Russia’s war against Ukraine reveals much about the use of cyber capabilities in warfare and the evolving roles of states, international organizations, and the private sector in securing the digital realm. Raluca Csernatoni, fellow at Carnegie Europe, and Tim Maurer, senior fellow at the Carnegie Endowment for International Peace, discuss the blurring of lines between war and peace in cyberspace and what it means for the future of cyber diplomacy.
Russia’s war against Ukraine reveals much about the use of cyber in warfare and the evolving role of states, international organizations, and the private sector in securing the digital realm.
Raluca Csernatoni, fellow at Carnegie Europe, and Tim Maurer, senior fellow at the Carnegie Endowment for International Peace, discuss the blurring of lines between war and peace in cyberspace and what it means for the future of cyber diplomacy.
[00:00:00] Intro, [00:02:04] Russia’s cyber war against Ukraine [00:11:38], The role of states, international organizations, and the private sector, [00:20:39] The future of cyber norms and diplomacy
Raluca Csernatoni, November 8, 2023, “Generative AI Poses Challenges for Europe,” Carnegie Europe.
Raluca Csernatoni and Mark Manantan, July 4, 2023, “EU-ASEAN Cooperation on Cybersecurity and Emerging Technologies,” Carnegie Europe.
Raluca Csernatoni, January 30, 2023, “Towards Strengthening the Transatlantic Tech Diplomacy: Trustworthy AI in the EU-U.S. Trade and Technology Council,” Transatlantic Leadership Network.
Raluca Csernatoni and Katerina Mavrona, September 15, 2023, “The Artificial Intelligence and Cybersecurity Nexus: Taking Stock of the European Union’s Approach,” Carnegie Europe.
Tim Maurer, October 22, 2023, “7 Simple Ways to Shield Yourself From Cybersecurity Threats,” Forbes.
Tim Maurer, September 18, 2023, “6 Actions CEOs Must Take During a Cyberattack,” Harvard Business Review.
Tim Maurer and Arthur Nelson, March 2021, “The Global Cyber Threat,” International Monetary Fund.
Tim Maurer, January 2018, “Cyber Mercenaries: The State, Hackers, and Power,” Cambridge University Press.
Raluca Csernatoni
Can a keyboard be as powerful as a missile? Besides a conventional war involving troops on the battlefield, Russia has also launched a very different kind of war against Ukraine. It’s an enigmatic conflict playing out in the realm of zeros and ones. So far, the Kremlin’s cyber attacks have including the hacking of electricity grids, assaults on critical infrastructure, and disinformation campaigns. Of course, propaganda has been an age-old part of warmongering. But is there anything new in this cyber conflict? What is the role of states and private actors in securing the digital realm? And what does the changing cyber threat landscape mean for transatlantic cooperation on cyber norms and diplomacy?
Raluca Csernatoni
Hello, and welcome to a new episode of Europe Inside Out, Carnegie Europe’s monthly podcast about the continent’s greatest foreign policy challenges. My name is Raluca Csernatoni, and I’m a fellow at Carnegie Europe working on the nexus between European security and new technologies like artificial intelligence.
Raluca Csernatoni
This episode of Europe Inside Out is about Russia’s cyber war against Ukraine and what it means for the future of cyber norms and cybersecurity. I’m joined by Tim Maurer, a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace.
Tim is an old Carnegie colleague who had left to serve the Biden-Harris administration in various positions. He was the cybersecurity advisor to the Secretary of Homeland Security and then a member of the White House National Security Council. He recently rejoined Carnegie. And I should add as a disclaimer here that his views expressed in this podcast do not represent the views of the Biden-Harris administration or of any of the government bodies he served. Tim, welcome. It is a pleasure to have you here.
Tim Maurer
Thank you. It’s great to be here with you today.
Raluca Csernatoni
Let’s get right into the topic of today’s episode in which we are going to take a closer look at how is Russia’s war on Ukraine transforming the cyber threat landscape. So, Tim, when it comes to Russia’s war against Ukraine, is it really reshaping the concepts of war and sovereignty in cyberspace? I ask this question because even before the invasion of Ukraine, the cybersecurity landscape was already highly complex and contested and I will give some examples here: the proliferation of malicious cyber enabled activities and also the increasing use of emerging and disruptive technologies like AI. In Ukraine, as well, observed attacks are concerning due to the scale, the speed, the sophistication and the actors involved, as well as the use of cyber against critical infrastructure, for instance. So, in other words, are we really witnessing a paradigm shift?
