Russia's cyberattacks against Ukrainian civilian and critical infrastructure has shown what it looks like when cyberattacks are part of warfare. What remains to be seen is whether the world will treat them as war crimes.
"For too long, the world has been considering cyber terrorism as something unrealistic, too sci-fi-ish, and cyber weapons as not posing any serious threat," says Victor Zhora, deputy chairman and chief digital transformation at the State Service of Special Communication and Information Protection of Ukraine (SSSCIP). "Russia's war against Ukraine has proven such thinking wrong."
According to SSSCIP research and military experts, the war is a hybrid one, with "clear correlations between cyberattacks, kinetic, and information attacks," Zhora says. For example, the energy sector has been targeted by both cyberattacks and missile attacks since the start of the invasion.
Public authorities and local governments, which "operate for civilians' benefit and are vital for the country," are the most targeted, Zhora says. Last year the Computer Emergency Response Team of Ukraine (ERT-UA) manually processed 2,194 incidents, with only 308 specifically aimed at the security and defense sector. The situation has remained similar this year — between January and April, CERT-UA handled 701 incidents, with only 39 of them directed at the security and defense sector.
It's not just critical infrastructure that is under attack. Zhora says the Russians have also deployed massive campaigns aimed at harvesting Ukrainian citizens' personal data. The purpose of those activities remains unclear to him.
Cyberattacks as War Crimes
The events of the past year-and-a-half have prompted Zhora and other cybersecurity experts to gather evidence of cyberattacks against civilian and critical infrastructure, with the hope of convincing the International Criminal Court (ICC) in The Hague to classify those as war crimes.
"We can see that cyberattacks are a part of [R]ussia's 'hybrid' warfare," Zhora said during WithSecure's The Sphere event this week in Helsinki. "So the ICC should properly recognize them as a component of the [R]ussian war machine."
This action, while unprecedented, is necessary, he added.
"When the global democratic community faced the immediate threat, it found itself lacking efficient legal instruments to confront cyber terrorism and cyberattacks as war crimes," he said. "Now we need to create such instruments from scratch."
Zhora demands effective mechanisms to punish cyberattacks, although he recognizes that the road to achieving that goal is challenging.
"Such decisions as recognizing that a certain country is a cyber terrorist and needs to be held accountable require strong political will," he said. "Such will, in turn, depends on how much national governments and international institutions are aware of the risks."
The plan to hand evidence to the ICC in The Hague was first mentioned by Illia Vitiuk, the head of the Department of Cyber and Information Security at Security Service of Ukraine, in April during the RSA Conference in San Francisco.
The idea of classifying cyberattacks against civilian infrastructure as war crimes is gaining traction in international policy circles. Foreign policy analyst Jessica Berlin, who has traveled to Ukraine on several occasions since the full-scale invasion started, says that rules and classifications should be adjusted when we talk about cyber warfare.
"We live in unprecedented times," Berlin says. "There's a lot that's happening right now that no one was prepared for. And if we try to solve the problems we face with our old rule book, we won't be able to solve them."
Boosting Infrastructure Security at Home
Meanwhile, Ukraine is working toward further strengthening its legislation around cybersecurity, asking all public and private entities that own critical infrastructure to conduct security audits and offer detailed explanations concerning their adherence to the specified requirements. Furthermore, it's demanding that owners of critical infrastructure appoint security experts who will work closely with state agencies to prevent, detect, and respond to cyberattacks.
These provisions are part of Bill No. 8087, which will undergo a second reading within the Parliament of Ukraine in the coming months. The bill was voted in during the first reading in January of this year, and a final vote is expected soon.
This legislation is "very important" and "it is necessary to be adopted very soon," as it will increase the country's cyber defense based on the lessons learned since the beginning of the war with Russia, said Zhora.
The bill, which was in the works even before the full-scale invasion that started on Feb. 24, 2022, seeks to strengthen the security of Ukraine's critical infrastructure. Simultaneously, it aims to enhance the exchange of information regarding cybersecurity incidents, to introduce "a new system of state control over the technical protection of information" and to "create a system of cyber defence units in state authorities," according to Ukrainian law firm Asters, which helped to draft it.
Ukraine's head of cybersecurity added that the knowledge gathered by Ukraine is shared with its partners within the cybersecurity community, which are also increasingly targeted and face their own set of challenges.
"We share our experience and know-how with the partner countries' dedicated cyber defense agencies, businesses and civil sector so that their citizens won't experience the effects of this aggression themselves," Zhora said. "We are working hard toward creating a unified secure cyberspace for the entire civilized world."