Join today’s leading executives online at the Data Summit on March 9th. Register here.
There’s a debate about whether it’s OK to call the digital conflict happening now in Ukraine a “cyberwar” — or if using that term makes you guilty of hyping in the middle of a tragedy.
Setting aside the senseless, heart-breaking devastation and loss of life caused by Russia’s unprovoked military aggression against Ukraine over the past week, there are disturbing indications that cyber assaults against civilian targets have been worsening, as well.
If you haven’t done so already, I encourage you to read the blog post that went up yesterday from Microsoft president Brad Smith. Because it might give you a new basis for thinking about the whole “cyberwar” question, as it did for me.
My big takeaway from the post: The public really has no idea about the scope or severity of the cyberattacks that have struck Ukraine so far.
The bottom line is that, however you choose to define “cyberwar,” it’s tough to say for sure whether Ukraine is in one or not. We just don’t have enough information yet.
It’s true that the electricity, water and internet are largely still operational in Ukraine. There have been virtually no major disruptions to key infrastructure reported, where a cyberattack was the likely cause, since the Russian invasion last Thursday. The worst-case scenario for cyberattacks has plainly not happened so far, as The Washington Post and others have pointed out.
But that does not mean that there haven’t been some very harmful cyberattacks in Ukraine. Unless you think Smith is exaggerating, which doesn’t seem like his style, then there most certainly have been.
Geneva implications
In his post, Smith alluded to cases of cyberattacks against civilian targets in Ukraine — including cyberattacks targeting humanitarian aid, emergency response services, agriculture and energy. These attacks are shocking to imagine, but Microsoft reports it has observed all of them in Ukraine recently.
Smith offered no specifics, but made it clear that some of the cyberattack incidents that Microsoft has tracked in Ukraine recently are about as bad as they come. He conveyed this when he said that the recent cyberattacks against civilian targets in Ukraine “raise serious concerns under the Geneva Convention” — referencing the international treaty that defines what are commonly referred to as “war crimes.”
And yet, none of the cyberattacks in Ukraine that have been publicly disclosed so far really fit with what Smith seems to be describing here.
Except one: The data-wiper attack on Ukraine’s border control, if it was intentionally meant to slow the movement of refugees from a war zone, sounds like a contender for a Geneva Convention violation, according to several cybersecurity experts.
With this type of attack, “you’re crossing over into Geneva Convention territory pretty quickly,” said Casey Ellis, founder and CTO at Bugcrowd.
Netenrich principal threat hunter John Bambenek agreed, calling the attack — reported by The Washington Post and VentureBeat on Sunday — a “stunningly inhumane” action against Ukrainian refugees. (Assuming it was intended, and not inadvertent.)
But the only reason that a public report of this attack even exists is sheer coincidence. A well-known expert on cyberattacks, Chris Kubecka, was trying to cross from Ukraine into Romania in the midst of the wiper attack. Border control officials on the scene were keen to speak with her once they learned who she was, and filled her in on some of the details of the cyberattack.
Information control
But apart from that report — which the Ukrainian government has yet to officially comment on — there haven’t been documented cases of cyberattacks in Ukraine over the past week that seem to reach Geneva-violation proportions.
But that doesn’t mean they haven’t happened, said Stan Golubchik, CEO of cybersecurity firm ContraForce. “I believe that information has intentionally not been released yet,” Golubchik said.
Smith’s general statements about what Microsoft has observed, with few specifics provided, would seem to support that notion.
The Ukrainian government is a customer of Microsoft, and so are “many other organizations” in Ukraine, he noted in the blog. And as a provider of the full gamut of computing capabilities — applications, operating systems, cloud infrastructure and security tools — Microsoft is potentially in a unique position to grasp the true state of cyber affairs in Ukraine, experts said.
“Microsoft would know if civilian infrastructure has been targeted,” said Stel Valavanis, founder and CEO of managed security services firm OnShore Security.
Most likely, the company has evidence of these cyberattacks, which it’s withholding for the time being, Valavanis said. “I believe there are a lot more attacks than we realize in Ukraine,” he said.
In the blog, Smith is “stating explicitly” that these are “some of the worst targeted attacks that Microsoft has seen in some time,” said John Dickson, vice president of cybersecurity advisory services firm Coalfire.
Notably, Microsoft doesn’t send out these types of updates often — and “certainly not from its president,” Dickson said.
“This paints a grim picture,” he said. “I suspect they are seeing way more than they are willing to talk about publicly.”
VentureBeat has reached out to Microsoft for comment. In the blog post, Smith said that for the cyberattacks that raise Geneva Convention concerns, Microsoft has “shared information with the Ukrainian government about each of them.”
Dangers of disclosure
When private companies are breached, they often fear reputational damage and blowback from the public disclosure, noted Danny Lopez, CEO of cybersecurity vendor Glasswall.
“But in [Ukraine’s] case, there are even more dangerous implications,” Lopez said. “There is a chance that disclosing these breaches and their causes in detail at this time could draw further attention from Russia’s nation-state threat actors.”
Security researchers that have disclosed recent cyberattacks against Ukraine have been sensitive to this. For instance, in ESET’s disclosure today of wiper malware that was used to attack a Ukrainian governmental organization late last week — following the Russian invasion — researchers said they are not identifying the affected agency.
“To protect the victims and not to give advantage to the attackers, we cannot disclose more specifics,” said Jean-Ian Boutin, head of threat research at ESET, in a statement to VentureBeat.
There are other potential reasons for holding back details on cyberattacks for the moment, too. Simply put, cyber incidents during war “have the potential to augment fear, uncertainty and doubt” in a populace that is already overwhelmed, said Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks.
One also can’t entirely rule out that the language barrier — and the nature of “cyberwar” itself — could be at play as well. Particularly when it comes to the information that the English-speaking world is receiving on this subject.
“There’s a very definite information warfare and propaganda aspect to this conflict, that’s playing out from both sides — which confuses what kind of information you consider to be accurate or not,” Ellis said.
Cyberwarfare is different
This is one key way that cyber warfare is distinct from the physical battlefield, he noted. For example, when a bomb goes off, you can feel pretty confident in judging whether it really happened or not, Ellis said.
But that’s not always the case with cyberwarfare, he said.
“You don’t even necessarily understand what’s happening in the first place — even if it was in English,” Ellis said. “Then you’ve got the language barrier. Then you’ve got all the disinformation and propaganda on top of it.”
Ultimately, when it comes to Russia’s attack on Ukraine, it may be a while before we can truly assess the cyber aspects — and decide whether it gets to be known as a “cyberwar” for all of time, or not.
“We likely won’t know the true extent of the damage until the dust has settled and peace has been restored,” Lopez said.
One final note: In his post, Smith doesn’t explicitly mention Microsoft’s previous proposal for a “Digital Geneva Convention.”
But the implication that protocols and technology alliances need to be in place to defend against growing cyberattacks is clear, according to Andrew Rubin, cofounder and CEO of Illumio. While rules of engagement exist for land, air and sea conflicts, “today, we need rules of engagement for cyber warfare,” Rubin said.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More