Tim Maurer
It’s a great question, Raluca. And I think we are now at a point where if we look back, not just at the last, you know, now two years since the further invasion of the Kremlin, but actually going back to the events we’ve witnessed since 2014, that the type of malicious cyber activity that has occurred in Ukraine is a good case study to assess how cyber attacks actually play out, one in an actual conflict, and how they are merged with other tools of the military and how they can actually have an impact. I would, perhaps, distinguish between three different dimensions.
One is activity that we know has been tied to some of the state-to-state interactions and the actual conflict. You mentioned the power outage in western Ukraine. We’ve seen other types of malicious cyber activity targeting financial institutions in Ukraine, there was the VIASAT incident and I think those instances have shown that the actual lasting impact of the malicious cyber activity was not of strategic effect, especially if we’re talking about actual physical boots on the ground and bombs and all of that. So it puts cyber a bit more into perspective of how it’s being perceived in the overall context.
The second point I would make is that it is important to bear in mind if we look at the region that it’s not only governments and states that are actively using some of these tools, but that we also have criminal activity and proxy activity. And the reason I flag this is that one concern we had when I was in the administration was the rise of ransomware attacks, which for the most part are profit-driven criminal activity.
Which leads me to my third point and a key lesson learned from looking in particular at the past few years, which is: even though the malicious kind of cyber activity that we’ve seen hasn’t had a strategic impact on the conflict, at least in my view, it really did crystallize the potential for accidental escalation that could have a much bigger impact. To make it concrete, we had the Colonial Pipeline ransomware attack in the first year of the administration, so in 2021, which paralyzed a lot of the fuel supply along the eastern seaboard. And after that, President Biden in a conversation with President Putin, made clear that the US was expecting the Kremlin to take action.
And one of the concerns I had with respect to the conflict in Ukraine was: “What would happen if we had another ransomware attack like that in the United States as Russian troops were crossing the border and marching into Ukraine?” because obviously the US is not party to the war. It’s obviously very supportive of Ukraine. But that kind of potential incident that then may have accidental escalatory risks is something that I think is worth bearing in mind as we talk about cybersecurity in the context of…
Raluca Csernatoni
So, scenario building in a way and strategic foresight and also kind of leveraging lessons learned from previous cyberattacks. And how would you see, again, in terms of kind of the paradigm shift, the blurring of lines? Because you say that you observed an increase of criminal activity, also this criminal activity gaining geopolitical angles as well and escalation. But for instance, critical voices also were observing the fact that the impact of cyber warfare in Ukraine wasn’t as dire as expected. So how do you address this issue for instance?
Tim Maurer
I think there are a couple of reasons that explain what we’ve witnessed. Part of it is that the Ukrainians have done a really good job at getting better of trying to defend some of the cyber operations that were targeting Ukraine. And, you know, that’s where the fact that we’re not just talking about the last two years, but essentially going back to 2014, when Ukraine really had to start thinking harder about how it can defend itself, comes into play.
So, we saw this with a power outage in western Ukraine and the resilience of being able to get the power reestablished, partly because there were manual backups, but then also just the ability for the Ukrainians to come together. Both the government but also some of the private sector actors to figure out how they can better defend themselves against some of this malicious activity is, I think, one of the reasons. Another one is that, if we look at the Russian state and the Russian military, as we witnessed shortly, a couple of days into the invasion, where some of the initial expectations or predictions about the length of the war, didn’t come to fruition - I think it also illustrated how hard it is to integrate cyber tools and mechanisms with other parts of warfare which we may, I think, to a certain extent, have witnessed as part of the conflict as well.
Raluca Csernatoni
Very interesting point. And maybe just to build a bit on the sovereignty side of the question, because we see as well with the conflict how nontraditional actors and you mentioned here the private sector, but I would add here the involvement of civil society and volunteer engagement in the conflict. And I would give the example, for instance, of the Ukrainian government initiative of this voluntary cyber IT Army. For me this is very interesting because in this case it could be argued that the IT Army has become a pro-Ukrainian threat actor. It might be a controversial way of putting things, but I would say that this call to set up a voluntary IT army is unique for a state. In that sense, it introduces this idea of a paradigm shift because in a situation of armed conflict and also in the sense of attracting Ukrainian talent, volunteers can continue to fight on the digital front. How would you assess or analyze, explore this new development?
