By land, sea and air – and cyberspace

Alongside the air raids, the bombing of infrastructure and the approach of armoured vehicles to the capital, the invasion of Ukraine is underway in cyberspace. Silent and invisible, this fight may not arouse fear or passion, the two emotions that move history, but it could be decisive for all the protagonists of this war – including NATO.

In fact, the cyberspace invasion preceded the ongoing takeover, as Ukraine has become, over the past decade, the preferred laboratory for Russian hackers.

On the day of the 2014 presidential elections, for example, malicious software was introduced into the National Elections Commission, with the aim of declaring the winner of the far-right candidate rather than Mr. Petro Poroshenko. Back in 2017, one of the most devastating cyberattacks ever left citizens unable to withdraw money from banks, canceled medical appointments and disrupted transport, energy and communications. NotPetya, as it became known, was compared to an act of war and caused global damage estimated at 10 billion dollars.

In this virtual front of the conflict, it is important to consider that the most important allies may not even be the States. In the last few weeks alone, Ukraine has recruited an army of programmers through Telegram, which will now have around 400,000 personnel that carry out specific missions such as protecting critical infrastructure, sabotaging Russian navigation systems and denouncing enemy propaganda on social media. The country’s self-defence also counts on the support of companies, which assumed to be a non-neutral part in the conflict. The case of Microsoft, whose operating system is a leader in the region, and which has already announced a “close collaboration” with Kiev, NATO and the European Union.

In any case, and at least so far, experts agree, with some astonishment, that Russian cyber aggression has been relatively moderate. There is no consensus however on the possible reasons why we have not yet seen a “digital Pearl Harbor”: Kremlin programmers may be focused not on assault, but on spying, to try to anticipate the West’s response; Moscow may have dispensed with massive cyberattacks because it was confident of conquering Kiev within days; or else, since cyberspace does not have well-defined borders, Putin could be avoiding the risk of a major digital offensive slipping into NATO space, as happened with NotPetya. In a recent Washington Post event, the chairman of the US Senate Intelligence Committee even stated that: “if US troops and a truck collided in Poland, because the power grid had been disconnected, we could be very close to Article 5. ”

Ukraine has become, over the past decade, the preferred laboratory for Russian hackers.

A sign that cyberspace will play a more prominent role in the war is the entry of Kiev into the NATO Cyber ​​Defense Center. On the Ukrainian side, an authentic “digital intifada” on the part of the exiled resistance is also anticipated. Once inside the Russian border, circumventing economic sanctions is now an imperative and one of the few lifelines available floats in the deregulated underworld of cryptocurrencies.

And speaking of regulation, it is not surprising that the main effort of the United Nations to draft its first convention against cybercrime was also shaken by the Russian invasion. “How do you want us to negotiate with a country that lies and violates international law in this way?”, asked the European Union right at the start of the work, in which our Center is participating. During the first round of negotiations, which ends today in New York, it was still possible to approve the structure and scope of action of the future treaty. But always on the basis that “nothing is awake until everything is awake”.


Cybercrime: War by other means

“Could something like this really happen?” Ronald Reagan couldn’t get the scenes from War Games out of his mind. In this movie from 1983, a teenager infiltrated a US defense supercomputer and nearly convinced the military that a Soviet nuclear attack was about to be launched. The president decided then to convene his advisers in the White House and asked them how plausible that plot was. It took the chairman of the Joint Chief of Staff a few days to answer: “Mr President, the problem is much more serious than you think”.

If the film were to go into production now, it would not be mere science fiction, but rather a documentary, as cyber-attacks pose a real threat to national and international security. However, despite the fact that 60% of the world’s population is online, that cybercrime costs at least a trillion dollars annually and that the pandemic has accelerated the digitization of our economies, there is still no legally binding and globally accepted regulation in this field. Well, that void will begin to be filled in the coming days in New York, with the works of the committee mandated to draft the first United Nations Convention against Cybercrime. Six out of the fourteen members states of the committee are African and Latin American countries.

WarGames (1993)

The UN’s task is extremely difficult, given the differences between the superpowers. The very existence of this committee, proposed by Russia and supported by China, was subject of disagreement. The US and the EU voted against it, arguing that their rivals are trying to police the Internet and that cybercrime is already covered by the Convention of the Council of Europe, the so-called Budapest Convention.

In addition to political challenges, there are also formal obstacles: there is no international definition of cybercrime, nor an understanding on whether the future Convention should only cover cyber-dependent crimes, such as ransomware, or also cyber-enabled crimes, such as theft. Another divisive issue: agreeing on which infrastructures should be considered critical for national security and deserve special protection in a scenario of digital warfare.

Despite the fact that 60% of the world’s population is online, that cybercrime costs at least a trillion dollars annually and that the pandemic has accelerated the digitization of our economies, there is still no legally binding and globally accepted regulation in this field.

Since the decisions of this committee could require a two-thirds majority, diplomacy will have to accommodate all regional interests. For the US and the EU, disinformation and industrial property protection will be high on the agenda. China, on the other hand, has insisted on limiting the circumstances in which a state can publicly attribute cyberattacks to another sovereign. For Africa and part of Latin America, the focus will be on capacity-building and the funding that will be needed to bridge the North-South Digital Divide.

Despite the constraints, the UN committee will count on a tremendous positive force: the participation of civil society. Companies such as Microsoft, universities from around the world and NGOs such as the Center for Cooperation in Cyberspace, of which we are part, will assist and intervene in the work. After all, in most states it is the private sector who owns most critical infrastructures and employ the best experts in technology. They are the driving force behind the revolutions that will transform our daily lives, such as 5G networks, artificial intelligence, the Internet of Things and even cryptocurrencies.

Let us also not forget, however, that the Committee will not start from scratch. Previous UN working groups have produced substantive outcomes, such as the recognition that the Charter applies to cyberspace and that “the same rights that people have offline must also be protected online, in particular freedom of expression”.