In the stand-off between Russia and the West over Ukraine, hackers have upped the ante with cyberattacks and disinformation targeting the eastern European country.
The question for Western security officials is this: What exactly are we dealing with — and how do we respond?
In one attack on Friday, hackers posted messages on government websites, disrupting the sites of the Ministry of Foreign Affairs and other ministries and causing them to go down. In other incidents starting Thursday, Microsoft spotted new malware attacks on Ukrainian networks, reminiscent of the 2017 outbreak of NotPetya malware that wreaked havoc across the world.
These incidents are far from armed attacks; there were no reported casualties and no serious harm was done. And yet they present Western security officials with a range of tough questions on how to respond to this type of “hybrid” conflict, where states seek strategic gains by using tools that cause societal disruption and shake up internal affairs of adversaries.
The latest attacks on Ukraine "could be signaling. It could be the attempt to implant specific narratives. It could certainly be seen as low-level escalation," said Lukasz Olejnik, a cybersecurity researcher and former cyberwarfare advisor at the International Committee of the Red Cross.
"If a state actor is behind them, perhaps we may reasonably consider them violations of state sovereignty, or violation of international law," he said. "However, we may not consider it warfare."
That message has been repeated over and over by cybersecurity experts: Don’t call it “cyber war.”
"Cyber warfare doesn't exist, it's nonsense. There is no war in cyberspace — cyber is just a part, an essential tool of states' capabilities,” said Bart Groothuis, member of the European Parliament and former chief cyber policy official at the Dutch defense ministry.
“'Warfare,'” Groothuis said, “we have to reserve that term for other things."
Hackers’ actions in Ukraine disrupted government services and put IT networks under stress — which, for now, seems to cause reputational and economic damage at the most.
According to Merle Maigre, former head of NATO’s cyber center of excellence in Tallinn, “it's a demonstration of how cyber is part of foreign policy. If one would really want to hurt a country, one would take down something more critical, something that has a bigger impact on the livelihood of people.”
What’s more, the hackers behind Friday’s disinformation attacks operated very overtly, causing more noise than actual damage to networks.
“For military cyberattacks, I'm not sure we'd read it in the news,” Maigre said, suggesting military cyberattacks would happen much more stealthily.
However, others warned the refusal to consider hybrid attacks as part of military aggressions could work to the West's disadvantage. “There is a reluctance to talk about war … But what is happening is serious,” said Vytautas Butrimas, a cyber expert at the NATO Energy Security Center of Excellence in Vilnius.
Conflicts already often combine actions in the physical world and in the virtual world, Burtimas said, adding that wars would have both elements: “There's going to be a cyber component to any future war. It's not going to be a ‘cyber war.’ It's just war.”
NATO in previous years warned that a “serious cyberattack” could trigger its Article 5, meaning countries would come to the aid of a country under attack.
For now, officials are still working to identify who conducted Friday’s cyberattacks and who’s spreading the malware. The Ukrainian government attributed the attacks to Russia on Sunday but one official also told Reuters the Belarusian government was behind disinformation campaigns. The EU and U.S., while having condemned the attacks, haven’t officially stated who they think is behind them.
This adds to the woes of governments seeking to respond to the attacks: If you can’t say for sure who’s behind it, how can you push back? For countries like Russia, which have wielded disinformation and cyberattacks in the past, the hybrid approach also offers the benefit of “plausible deniability,” meaning Moscow can deny any involvement in these online operations.
Above all, cybersecurity experts warned the West still lacks proper legal frameworks and governmental response mechanisms to respond hybrid threats.
“We have laws on cybersecurity and international law, but we don't have any laws on hybrid,” said Butrimas.
That's starting to change. The European Union in November broadened its rules to allow member countries to slap sanctions on entities and people for carrying out “hybrid attacks” against the bloc. The move came in response to Belarus directing migrants to head for the border with Poland, Latvia and Lithuania.
The bloc is working on other response mechanisms to hybrid threats. It set up response mechanisms and strategic communication cells in past years and is currently revising its cyber diplomacy toolbox. And foreign affairs and defense ministries, together with cyber agencies and others, have been training in how to respond to disinformation and other threats in recent major exercises.
Part of the effort to call out the attacks on Ukraine is the fear that they become a prelude to serious military deployments. There's a need to deter Russia from going further by "showing strength" and stopping Russia from "crossing red lines," senior U.S. officials told POLITICO earlier.
Cyber experts also called for caution in the way diplomats and — even more so — military personnel respond to hybrid threats.
"The risk of an overreaction is a big problem. If politicians, leaders, or their advisors overreact when low-level escalatory events happen it is worrying," said Olejnik, the cyber researcher.
If states come out swinging at every curveball, he said, "you have to ask what will be left to do in case of the potential future events or higher escalations?"
Maggie Miller contributed reporting.
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection. From the emerging threats of a volatile digital world to the legislation being shaped to protect business and citizens, across sectors. For a complimentary trial email [email protected] and mention Cyber.