Tim Maurer
I think it’s a fascinating case study for how we’ve seen actually Ukraine step up over the past few years. I remember traveling to Kyiv, it was in 2015 or 2016, as part of my research for my book on cyber mercenaries and proxy relationships at the time. And I met with representatives from the Ukrainian government at the time. I also met with some hackers. And what was clear at the time after 2014 was that the Ukrainian society volunteered across the board, not just for cybersecurity purposes, but the Ukrainian people wanted to help out after what they saw happen in Crimea. And the government didn’t have the mechanisms to absorb that volunteer capacity. So it was an organizational challenge for the Ukrainian state. And what we I think have now seen in the past two years is that the government has had enough time to think through how it can actually make better use of this volunteer capacity. And we’ve now seen that play out. I do remember also in 2015, 2016, I had a conversation with the self-declared head of what I think was called the Ukrainian Cyber Army. And it sounded a lot more grandiose than it ended up being because he was essentially a one man show with some people then trying to carry out DDoS attacks or just guess the passwords of CCTV cameras.
Now, just one more note on that. Looking at the actual invasion, if you are able to gain access to a CCTV camera in an occupied territory and you can witness troop movements, that could actually be something of interest to the military. But it’s not the kind of cyber attack that we think of in the traditional sense.
Raluca Csernatoni
Yeah, sometimes more in the academic literature, people refer to a cyber Pearl Harbor. But it’s really interesting to also note from an international law perspective, how would you assess, for instance, this role of the IT Army? As an active actor in the conflict, how should we think about it?
Tim Maurer
It’s an interesting area where the government itself has limited resources and sometimes limited expertise, and being able to leverage the insights and also the capabilities of the private sector can be really helpful to augment the defense of a state and the government because, as you know, cybersecurity is such an amorphous kind of concept. It really depends: are you talking about IT systems? Are you talking about operational technology of like, the energy grid or the financial sector? So it helps augment the ability to defend yourself.
At the same time, it raises some questions. Are those volunteers providing assistance that gets them close to being an agent of the state and that has implications for international law and the kind of protections they may or may not enjoy? Or are they sufficiently independent that they’re not part of the state itself? So that has implications for whether they constitute a legitimate military target or not. One of the most fascinating recent developments is that the International Committee of the Red Cross has put out a set of principles, or actually they’re based on existing principles, but has clarified how the Red Cross sees existing international humanitarian law apply to hacktivist groups with a set of principles that it hopes these hacktivist groups will embrace.
Raluca Csernatoni
Very interesting because in a way, it brings us to the next point of our discussion and zooming out a bit from the Russia-Ukraine conflict and reflect a bit on the role of states but also international organizations that you mentioned and as well as the private sector, and especially when it comes to advancing international law and cyber norms cooperation. And just to give a bit more of a historical background here, how would you assess the history of cyber diplomacy, for instance, or cyber norms cooperation and what role is the multistakeholder community playing in advancing this cooperation?
Tim Maurer
Yeah, so... The good news is that the international community has now spent ten plus years in developing a framework for how we should think about the rules of the road for cyberspace. So the international community has made clear that it believes that existing international law applies to the Internet, just as it applies offline. That includes international humanitarian law and all of the principles about the targeting and principles of proportionality, etcetera. There’s also the complementary set of voluntary norms for cyber space that also makes clear that, for example, there should not be offensive cyber operations, disrupting civilian infrastructure, including in peacetime.
Now, the bad news is we’ve seen going back to 2014, that we have a member of the Security Council with Russia that has blatantly ignored not just the rules of the road for cyberspace, but even long-established rules for the integrity of a country’s territory that have been the reason why the world has been as peaceful as it has been since World War II.
