| | Citizen of belligerent | Anybody | Anywhere | Civilian |
| | Citizen of non-belligerent partner | Anybody | | |

(Blank cells continue the entry above them; each column reads from most to least preferred.)

The Ukrainian IT Army operates almost entirely opposite to NATO and EU preferences. Ukrainian civilian leaders direct not just Ukrainians but anyone who follows them on social media, including citizens of non-belligerent partner nations, against any kind of target—including civilian targets in non-belligerent nations.

Table 2, a more specialized version of one that one of the authors advanced in 2012, aids in contextualizing the IT Army operations within the overarching scope of state responsibility. The left column enumerates the degree of responsibility from “state-prohibited” to “state-integrated,” while the right column offers descriptive qualifiers.

Table 2. Spectrum of State Responsibility

| Level | Description |
|---|---|
| 1. State-prohibited | The national government will help stop the third-party attack |
| 2. State-prohibited-but-inadequate | The national government is cooperative but unable to stop the third-party attack |
| 3. State-ignored | The national government knows about the third-party attacks but is unwilling to take any official action |
| 4. State-encouraged | Third parties control and conduct the attack, but the national government encourages them as a matter of policy |
| 5. State-shaped | Third parties control and conduct the attack, but the state provides some support |
| 6. State-coordinated | The national government coordinates third-party attackers, such as by “suggesting” operational details |
| 7. State-ordered | The national government directs third-party proxies to conduct the attack on its behalf |
| 8. State-rogue-conducted | Out-of-control elements of cyber forces of the national government conduct the attack |
| 9. State-executed | The national government conducts the attack using cyber forces under its direct control |
| 10. State-integrated | The national government attacks using integrated third-party proxies and government cyber forces |

Applying this Spectrum of State Responsibility, Ukrainian government support for the IT Army started at least at state-coordinated (Level 6) but may have since decreased to state-encouraged (Level 4).

Even the DDoS campaign by Russian patriotic hackers against Estonia in May 2007 was likely only state-encouraged, as the Kremlin appears to have just been cheering on the sidelines, not coaching efforts in any operationally relevant way. Moscow was heavily criticized for being uncooperative throughout the subsequent investigation and for taking few (if any) measures to mitigate the campaign—arguably a violation of the principle of due diligence in international law. By comparison, in Ukraine, one need only turn to Telegram for cataloged culpability.

Patriotic hacking originated in China back in the 1990s in response to anti-Chinese riots in Indonesia; it was then quickly embraced as a tactic by China and Russia, and later Syria and other states. Yet none of those operations had the scale or scope, nor such strong and prolonged government ties, nor so clearly violated just-agreed-to international cyber norms, as the current Ukraine campaign does.

By comparison, in 2003, in the lead-up to the invasion of Iraq, the part of the FBI responsible for critical infrastructure warned hacktivists whose activities would have been helpful that their actions were nonetheless prohibited: “Regardless of the motivation ... such activity is illegal and punishable as a felony. The U.S. Government does not condone so-called ‘patriotic hacking’ on its behalf.” President Biden already set a diplomatic precedent by telling President Putin in July 2021 that the United States expects him to act on all ransomware operations coming from Russian territory, “even though it’s not sponsored by the state.”

The relative silence from norm-setting states, many of them part of the EU and NATO, about the participation of their citizens and infrastructure in the IT Army most likely amounts to state-ignored—Level 3 on our scale of national responsibility.

Escalation Risks

In the context of an international armed conflict, the Ukrainian IT Army comes dangerously close to, and at times may even cross, the legal threshold of “direct participation in hostilities,” meaning its members could become legitimate military targets for Russia. Experts have also questioned Kyiv’s ability to “exercise sufficient command and control” over patriotic hackers, potentially increasing the risk of rogue attacks and unintended Russian provocation.

There are potential risks for NATO and EU member states as well, the first of which comes from the participation of Ukraine’s international supporters in IT Army offenses. Some experts in the United States warn that the risk of citizen-led aggression originating from within U.S. territory is “more dangerous than U.S. citizens traveling to Ukraine to fight with the Ukrainian foreign legion.” Further, as noted by Soesanto, Russia has specifically singled out American and European companies such as Google and DigitalOcean for hosting “malicious software” in order to carry out massive DDoS attacks involving “cyber volunteers.” At what point, Soesanto asks, should such companies “be seen as extensions of U.S. foreign policy” as opposed to independent actors?

Russia has not escalated against EU or NATO member states for providing rockets and tanks, so it seems very unlikely it would respond too aggressively over hacktivism originating from those countries. We agree with the assessment that the impacts of offenses conducted by U.S. Cyber Command are “likely to be far greater” than hacktivism. Yet there are two worrying outliers. Patriotic hackers might get lucky, hitting a particularly valuable target, such as gaining access to information that could threaten regime stability in Russia, revealing especially damning secrets, or damaging a particularly delicate but systemically important bit of critical infrastructure. Or perhaps Russian ransomware gangs or cyber commanders decide to disrupt companies like Google or DigitalOcean in a manner that U.S. or EU decision-makers decide warrants a response. In the past, such tit-for-tat attacks have generally not escalated, but during a brutal conflict such as the one currently under way between Russia and Ukraine, the dynamics may play out differently.

Recommendations

Like-minded states should first publicly dissuade all participants from engaging in hacktivism, in line with the norms they help set; specifically, that “states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.”

Second, such states should encourage Kyiv to restructure the command-and-control and targeting of the Ukrainian IT Army to be more in line with responsible state behavior (that is, to align with the top third of Table 1). This will also serve as a crucial step in protecting civilians who, as noted above, are at risk of being placed in harm’s way by potentially qualifying as legitimate military targets. As Ukraine pursues joining the EU and NATO, it will need to be evaluated against certain accession criteria, including respect for the rule of law. That process should not be tainted by both sides ignoring patriotic hacking.

Third, U.N. member states, led by the like-minded states and with a full range of participation from civil society, should continue to work on norms and responsible state behavior. They do matter.

To conclude with a sentiment expressed by one cybersecurity public policy expert interviewed for this article, who asked to remain anonymous: “Neither an unjustified aggression nor the fact that we all empathize with Ukraine should justify this degree of civilian involvement in hostilities.”
