Whether Ukraine is in a ‘cyberwar’ or not, it’s getting bad




There’s a debate about whether it’s right to call what’s happening in Ukraine a “cyberwar” — or if using that term makes you guilty of hyping in the middle of a tragedy.

But if you haven’t done so already, I encourage you to read the blog post that went up yesterday from Microsoft president Brad Smith (and read it kinda carefully). Because you might come to a new basis for thinking about the question, as I have: We really have no idea about the scope or severity of the cyberattacks that have struck Ukraine so far.

And so, however you choose to define “cyberwar,” it’s probably impossible to say whether Ukraine is in one or not. We just don’t have enough information yet.

It’s true that the electricity, water and internet are still operational in Ukraine. There have been virtually no major disruptions to key infrastructure reported since Russia’s unprovoked assault began on Thursday. The worst-case scenario, or even the medium-worst, doesn’t seem to have panned out so far in terms of cyberattacks, as The Washington Post and others have pointed out.

But that doesn’t mean that some very harmful cyberattacks have not been occurring in Ukraine. Unless you think Smith is exaggerating, which doesn’t seem to be his thing, then there most certainly have been.

Geneva implications

In his post, Smith alluded to cases of cyberattacks against civilian targets — including cyberattacks targeting humanitarian aid, emergency response services, agriculture and energy — that are shocking to imagine and that Microsoft has observed in Ukraine recently.

He offered no specifics, but made it clear that some of the cyberattack incidents that Microsoft has tracked in Ukraine recently are about as bad as they come. He conveyed this when he said that the recent cyberattacks on civilian targets in Ukraine “raise serious concerns under the Geneva Convention” — referencing the international treaty that defines what are commonly referred to as “war crimes.”

And yet, none of the cyberattacks in Ukraine that have been publicly disclosed so far really fit with what Smith seems to be describing here.

Except one: The data-wiper attack on a border control station, if it was intentionally meant to slow the movement of refugees from a war zone, sounds like a contender for a Geneva Convention violation, according to several cybersecurity experts.

With this type of attack, “you’re crossing over into Geneva Convention territory pretty quickly,” said Casey Ellis, founder and CTO at Bugcrowd.

Netenrich principal threat hunter John Bambenek agreed, calling the attack — reported by The Washington Post and VentureBeat on Sunday — a “stunningly inhumane” action against Ukrainian refugees (if it was intended and not inadvertent).

But the only reason the report of this attack exists is sheer coincidence: A well-known expert on cyberattacks, Chris Kubecka, was trying to cross the border in the midst of the attack — and border guard officials on the scene were keen to speak with her once they learned who she was.

Information control

But apart from that report — which the Ukrainian government has yet to comment on — there haven’t been documented cases of cyberattacks against civilian targets in Ukraine over the past week that seem to reach Geneva violation proportions, said Stan Golubchik, CEO of cybersecurity firm ContraForce.

But that doesn’t mean they haven’t happened, Golubchik said. “I believe that information has intentionally not been released yet,” he said.

Smith’s statements would seem to support that notion. The Ukrainian government is a customer of Microsoft, and so are “many other organizations” in Ukraine, he noted in the blog. And as a provider of the full gamut of computing — applications, operating systems, cloud infrastructure and security tools — Microsoft is in a unique position to grasp the true state of cyber affairs in Ukraine, experts said.

“Microsoft would know if civilian infrastructure has been targeted,” said Stel Valavanis, founder and CEO of managed security services firm OnShore Security.

Most likely, the company has evidence of this, which it’s withholding for the time being, Valavanis said. “I believe there are a lot more attacks than we realize in Ukraine,” he said.

VentureBeat has reached out to Microsoft for comment.

Dangers of disclosure

When private companies are breached, they often fear reputational damage and blowback from the public disclosure, noted Danny Lopez, CEO of cybersecurity vendor Glasswall.

“But in [Ukraine’s] case, there are even more dangerous implications,” Lopez said. “There is a chance that disclosing these breaches and their causes in detail at this time could draw further attention from Russia’s nation-state threat actors.”

Security researchers who have disclosed recent cyberattacks against Ukraine have been sensitive to this. For instance, in ESET’s disclosure today of wiper malware that was used to attack a Ukrainian governmental organization late last week — following the Russian invasion — researchers said they are not identifying the affected agency.

“To protect the victims and not to give advantage to the attackers, we cannot disclose more specifics,” said Jean-Ian Boutin, head of threat research at ESET, in a statement to VentureBeat.

There are other potential reasons for holding back details on cyberattacks for the moment, too. Simply put, cyber incidents during war “have the potential to augment fear, uncertainty and doubt” in a populace that is already overwhelmed, said Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks.

One also can’t entirely rule out that the language barrier — and the nature of cyberwar (or whatever you call it) itself — could be at play as well. Particularly when it comes to the information that the English-speaking world is receiving on this subject.

“There’s a very definite information warfare and propaganda aspect to this conflict, that’s playing out from both sides — which confuses what kind of information you consider to be accurate or not,” Ellis said.

Cyberwarfare is different

This is one key way that cyber warfare is distinct from the physical battlefield, he noted. For example, when a bomb goes off, you can feel pretty confident in judging whether it really happened or not, Ellis said.

But that’s not always the case with cyberwarfare, he said.

“You don’t even necessarily understand what’s happening in the first place — even if it was in English,” Ellis said. “Then you’ve got the language barrier. Then you’ve got all the disinformation and propaganda on top of it.”

Ultimately, when it comes to Russia’s attack on Ukraine, it may be a while before we can truly assess the cyber aspects — and decide whether it gets to be known as a “cyberwar” for all of time, or not.

“We likely won’t know the true extent of the damage until the dust has settled and peace has been restored,” Lopez said.

One final note: In his post, Smith doesn’t explicitly mention Microsoft’s previous proposal for a “Digital Geneva Convention.”

But the implication that protocols and technology alliances need to be in place to defend against growing cyberattacks is clear, according to Andrew Rubin, cofounder and CEO of Illumio. While rules of engagement exist for land, air and sea conflicts, “today, we need rules of engagement for cyber warfare,” Rubin said.