Having worked on cyber norms for many, many years, it’s a rather sobering realization that Russia, who has been very actively involved in those discussions, seems to actually care very little about the rules. Now the important takeaway from that, however, is that even though Russia seems to have no interest in actually following the rules that it itself has been advocating for doesn’t mean that the rules themselves no longer have value. If the rest of the world still adheres to it, the world will be a much more peaceful place, and to quote Michelle Obama, but in a slightly different context, I happen to believe that if they go low, we should go high. And if they decide to show the world that they care very little about violating another country’s territory, kidnapping kids and taking them far away from their family, then it’s even more upon us to demonstrate what we should stand for and what the rest of the world should stand for.
Raluca Csernatoni
Moving a bit from the role of states, what we observe as well in the Russian Ukraine conflict is the rise of the private sector as a supporting organization. And here it’s also the question of again attacks against critical infrastructure and as well who is responsible in protecting critical infrastructure from information technology and communication networks. You mentioned electricity and power outages and so on.
But for me it’s very interesting to observe as well in terms of thinking also about cyber norms and the promotion of an open, safe, and secure cyberspace: How would the private sector approach this topic as well? Because on the one side we are talking about, of course, capacity building involving private companies, the big tech as well in becoming these supporting organizations but on the other hand they play different roles, let’s say, in international relations. So how would you assess this?
Tim Maurer
Apart from the importance of the transatlantic cooperation, when we talk about cybersecurity - because many of the threat actors we face in the US are also targeting institutions in Europe - the cooperation with the private sector is equally important in my view, because so much of the infrastructure is operated and owned by private companies, many of which are actually located in the United States. So if we talk about the big tech companies, Microsoft or Google that provide the software running our computers or phones or email accounts.
So that, on the one hand, further than reinforces the importance of transatlantic cooperation, in particular for European governments, to be able to coordinate with US-based companies and with the US government of how we think about cybersecurity and cyber defense. Which leads me to the other point, which is something we witnessed very quickly after Russia’s further invasion of Ukraine, which, by the way, President Biden warned the world of starting December 3, I believe, very publicly and unfortunately, not a lot of people believed us at the time. But once it actually started happening, a lot of private companies took action. And most of that action was voluntary and the companies just felt that was the right thing to do.
So we have the situation where there is this very unique, rare alignment of the government’s kind of approach to this, companies’ approach to this, that we may not see again in the future, in other conflicts where the importance of getting support from the private sector may be as much. But where the interest between the private companies and governments may be more divergent than as we’ve witnessed in the context of Ukraine.
Raluca Csernatoni
That’s an excellent point and maybe just as a parenthesis it also showcases how the Ukrainian government as well nurtured public-private relationships even before the conflict as well as in terms of protecting data but as well as training and other capacity building for that matter.
But you also raise a very interesting point that is close to my heart. It’s mainly the alignment of interest between the public and the private sector and of course when it comes to the private sector there is always profit-making logic behind decisionmaking, while of course when it comes to war, but also state interest, national security plays a very important role and I’ll just want to raise one example. Of course in 2022 I would say that when Ukraine requested the American aerospace company SpaceX to activate Starlink satellite Internet services in the country, of course this service was provided free, unrestricted, but now we see a different development in this process. So it’s as you say about predicting or forecasting a bit in terms of future conflicts. Would you see this type of alignment happening or divergence or a transformation of how public-private engagement will play out in cyberspace?
Tim Maurer
What we’ve seen in Russia-Ukraine is a great case study for the role that private companies can play in an act of conflict. Starlink is a good example as you just mentioned, but it also illustrates the tensions and the really enormous decisions that a company can face when it is thrown into the midst of geopolitical tensions. One of which is that very few companies have ever been in a position like this before. And a lot of the mechanisms governments have or the reflections and institutional knowledge of how to weigh different trade-offs, how to manage escalatory risk, how to assess the potential reaction of another party – that’s very unique and very novel, I think, to a lot of companies. Which demonstrates also the importance for why companies, I think, need to have some sort of engagement with the government to be able to coordinate.
Now there have been some voices who’ve said: “Starlink, private-run company, this should be government owned and we need to have a system that is run by the government so that a company wouldn’t be in this place or that the governments wouldn’t be as dependent on a private company.”
But if we look at the macro level, there is a reason why today the States have moved further away from running their own large-scale infrastructure – like a space program – or relying much more on private companies for their space program because they’re incredibly expensive, they’re incredibly risky as well. And some of the companies and the competition have facilitated further innovation in this space.
