Roughly two weeks ago a digital attack hit Ukrainian authorities – a website defacement campaign put "digital smears" onto the websites of several ministries. Ukrainian officials blamed Russia for this attack. Only a couple of days later Microsoft published a threat warning about a new malware that masquerades as ransomware but actually wipes hard drives, and which was found in official systems after the defacement campaign. This malware is reminiscent of NotPetya, an attack campaign that originated in Ukraine and caused billions in damage worldwide in 2017. Both incidents could be harbingers of a military escalation that includes a digital component alongside conventional forces.
Russia first tested the military use of cyber capabilities during the 2008 conflict in Georgia, where Russian forces invaded South Ossetia. The invasion was accompanied by several waves of so-called distributed denial of service (DDoS) attacks against Georgian media and government agencies. In DDoS attacks, servers are flooded with masses of requests, causing them to overload and deny service. Impeding or even cutting off communications with the outside world is a logical goal of a military invasion and therefore makes sense from the attacker's perspective.
Russian intelligence services have been steadily improving
While the DDoS attacks in Georgia were still relatively crude and technically simple, Russian intelligence services have been steadily learning and improving over the years. Cyber operations also played a role in the occupation of Crimea. However, the focus there was less on technically disrupting systems than on influencing information and spreading uncertainty and fear.
Ukraine has also been described for years as the "testing ground" of a new type of digital conflict: cyber operations in military conflicts.
Now, there is widespread agreement in military circles around the world that cyberattacks alone cannot completely defeat a country. Even in modern conflicts, it takes "boots on the ground" to conquer a country. Many military strategists in the U.S. and Europe see cyber operations as an enabler of conventional attacks. Worth mentioning here, for example, is the X-Agent malware, which in 2016 was found on the smartphones of Ukrainian artillery soldiers in the contested areas of eastern Ukraine.
The malware was embedded in a mobile targeting application for D-30 howitzer artillery positions and transmitted the geo-position of those positions. The military benefit of this approach is apparent: locating artillery that is subsequently taken out, for example by air strikes, is extremely useful in a conventional war to facilitate the advance of one's own troops.
Cyber operations may be used for surprise attacks
However, cyber operations can also be used in the early stages of a conflict for disruptive actions that support surprise attacks. North Korean military officials speculate, for example, that a power outage in one part of the country could be used to mask the engagement of troops. Attackers associated with Russia practiced this approach in two consecutive waves in 2015 and 2016, using malware to shut down power in Kiev for several hours in the middle of winter 2016. When a power outage occurs, not only is the ability to communicate compromised; the outage also means the loss of logistics capabilities.
Past cyber operations attributed to Russia, such as NotPetya in 2017, show that unintended collateral damage is possible in countries that are not directly involved in the conflict. The attackers of 2017 attempted to limit their attack to Ukraine by using tax management software predominantly used there as the attack vector. However, the worm spread to systems worldwide, including Russian ones. The result was billions in damage and logistics failures worldwide. Such cascading effects entail escalation risks that are barely assessable.
Europe's response options
So even if "only" Ukraine were the target of cyber operations, it is very likely that there would be unintended collateral effects in European systems and networks. In this respect, the EU is also called upon here and must present a united position. It has a cyber-diplomatic toolbox it can work with. A distinction is made here between preventive, cooperative, stabilizing and restrictive measures and, lastly, punitive measures for self-defense in accordance with international law.
Preventive measures include cyber dialogues with third countries to exchange information and exert influence. The EU cyber dialogue with Russia is particularly important in this regard.
Ukraine, meanwhile, can get help with cyber capacity building in forensic investigations. Cooperative measures include cooperation in the prevention, detection and mitigation of cyber incidents. Telecom providers should analyze traffic in the event of disruptions and block identified perpetrators if necessary. For the purpose of detecting and attributing attacks, Germany and the EU have agreed to send cybersecurity experts to Ukraine. In the current case of escalating confrontation, the exchange of information on ongoing cyber operations between security agencies, but also between the EU and NATO, is essential.
Reactivation of the Normandy format
High Representative Josep Borrell was quick to condemn the attacks against Ukraine on behalf of the EU. This "signaling" is of high importance for communicating political unity towards Russia. A stabilizing measure could also be the reactivation of the Normandy format. Germany and France can try to reach political compromises, for example to end cyber-based disinformation campaigns against Ukraine and rule them out in the future, before more restrictive measures have to be taken.
The EU resorts to imposing restrictive measures (sanctions) to enforce its policy objectives in response to serious cyber operations. These are currently being coordinated with allies and directed against the responsible government officials, but also against state-owned companies or other legal and natural persons. Attribution is key for imposing restrictive measures against responsible individuals and/or entities.
Two further levels of escalation are conceivable
It remains to be seen how the EU and NATO will react to serious cyber operations against member states or to any collateral damage. Two further levels of escalation are conceivable here within the framework of the EU. The Lisbon Treaty introduced the solidarity and mutual assistance clauses. Both clauses can be applied in the event of serious cyberattacks. The solidarity clause under Article 222 TFEU provides for assistance to EU states, among others, in the event of serious cyber incidents.
The mutual assistance clause under Article 42 (7) TEU roughly corresponds to Article 5 of the NATO Treaty, but is subsidiary to it for NATO members. It was invoked for the first time by France in 2015, after the terrorist attacks in Paris. The diplomatic response framework does not require clear attribution of the origin and actor of the cyberattack. In the final escalation stage, military counter-reactions would also be conceivable. In extreme cases, this could include cyber capabilities. But the legal and political requirements are unclear and as yet untested. In this respect, the EU retains a degree of strategic ambiguity toward Russia. Whether this will be enough to convince Russia remains to be seen.
Annegret Bendiek is deputy head of the EU/Europe research group, and Matthias Schulze is deputy head of the security policy research group at the "Wissenschaft und Politik" foundation.