A recent news article revealed that Ukraine intends to draft a law that would officially bring its volunteer hacker brigade, dubbed “the IT Army”, into its armed forces. Created by Ukraine’s Vice Prime Minister Mykhailo Fedorov, the IT Army has claimed responsibility for myriad cyber attacks, promoting their victories on social media platforms like Twitter and Telegram. Once established after Russia’s invasion, the group initially identified 31 Russian banks, businesses, and government websites on an attack target list posted on its Telegram channel, though that number steadily increased to as many as 662. Indeed, notable operations conducted by the IT Army include disrupting Russian media channels when Russian president Putin gave his State of the Union speech, defacing Russian online sites, targeting Russian infrastructure, and conducting more subtle information manipulation attacks against Russian public-facing websites.
There are indications that this draft law is gaining traction in Ukraine, with at least one senior official advocating the absorption of these professionals into its civilian cyber reserve defense, which would ostensibly strengthen the country’s regular military capabilities. The idea is not revolutionary, as Finland and Estonia both have similar cyber reserves, with the latter being a model that Ukraine’s efforts could mirror. Ever since Estonia suffered an onslaught of distributed denial-of-service (DDoS) attacks in 2007, the Estonian Defence League’s Cyber Unit has functioned as a voluntary entity charged with the mission of protecting Estonia’s information infrastructure and broader areas of its national defense. Cybersecurity specialists, skilled practitioners of critical infrastructure protection, and university-educated youth make up the Cyber Unit, demonstrating the possibilities of robust public-private cybersecurity cooperation. Members take an oath of service and would integrate with military forces during periods of conflict.
Since the current makeup of the IT Army includes other nationalities, any future inclusion of the group would obviously be limited to Ukrainians. It’s not certain how many Ukrainian nationals are part of the IT Army. In an August 2022 interview, a leader of the IT Army did not reveal how many people were part of the larger collective (some open source reports put the figure at approximately 300,000–400,000, though how many of these members actually engage in operations is debatable), but he did acknowledge that the group’s 25 decision makers were all Ukrainian. Suffice it to say, membership likely includes a substantial number of Ukrainian volunteers available for recruitment, a move that even the IT Army expressed interest in once the group dissolved, according to a statement released to an online periodical.
The Gray Zone
Use of cyber proxies can be potent depending on the capabilities of the actors, and the Ukraine war demonstrates how states can leverage these assets for their benefit during periods of armed conflict. Since the start of the invasion, hacker, hacktivist, and cybercriminal proxies have entered the fight; some operate independently, while others coordinate their activities with their government benefactor. These entities have been operating in the “gray zone,” a term characterizing the ambiguous space between peace and war where combatants have generally enjoyed anonymity, or at least plausible deniability of official state affiliation. Many consider what has been transpiring in cyberspace around the Ukraine war as a blueprint for potential future conflicts that arise from geopolitical flash points and escalate to an international level. If true, these proxies are a state benefit that could be leveraged to conduct cyber attacks against targets like civilian critical infrastructure that would normally draw criticism if done by a state.
However, if proxy cyber warfare during periods of armed conflict gains traction, states may seek to go after those surrogates as viable targets for reprisal. There is the general belief that cyber attacks during armed conflict fall under International Humanitarian Law (IHL). Therefore, civilians participating directly for either side could conceivably be denied the protections under current IHL parameters. This could expose more civilians and civilian assets connected to those operations to state-directed attacks, a steep consequence that potentially impacts more than just the proxy. So far in the Ukraine war, there has been no game-changing attack conducted by proxy elements for either Russia or Ukraine warranting such retaliation, though this may have more to do with attacker capability and operational impact than with the victim’s desire for reprisal. But as nonstate actors’ capabilities advance in sophistication and become more refined, this may very well change, further altering the evolution of how cyber war is conducted.
The timing of this draft law is advantageous for both sides. For the IT Army, the transformation from hacktivists to cyber reservists gives the group government protection as well as legitimacy. Prior to the war, Ukraine was not known as a very cyber secure country and ranked poorly in key areas such as cyber-attack response, public-private partnership, and cyber hygiene, according to a 2018 study conducted by a British tech research firm. These reservists address many of these shortcomings, and especially improve the fusion between the public and private sectors, where many will still work during their regular hours. What’s more, for those IT Army members supporting more offensive operations, there will be oversight of their activities, ensuring that attacks or “defense-forward” activities are against sanctioned targets, reducing the risk of escalating tensions and inflicting collateral damage on systems that impact civilians.
For Ukraine, these experienced IT security professionals immediately augment current cybersecurity capabilities. Prior to the war, Ukraine was a “testbed” for Russia’s cyber weaponry, suffering daily attacks as early as 2019 and victimized by notable power disruptions in 2015 and 2017 from malware that impacted thousands of Ukrainians. Incorporating IT Army personnel who have already demonstrated the very types of cybersecurity capabilities Ukraine needs provides an immediate jolt to Ukraine’s cybersecurity posture. They require less training than university or IT trade school graduates and can hit the ground running. In many cases, these individuals can provide mentorship and lessons learned to less experienced individuals in both the military and the reserves. Furthermore, during periods of conflict, they are an immediate resource that has likely dealt with similar attacks in everyday civilian positions and is able to operate at a crisis tempo, well versed in attack, defense, mitigation, remediation, and, if necessary, recovery responses.
There is still much for cyber watchers to see unfold from the Ukraine conflict. Converting cyber proxy elements into more official state-run assets is one of them. And while Ukraine may seek to bolster its defenses with these assets, there is the other side of the coin that seeks to weaponize them even more. Cybercriminals have played a small role in supporting Russia’s interests, and that is a testament to how groups like the IT Army are composed of many different nationalities, sometimes to the detriment of their existence (e.g., Conti Ransomware).
Moving forward, it will be interesting to see how much more or less Russia is involved in organizing, developing, resourcing, and directing the criminal gangs loyal to its government. They represent a substantial untapped potential that has yet to show the full extent of its disruptive and destructive capabilities, two things that eluded Russia when it failed to deliver cyber “shock and awe.” While many have hypothesized the reasons, it would be foolish to consider a “near-peer” cyber power to the United States down for the cyber count. With Russia preparing to launch a spring offensive, more aggressive Russian cyber-attacks are likely to follow. And whether then or sometime in the near future, the next evolution of cyber proxy war may reveal these proxies in a different light.