It’s not an easy decision or answer to then simply say, “Oh, now we need to go back to government-funded projects like this” because of the pure scale and scope, and frankly because there is the broader geopolitical race with China as well, where there is an incentive to make sure we can innovate as quickly as possible. And I’m not sure that apart from the very narrow focus on strategic technologies that the Biden administration is currently focusing on, whether beyond this of running very large programs on broader technology can be done effectively by the state. I think the state can help nurture and facilitate it by for the private sector and provide some guardrails and direction. But if we really want to turbocharge innovation partly in this global competition, then I think we will need to continue to rely on the private sector. But how to mitigate some of the risks or what we’ve now seen in the Russia-Ukraine conflict I think is really important. We haven’t quite found all the perfect answers yet.
Raluca Csernatoni
Again, maybe to zoom out even more or let’s say to think about the future a bit. The point of discussion here is also to think about how to best mitigate any type of cyber conflict in the so-called digital trenches. And for instance, what role would transatlantic cooperation or international cooperation play in this regard? How would cyber diplomacy efforts or norms be better fine-tuned? Or a more controversial question here: have existing cyber diplomacy efforts and norms failed, given that we observe so many conflicting and worrying engagements in cyberspace?
Tim Maurer
The example of the Russia-Ukraine conflict is a good illustration of how intelligence can actually be really, really useful. So as we’ve witnessed leading up to the Kremlin’s decision to invade Ukraine, the US government had used intelligence to try to warn Ukraine and the world for several weeks prior to the invasion taking place. With respect to transatlantic cooperation, bearing in mind what we witnessed in the case of the Iraq war, and understanding that there may have been some residual skepticism from some of the European governments, but what the US government did was a very deliberate attempt to use intelligence in a way to avoid what then happened in February. With respect to transatlantic cooperation, making sure that there is mutual trust so that when these kind of warnings occur, governments are able to take action, I think is the first really important point.
The second that I would make is the reason this matters so much is that in the US we launched what was called the Shields Up campaign, which was actively calling on the private sector to step up its cyber defenses at the end of 2021, leading up to what we then expected was going to be the invasion. And that was to mitigate the risk and increase our resilience against this potential accidental escalation that I mentioned earlier.
We didn’t see that happen in Europe, partly because people simply didn’t really believe what the President and the U.S. government had been trying to warn the world of. So that’s another area of transatlantic cooperation when it comes to increasing resilience, because a lot of the systems are very similar of what kind of software we’re using on both sides of the Atlantic.
And then the third piece, I would say, as it relates to AI and, you know, one of the potential short-term risk, how attackers can use it, is AI is helping to break down language barriers so you could see criminal activity leveraging the ability to be better at spear phishing because they can now write an email that looks actually like it’s been written in Romanian, or German, or French. And that is something where there’s also an opportunity for transatlantic cooperation to make sure we compare notes on the latest trends.
And then the last point I would make is that we need to make sure that the EU and NATO and Europe is thinking about emerging technologies and has frameworks in place so that it facilitates transatlantic cooperation. Because we in the US already have put a lot of thinking into that and there are new strategies and frameworks come out. And if Europe doesn’t have those, it makes cooperation so much harder.
Raluca Csernatoni
So to unpack this, I would say there are three layers. One: trust. Then there is the second layer: the capacity, intelligence and also capacity in terms of capabilities. But then the third layer would be as well to really, really align in terms of interoperability, which is another very important term here.
But maybe just to unpack a bit the transatlantic cooperation because we have different formats. We talk a lot about EU-NATO cooperation. I would also note here there is the EU-US Cyber Security Dialogue that addresses more the threat assessment landscape but also issues related to the protection of critical infrastructures. And, more recently, we also have the EU-US Trade and Technology Council. So what format would be better suited, for instance, to enhance cooperation either in terms of interoperability, intelligence sharing, trust building as well in terms of venues for socialization, but also exchange of information and practices?
Tim Maurer
They are mutually reinforcing in my view, partly because if we talk about technology policy, if we talk about artificial intelligence, they are so cross-cutting and impact so many different areas of our daily lives, society, the transatlantic relationship, that they will have to be incorporated in these different mechanisms, right? So there is a piece of this which is about how we engage in security policy that is more with respect to NATO. At the same time, if we look at the Russia-Ukraine conflict, the importance of export controls and how we engage actually from an economic perspective and instruments of economic statecraft became incredibly important. And that’s obviously much more of an EU question. So I don’t think there is the one kind of “to rule them all”.
