Ukraine's Cyber Defense Success: Top TakeawaysExperts Highlight the Importance of Preparation, Partnerships, Resilience
Fifteen months after Russia intensified its invasion of Ukraine, what cybersecurity lessons should policymakers and defenders be learning and applying?
Top-line lessons highlighted by experts during a Center for Strategic and International Studies event are that Ukraine was already prepared and well-practiced for the conflict, the importance of bandwidth, and the power of having allies and private sector partners. The Washington, D.C., think tank published analysis of the Ukrainian state of play in a report sponsored by the U.K.'s National Cyber Security Center, which is part of intelligence agency GCHQ.
"The key thing for me in all this: We can see that defenders get a vote," said Paul Chichester, director of operations at the NCSC, who participated in a panel discussion Thursday marking the report's launch. "We say that this is a team sport. My lesson would be: Build those partnerships now; don't wait for a crisis" to prepare and practice.
Cyberattacks remain a fixture of the conflict, if not at levels as dire as some analysts had predicted. As of April 9, the CyberPeace Institute cataloged 1,593 cyberattacks and operations tied to the conflict, which third parties have attributed to 93 different threat actors.
The robustness of Ukraine's defenses have been lauded by Western government and intelligence officials, who point to the benefits of partnership and preparation.
"Ukrainian cyber forces are perhaps some of the most battle-hardened … in the world," said Julia Voo, a cyber fellow at Harvard's Belfer Center for Science and International Affairs. With Ukraine this week becoming a member of NATO's Cooperative Cyber Defense Center of Excellence, she said Western allies will get to learn even more directly from its experiences.
Experts cautioned that while it might look as if Ukrainian cyber defenders are carrying the day, Russia's cyber objectives remain unclear, as does the extent to which it is using cyber operations to further espionage efforts. "Their view of success and ours may prove to be different in the future," Chichester said.
Resilience Beats Deterrence
One big-picture lesson from the conflict is that for defenders, the imperative is not to prioritize deterrence, said James Lewis, director of the Technology and Public Policy Program at CSIS.
The focus must be on resilience, he said. Building for resilience acknowledges the inevitability of ongoing attacks. Multiple governments have made such a shift - for example, in the United States in the U.S. national cybersecurity strategy released in March by the Biden administration.
"Democracies cannot expect to deter adversaries from attempting to use cyber operations to advance their national objectives," he said in the report. Bolstering defenses serves not just to combat unfriendly states "but also criminals and proxy forces," thus protecting "against a much wider - and future - set of threats."
Amy Ertan, cyber and hybrid policy officer at NATO, warns in the report that threats are becoming a constant. "Contested cyberspace is well on the way to becoming the 'new normal,' with a baseline that has incrementally increased over time to the levels of pervasive disruption seen today." Adversaries must be held to account for such attacks, and defenders must "double down on resilience to decrease the success of subsequent malicious cyber campaigns."
Even though "preparation in our businesses is absolutely vital," how to do that in a way that can be sustained at the scale of the Ukrainian conflict remains unclear, said NCSC's Chichester.
"One of our takeaways is: How, as a nation, do you respond at scale, persistently, continuously, day after day after day?" he said. "One of the things we worry about a lot is the longevity of incidents."
Practice Makes Perfect
Panel participants said that creating a "whole of government" and private sector approach to cyber defense today is key to countering future threats.
Russian aggression drove Ukraine in 2016 to adopt a national cybersecurity strategy that "sought to enhance collaboration among all government agencies, local authorities, military units, law enforcement, research institutions, and civil society to improve Ukraine's overall cyber defense," in part via the creation of a National Cybersecurity Coordination Center, Voo said in her CSIS essay.
Allies and business partners have been key to Ukraine's defense, including contributions from Microsoft and Amazon for cloud services and hosting. Portable satellite communications technology, as provided by Starlink, is highlighted in the CSIS report as being a crucial, just-in-time capability gained by Ukraine's military and government, not least after Russia launched a wiper malware attack aimed at Viasat broadband routers.
As the war continues, or for future conflicts, will this model carry forward? "It is still not clear how long these types of firms will be willing and able to effectively donate these expensive services to Ukraine for the remainder of the conflict, or if this kind of support would be replicable for any other besieged country in the future," Voo said.
NATO's Ertan said this is a long-running problem. "There is no agreed current market model for private sector actors to sustainably provide cyber assistance in the context of a conflict or where receiving actors cannot necessarily cover the costs involved."
Two options she offers: facilitating donations, which relies "on a moral incentive," and finding "alternate funding mechanisms," such as emergency funds to which states contribute. She says the latter has a much greater chance of success, especially if accompanied by frameworks that detail how the technology is allowed to be used. For example, Starlink had threatened to withdraw its technology from Ukraine because it was being used for offensive military operations.
Connectivity remains essential for effective cyber defense. "Internet stability is at the heart of the multi-domain era of warfare," said Melanie Garson, acting director of geopolitics at the Tony Blair Institute for Global Change. "As militaries invest in increasingly interconnected and intelligent weaponry, access to stable, resilient and secure communications is crucial."
Don't underestimate the role that the private sector will play in providing internet connectivity and stability during future conflicts, said Garson during the launch event. Defending these capabilities will be beyond "the capabilities of most militaries alone," she said.
The experts behind the CSIS report said more lessons will surely be learned as the war continues and after it concludes. In the meantime, with many different parties willing to claim success for helping bolster Ukraine's cyber defenses, it pays to keep an open mind, said Erica Lonergan, assistant professor in the Army Cyber Institute at the U.S. Military Academy at West Point.
"We have to be careful not to harp on the most convenient explanation of success," she said at the event, in lieu of doing "some real careful analysis," to ensure the right cyber defense lessons are being learned and applied.