The Emergency Policy Gap
Ukraine is in desperate need of an emergency option to combat Russian cyber attacks. Analysts agree that Ukraine would have been better prepared for the ongoing cyber attacks against its nation from Russia if they had prepared a standing military unit dedicated to defending against cyber attacks prior to the invasion. However, this solution is too late to implement. It is now important for policymakers to consider how Ukraine can better structure itself militarily against Russian cyber forces amid this invasion.
I seek to address this gap in policy recommendation through the suggestion of a better coordination of hacktivist groups assisting the Ukrainian government. This plan of action requires moving from state-encouraged activity to state-ordered and state-integrated activity through three steps: (1) use the encrypted platform Telegram not only to issue calls for support but also to create an organizational body (2) leverage existing hacker groups to create proxy relationships and (3) develop operations that fulfill strategic goals by outlining specific targets for volunteer hackers.
Some cybersecurity experts worry that encouraging hacktivist groups to engage in cyber campaigns in the conflict will muddy the waters of attribution. They would counter my policy recommendation by pointing to two main factors (1) hacktivists may decide not to engage with the Ukrainian government in the ways leaders ask them to and (2) encouraging hacktivists to join the conflict would complicate attribution. However, I argue that my solution would consider both points by creating an organizational structure that would incentivize hacktivists to cooperate with the Ukrainian government while clearly attributing hacktivists as proxy groups working on behalf of the Ukrainian government.
Jason Healey’s Spectrum of National Responsibility
As hacktivists join to support the Ukrainian cyber defenses, there are different levels of coordination that the Ukrainian state can implement. Jason Healey’s “spectrum of state responsibility” is a tool that effectively helps analysts categorize state involvement in a particular attack or a series of attacks by determining if a state ignores, abets, or conducts an attack. The spectrum begins with states engaging with passive responsibility, where a state’s insecure systems have the potential to lead to an attack, all the way to the active end of the spectrum, where a state’s government is actively planning and executing an attack. His spectrum covers ten levels of state responsibility that fall under three broad categories of state involvement in cyber campaigns.
The first category is states having passive responsibility for attacks conducted by outside actors. These attacks are equivalent to a person refusing to acknowledge that a group of people are throwing rocks at their neighbor’s house. The actors could be throwing the rocks because they consider the neighbor a common enemy, or they could be throwing the rocks at the neighbor’s house because they are friends with the person ignoring the attacks. There are three types of attacks that fall under passive responsibility: state-prohibited, state-prohibited-but-inadequate, and state-ignored.
The second category is states ignoring or abetting attacks conducted by outside actors. These attacks are equivalent to a person issuing statements in support of the groups throwing the rocks or by giving incentives for the groups to throw the rocks, including monetary incentives or advice. There are three types of attacks that fall under ignoring or abetting attacks: state-encouraged, state-shaped, and state-coordinated.
The third category is ordering or conducting attacks by outside actors. These attacks are equivalent to the person telling the groups throwing the rocks to target the neighbor’s house at 5:15 pm because that is when he is returning home from work. There are four types of attacks that fall under ordering or conducting attacks: state-ordered, state-roque-conducted, state-executed, and state-integrated.
The Transition to State-Ordered and State-Integrated Campaigns
With each level, the state becomes more involved in the coordination of cyber attacks by other actors. My policy suggestion is to move from state-encouraged campaigns to state-ordered and state-integrated campaigns. This implementation would take the Ukrainian government from simply ignoring and abetting attacks to the Ukrainian government actively ordering and conducting attacks.
To understand this policy recommendation, it is first important to understand what state-encouraged responsibility looks like and how the Ukrainian government is currently implementing this strategy. State-encouraged responsibility occurs when external actors control and conduct the attack while the national government encourages them in the attack. Examples of this support could include positive media in state-controlled press or the encouragement of government or intelligence officials to support these operations while off duty. Despite the encouragement and positive feedback of these attacks, the government is not actively assisting in planning specific targets or executing these attacks.
Ukraine is exemplifying this area of Healey’s spectrum of national responsibility through its support of online hacktivists. Ukraine has implemented an “IT army” that is led by civilians. When Russia first invaded Ukraine, the government of Ukraine sent out a “call to arms” via the encrypted messaging app Telegram. This recruitment mechanism successfully caught the attention of up to half a million people seeking to help the Ukrainian army.
Although this Ukrainian-encouraged group has led several operational successes, such as distributed denial-of-service (DDoS) attacks, these operations have failed to be as strategically successful as they could be. Although the hackers are doing an exceptional job in acting as a nuisance and annoyance to the Russian military as it exposes vulnerabilities in the Russian cyberspace and denies availability of certain services, these hackers are failing to implement meaningful attacks that affect the overall Russian strategy. This lack of strategic success shows how the state-encouraged attacks are not allowing the hundreds of thousands of volunteers who wish to support Ukraine to live up to their full potential.
For Ukraine’s volunteer IT army to live up to its full strategic capability, the Ukrainian government should instead transition to campaigns that implement state-ordered and state-integrated responsibility. State-ordered campaigns are attacks that are commissioned by the national government through policy. Although the government does not actively conduct the attacks, they are an active member of the planning process, with the attackers potentially being considered de facto agents of the state according to international law. State-integrated attacks are the most active form of attacks outlined in Healey’s spectrum of national responsibility. These attacks occur when the state government integrates third-party attackers with cyber forces operated by the military, where both groups have the same command and control. Through these attacks, the government selects targets, timing, and tempo of individual attacks and comprehensive campaigns.
The Impacts on Organizational Structure
Ukraine could transition its IT army from state-encouraged attacks to state-ordered and state-integrated campaigns through three policies: (1) use the encrypted platform Telegram not only to issue calls for support but also to create an organizational body (2) leverage existing hacker groups to create proxy relationships and (3) develop operations that fulfill strategic goals by outlining specific targets for volunteer hackers. The platform Telegram has become a strategic advantage for the Ukrainian army. By better utilizing this existing encrypted platform, the Ukrainian military could more effectively create an organizational structure that would allow for state-integrated attacks.
The best way to organize these campaigns through Telegram is by leveraging the existing organizational structure of hacker groups by employing them as proxy actors working on behalf of the Ukrainian state. By using these existing structures, the Ukrainian army could better work with leaders of established organizations to pass along strategies and orders to members of these proxy groups.
Finally, the Ukrainian government could more effectively leverage the support they are receiving through their hacktivist armies through focusing on implementing operations that are not only successful at the tactical level but are also successful at the operational and strategic levels. The Ukrainian government could develop a list of targets to send to their proxy forces so that these third-party actors could lead concentrated efforts against targets that would most benefit the Ukrainian state’s military objectives. By implementing a list that effectively selects the targets, timing, and tempo of operations conducted by military and civilian cyber forces, the Ukrainian government and volunteer hackers would experience success not only at the tactical level but also at the operational and strategic levels.
Through implementing my three-step strategy of improving organizational structure, leveraging proxy actors, and shaping operations strategically, the Ukrainian government could effectively transition its volunteer IT army from conducting state-encouraged cyber campaigns to state-ordered and state-integrated cyber campaigns. This transition would allow the Ukrainian military to succeed strategically as it implements an emergency option amid the Russian invasion that revealed the weakness of Ukraine’s lack of a standing military force.
Comments