As the world watches the slow-motion catastrophe that is happening in Crimea and the Ukraine and wonders how it will all play out on the ground, many in the cyber community are asking a different question -- how will it play out in the cyber domain? Here is some of what we know is already happening:
- Ukrainian telecommunications links to Crimea have been cut or degraded;
- Russian social network sites have blocked sites and pages with pro-Ukrainian messages;
- Russia Today (the Russian English-language web site) was briefly hacked, with the word "Nazi" prominently inserted into headlines describing Russian actions.
Here's some of what we know about capabilities on the ground (so to speak):
- Russia has a very able set of cyber capabilities, of the sort that it deployed through "patriotic hackers" in the Russia-Georgia conflict;
- Ukraine has its own set of very capable cyber actors (many linked to criminal enterprises) that have substantial cyber network attack capabilities, though likely not as strong as those who would be affiliated with Russia. Nor is it clear how many of the Ukrainian actors are ones with Russian background/sympathy;
- Ukraine has a large diaspora of IT/cyber professionals in the West who may be motivated by nationalism to participate in the conflict;
- Russia has significant critical infrastructure cyber dependencies, probably somewhat more so than Ukraine. Think of Gazprom or the remaining Russian nuclear industry. Likewise (dare I say it) I imagine Russian cyber controls for its nuclear weapons are capable of penetration in extreme circumstances; and
- NATO cyber capabilities are significant and they likely include some pre-positioned assets that are capable of activation, if we choose to do so. It is probable that the Russians are aware of some of these assets but not all of them.
So what does that mean? Well, we are all guessing, but here are a few thoughts for policy-makers to consider:
- For NATO the biggest issue is to avoid cyber-escalation. One could readily see CNA operations by the Ukraine that are intended as deterrents spinning out of control. We have no established triggers and red lines in cyberspace in the same way we used to for WMD.
- The danger is especially great that Russia may mistake actions by the Ukraine or its diaspora for actions by NATO or NATO-affiliated forces, given the difficulties of attribution and the likely suspicion with which Russia will view cyber actions generally, and the West.
- Given the asymmetric nature of kinetic force in the region and Russia's military superiority, it is very likely that Ukraine will see cyber operations as an avenue of response that has a better chance of success. Look for Ukrainian disruptions of Russian communications and transportation. Hopefully, they will have the wisdom to avoid CNA against larger critical infrastructure.
If this surmise is anything close to correct, the US and NATO have some urgent work to do -- most notably in contacts with Russia to avoid mis-attribution and with the Ukraine to avoid cyber escalation.