It was very clear that with respect to tech policy there was a gap with respect to existing channels, which is why the Trade and Technology Council was created. And I know there’s been a lot of criticism about the process, but to me the test really is: if the TTC wouldn’t exist, would the world be better off? And I can assure you the voices who are currently critical would then be calling for something like the TTC. So I think the question is rather how can we improve the TTC? But overall it’s been, I think, a really important innovation.
Raluca Csernatoni
Maybe one question on the TTC itself. Would you say that cyber or cybersecurity features as a priority on the agenda of discussions at the TTC or is more of a cross cutting horizontal issue?
Tim Maurer
So cybersecurity now has a fairly established mature international architecture, right? We have on the diplomacy side ambassadors for cybersecurity. We have the national cybersecurity centers in more and more countries that are an elevated version of the national Computer Security Emergency Response Teams that were set up many years ago. So there is a standalone community, there are well established mechanisms at this point.
So, my sense is reflecting on some of the other tech policy areas that are increasingly important, be it AI, be it biotechnologies, quantum computing. Those are, I think, the areas where we don’t quite yet have mature framework strategies, communities of experts that are on both sides of the Atlantic. So that in my view is probably an area that’s more worth focusing on. And as you know from the TTC working groups, they have been much, much broader than just the cyber issue partly because there was a sense that for cybersecurity policy we already have well established mechanisms and channels.
Raluca Csernatoni
And one last question to wrap things up and this is kind of a bigger picture question. In your view, are international cybersecurity norm-setting processes at a critical juncture?
Tim Maurer
They are, just as I think the international system at large is at a critical juncture because Russia’s decision to violate the territorial integrity of Ukraine, tears at the foundation of the international order and the peaceful international order and the stability that we’ve witnessed since World War II. So that means that for the rest of the world we have to think through how we navigate this more turbulent world of uncertainty. And, with respect to cybersecurity norms, it also raises the question then: how do you engage with an actor that clearly ignores international law and norms at a much more fundamental level?
Now, with that said, I do think there are - one - opportunities, but also value in further advancing this project. Because if we look at some of the recent developments where we’ve seen water facilities get targeted, hospitals in the midst of a pandemic, I do think it’s really important to preserve some of the core ideas that have informed international law, like do not target civilian infrastructure. And a lot of the critical infrastructure, which is this amorphous term that in many countries is so widely defined that everything is critical, in which case nothing is critical. Right?
I do wonder if there may not be opportunities to get the international community to just get back on some of the core ideas that something like targeting a hospital in the midst of the pandemic, targeting a water facility, like infrastructure that’s purely civilian in nearly 99 percent of the cases and trying to reinforce those lines, because the more those lines get crossed, the more the core ideas and achievements of humankind over the last now, 100 plus, 150 plus years are going to get eroded. To ensure that we try to go as high as possible as others may choose to go low, I think will be critically important.
Raluca Csernatoni
In other words, responsible state behavior both in international relations but also in cyberspace, and looking towards the future, translating some of these insights into other fields, like AI and critical infrastructure, for that matter.
Thank you so much, Tim. It was a pleasure. And thank you for joining this month’s episode of Europe Inside Out. And thank you for sharing your insights.
Tim Maurer
Thank you so much for having me.
Raluca Csernatoni
For those who are interested in learning more about cybersecurity technology and international affairs, I encourage you to follow Carnegie Europe’s work. Our X (formerly Twitter) account is @Carnegie_Europe.
You can find me @RCsernatoni. That is @ R-C-S-E-R-N-A-T-O-N-I. And also you can find Tim @MaurerTim, that is, @ M-A-U-R-E-R-T-I-M.
Raluca Csernatoni
Thank you for listening to Europe Inside Out, a podcast by Carnegie Europe. If you like the show, leave us a rating and subscribe wherever you get your podcast.
This episode of Europe Inside Out was produced with support from the US mission to the European Union. Our producers are Francesco Siccardi and Indre Krivaite. Our editor is Alexander Damiano Ricci of Bulle Media. Sound engineering and original music by Jeremy Bocquet.