Press play to listen to this article
In the brewing conflict over Ukraine, cyberattacks are becoming too big a problem for the West to ignore.
The Ukrainian government has twice suffered major attacks in the past weeks, first in mid-January when hackers posted messages on government websites and spread malware to wipe out data, then this week when government websites went down due to an avalanche of traffic targeted at them.
The attacks — believed to be part of Russia’s strategy to challenge Ukraine’s government and NATO — are just the latest in a long line of cyber aggressions against Ukraine including attacks on elections in 2014 and malware that brought down energy grids in 2015 and 2016, to the devastating NotPetya malware outbreak that started in Ukraine and quickly spread across the world, crippling multinationals like the Danish shipping giant Maersk, logistics giant FedEx, pharma company Merck and others.
The onslaught has the West scrambling for a response.
“This is not innocent. This is not business as usual,” Margaritis Schinas, vice president at the European Commission, told a conference in Munich Thursday about the recent spate of attacks.
“In the world we live in, before an unfriendly tank crosses the border or a fighter jet violates an airspace, it is networks that will have been first tested and attacked,” Schinas said, adding “the European Union stands ready to respond.”
The question is: Respond how exactly?
The U.S., NATO and Europe in past years adapted their security policies to be able to respond to cyberattacks coming from Russia, China and others. But its approaches have so far failed to deter or stop adversaries from attacking on a quasi-daily basis.
Here are four responses the West can consider:
1. Come to Kyiv’s aid
Just hours after attacks hit Ukraine in January, the European Union’s chief diplomat Josep Borrell said the EU would “mobilize all our resources to help Ukraine to face these cyberattacks.” And on Thursday, NATO Secretary General Jens Stoltenberg said the defense alliance and allies were “helping Ukraine boost its ability to defend itself [including with] cyber and intelligence expertise.”
Part of that response so far has been to free up new crisis funding for the country in the U.S. and EU and support it, through NATO and other mechanisms, with intelligence and cyber capabilities from countries like Lithuania and others.
“Your response starts with cyber resilience. You first make sure you can defend yourself against attacks … It’s the most important thing, the thing you start with,” said Timo Koster, former cyber ambassador for the Netherlands.
There are limits to resilience, though: Helping protect networks isn’t going to stop the attacks themselves.
And improving networks’ cybersecurity also takes time — time that Ukraine may not have at this point.
“The Ukrainians have made progress, but significant improvements and resilience don’t happen in weeks, so we’re realistic about what we can achieve,” Anne Neuberger, the Biden administration’s deputy national security adviser for cyber and emerging technology, told reporters during a recent trip to Brussels to meet with allies.
In the U.S., cyber diplomacy experts have spent years pressing the State Department to build a bureau dedicated to providing cyber aid to allies and promoting cyber norms, but that effort is only now really taking off. Experts have said the U.S. missed an opportunity to increase its support to partners like Ukraine in advance of crises like the current showdown.
EU officials pointed out Ukraine has improved its own capabilities to respond to cyberattacks, with the support of European countries.
The European Union has been running an EU-Ukraine “cyber dialogue” since last June, which is meant to support Ukraine with expertise on policy and operational responses to cyber threats. The two sides “exchange information regularly” through the platform, EU spokesperson Nabila Massrali said. Ukraine also works closely with the EU’s law enforcement agency Europol on cybercrime.
2. Slap sanctions on aggressors
Both the United States and European Union have begun imposing sanctions on hackers in Russia, China and North Korea, in efforts to dissuade state-backed groups from attacking Western infrastructure.
Now experts say sanctions should be imposed on people perpetrating cyberattacks on Ukraine, as part of a broader effort to get Moscow to back off from the Ukrainian border.
“If Russia would be hit with major sanctions, the specific entities that were preparing cyberattacks should also feel the impact of those sanctions,” said Heli Tiirmaa-Klaar, former Estonian ambassador at large for cyber diplomacy who now leads the Digital Society Institute at the Berlin-based European School of Management and Technology (ESMT).
In the U.S., more than 30 Republican Senators Tuesday introduced sanctions legislation against Russia for its aggression towards Ukraine, which included millions of dollars in cybersecurity aid and imposes sanctions for cyberattacks. However, the aid and the tougher sanctions may never materialize as the bill is stuck amid broader negotiations in the U.S. Senate about how to come to Ukraine’s aid.
There’s another problem: attribution.
To impose sanctions, European and U.S. security officials, together with Ukrainian officials, have to be pretty much certain they know who is behind the attacks. Such attribution is hard to pin down with many cyberattacks, especially distributed denial-of-service attacks that hit Ukrainian government websites this week.
“This is the tricky part about cyber: Can you unequivocally demonstrate that attacks are coming from a certain entity, and can you convince others of this?” said Koster.
It’s what makes cyberattacks an attractive tool for states to use, Koster said. States have “plausible deniability” and can dismiss claims that they’re behind the attacks.
What’s more, previous sanctions like the ones on Russia’s security service GRU for hacking the German parliament and launching the NotPetya attack seemed to have failed to deter the GRU — and other Russian hacking groups — from launching cyberattacks on Western countries, leaving experts wondering if the tool is really as useful as diplomats have claimed in recent years.
3. Hack back
Why not fight fire with fire?
Discussions on whether or not to launch cyberattacks on other countries as a response to attacks have been ongoing for years. But there are few publicly-reported cases where the West has hit back with an attack. In part that’s because responding could escalate an online conflict with Russia that many countries aren’t confident they’d win.
But countries have also started to open up more about hacking back. The clearest case is the U.S. Cyber Command, part of the U.S. military, which took down the Internet Research Agency based in St. Petersburg in 2018 to prevent it from spreading misinformation about the mid-term election, officials previously told the New York Times. There are reports of U.S. cyber actions against North Korea, as well as more traditional cyber espionage work by European countries like the Netherlands to gain intelligence into Russian and other countries’ operations.
In Gaza in 2019, the Israeli military also responded to cyber aggressions by bombing the building that it said housed a Hamas hacking group — which experts considered the first time a state responded directly to cyberattacks with military action.
NATO in past years repeated it can respond to cyberattacks on member countries with measures of its own — cyber or otherwise.
“Your response is meant to change the calculus of the attackers. You don’t have to respond in kind. You can respond differently,” said Tiirmaa-Klaar.
4. Keep calm, carry on
When defense ministers of the NATO alliance met Wednesday, their joint statement made no mention of the ongoing cyber aggressions disrupting Ukrainian networks. In recent days the focus of Western diplomats has been on troop counts at Russia’s border and the longer-term diplomatic strategy to get Russia to back off.
It goes to show that the incidents happening in cyberspace have not significantly altered the course of diplomacy around Ukraine so far.
Some experts pointed out that, in cyberspace, cooler heads prevail.
“When it comes to cyber attacks, the bang is often worse than the blast,” Sandra Joyce, head of global intelligence at cybersecurity firm Mandiant, told POLITICO’s Digital Bridge newsletter. “We should prepare, but not panic because our perceptions are also the target.”
Eric Geller, Maggie Miller and Mark Scott contributed reporting.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.