Cyberwarfare

The Ukraine War Has Changed Cyber Security Norms

And there’s even a ‘Geneva Convention’ for cyberwar — gotta keep those black hats under control, right?

There’s a convention for hackers.

In August they met for Black Hat USA 2022 in Las Vegas (where else)?

At that convention, one of the speakers discussed the conventions that cyberwarfare should hold to. Not quite the Geneva Conventions, but the aspiration is there. Maybe, at least for NATO countries and close allies.

I hope you’re not confusing convention with convention…

Anyway, there’s an organisation known as CCDCOE. It’s an NGO (non-governmental organisation, ha!) and its website says

Our mission is to support our member nations and NATO with unique interdisciplinary expertise in the field of cyber defence research, training and exercises covering the focus areas of technology, strategy, operations and law. — https://ccdcoe.org/about-us/

Admirable.

But, as always, things change…

This is how it started

In 2015 the United Nations asked 20 nations, including the US, UK, China and Russia, to develop a framework for international law in cyberspace. Countries were beginning to get rattled about the potential effects of cyberwar on society.

I mean, cyberwar could be like real war, right, with civilian infrastructure wrecked. Civilised nations do not start regular wars and ignore conventions do they, not in the 21st century? They wouldn’t bomb out another country’s civilian infrastructure, its cultural centres, schools, hospitals and markets, committing war crimes in the process. Surely a modern country would seek to defeat the enemy on the battlefield, mano a mano? And maybe in space — and cyberspace?

But attacking civilian targets? That sort of gross criminal behaviour is no longer acceptable, and we need to make sure that it cannot be done by black hat operatives in dungeons as well as by conventional weapons.

We need rules, just as we have for regular war.

So that they can be broken.

Cue CCDCOE

I’ll explain the stupid name later.

Compare the organisation’s 2015 aspiration driven by the UN and the current mission. Methinks countries like Russia and China are no longer sitting around that table — but I could be completely wrong.

That’s because it has morphed into:

The NATO Cooperative Cyber Defence Centre of Excellence

CCDCOE.

Boy, that’s catchy!

It’s a great idea isn’t it?

Just get all the NATO countries and their allies like Sweden, Finland and maybe even Ukraine to agree on how cyberwar should be conducted.

But what about the elephants not in the room, like China and Russia? They seem to have gotten out. One of them is rampaging.

At the recent Black Hat USA 2022 conference in Las Vegas, a journalist, Kim Zetter, expressed concern that the hacktivist attacks by Ukraine during the Ukraine War had changed the face of warfare.

During a keynote speech, Zetter said “Of course, the situation in Ukraine is unprecedented…and this isn’t meant to criticize the country for doing what it thinks is necessary to defend itself. But the security community and governments have to be aware of the potential path that this is leading us to.”

OK, Ukraine uses hacktivists, its IT Army.

So what exactly did it damage in Russian infrastructure? I’ll agree that there was recently a Yandex (=Russian Uber) traffic jam in Moscow when they hacked the system

but how does that compare with what Putin has done recently in Ukraine using conventional methods?

Zetter amplified her comments:

“[the committee i.e. CCDDOE] agreed that states should not intentionally damage other states’ critical infrastructure or otherwise impair the operation of critical infrastructure that provides public services,” [and] “they also agreed that states shouldn’t allow their territory to be used for cyberattacks against other states, and should take steps to mitigate malicious activity emanating from their territory when it’s aimed at critical infrastructure of other states.”

It’s history now but…

Putin has taken no notice of the niceties of war as defined in the Geneva Convention or anywhere else.

Beginning in January 2022, Ukrainian websites were attacked or disabled with extensive DDOS attacks and Russian state-sponsored hackers seeded Ukraine’s government and other computers with malware.

The Ukraine hit back with its emergent world-wide IT Army. Within days those good guys launched DDoS counter attacks against the Moscow stock exchange, the Russian foreign ministry and a state-owned bank.

“The United States has assessed that Russian military cyber operators have deployed multiple families of destructive wiper malware, including WhisperGate, on Ukrainian Government and private sector networks,” US Secretary of State Antony Blinken announced in a statement issued on May 10, 2022.

The small initial cyber target list has grown steadily and the IT Army is now a ‘semi-formal’ branch of the Ukraine defence force. And naturally the Russians are trying to infiltrate it using malware and technical wizardry. Anyone can join the army and download the software tools. I guess ‘anyone’ can include Putin’s own hacktivists. I don’t know how they filter out the infiltrators…

Back to conventions

Zetter seems to be bugged by the notion that what blackhats on the side of Ukraine are doing runs contrary to the norms of that report out of CCDCOE and that governments in countries in which they reside — e.g. Estonia — are turning a blind eye to the breach of these norms by their citizens.

It seems that it’s OK for those governments to send armour and munitions to blow up troops, but to send a list of vulnerabilities to be used in a penetration attack by the IT Army? Well, that’s just not cricket is it?

To be fair, she did point out that there are unique circumstances to consider. Duhhh?

“The IT Army also seems to be showing some restraint in not destroying or disrupting Russian emergency services” she said, trying to dig her way out.

But they buggered the taxis didn’t they?

Conclusion

It’s a purist position but hardly realistic to suggest that there be norms of behaviour regarding cyber-attacks. Russia has used chemical weapons against its own people (Chechnya) — Putin’s first war — but of course the Chechens don’t see themselves as Russian. Putin does not give a flying f##k for international norms and conventions.

Yes, the West should observe conventions, but is this CCDCOE report and stance of any practical value?

Well, yes. You could say that it is wrong to interfere with the running of a hospital using a cyber attack. But if Putin bombs a hospital do you think that he would not use a cyber attack on it if he could?

And, in fact, the Ukraine holds back in its cyber attacks (as Zetter acknowledged). I’m fairly sure the Ukraine IT Army could seriously damage Russian infrastructure, but has not been directed to do so because it would alienate the general Russian population.

It’s self-policing.

Note: I do accept that ‘Western’ force have occasionally been guilty of war crimes on a local level, but not as a matter of military policy and certainly not on an industrial scale.

More to come?

About me: If you follow me I guarantee variety in your inbox with some unusual perspectives! I write on a wide range of topics including humor, tech, space, geopolitics and travel, together with daily news events and the minutiae of my daily life living on a boat. Yes, I really do live on a boat (some readers don’t believe that). I also write about…

…strange conventions

If you appreciate stories like these and want to support other writers and me, consider signing up to become a Medium member. It’s only $5 a month, giving you unlimited access to incredible stories on Medium. If you sign up using my link below, I’ll earn a small commission at no extra cost to you.

Or maybe just buy me a coffee? and tell me what you liked reading (or not)!