War, of cruel necessity, can generate imaginative thinking. Ukraine is a case in point. The Ukrainian government, while locked in a deadly war with Russia, has not shied away from advancing big ideas about the conduct of international relations. It has re-energized the concept of diplomacy and attempted to mobilize global public opinion by taking its case to the world at every opportunity. It has proposed the creation of a special judicial tribunal to prosecute crimes of aggression — resurrecting for the twenty-first century the tribunals that sat in judgment on the leadership of Nazi Germany and Japan after 1945, but this time aimed at Russian President Vladimir Putin and his inner circle.
Now we have from Ukraine an ambitious set of ideas about how the international system should respond to cyberattacks.
Ukraine’s appeal for this new approach is embedded in a recent report from the State Service of Special Communications and Information Protection of Ukraine (its cybersecurity agency). The report details major instances of Russian cyberattacks on Ukraine and its allies from February to November 2022.
It all began with a Russian cyberattack on a satellite-based communications system (Viasat) on the morning of February 24, 2022, an attack the Russians hoped would degrade Ukraine’s military and government command-and-control networks and disrupt and cause panic to civilians. The impact extended well beyond Ukraine’s borders, interrupting internet service for customers across Europe. It also knocked thousands of German wind turbines offline. This early wartime experience underlines the fact that cyberattacks can bring with them significant damage and disruption, far beyond the immediate target.
The Ukrainian report notes a trend in which Russia has aligned its cyberattacks with its missile strikes, combined most notably in the relentless bombardment of Ukrainian civilian energy infrastructure. While Russian cyberattacks initially appeared to fall short of any sustained strategic outcome, that began to change in the fall of 2022 alongside a change in tactics.
The Russian targeting of civilian infrastructure began in earnest in October and has continued in waves since then. A report compiled by Human Rights Watch noted 22 separate attacks in October that damaged thermal power plants and hydro power stations serving Kyiv, Kharkiv and other regions of the country. The Ukrainian security service, SUB, noted that Russia carried out more than 10 cyberattacks on critical infrastructure per day in November. On November 24, a combination of missile strikes and cyberattacks caused an almost nationwide blackout and took all the country’s nuclear facilities offline. Ukrainian television, other media and internet service providers have been hit, as have Ukrainian banks, embassies and even the Red Cross in Ukraine. Some of the Russian cyberattacks are deemed to have been revenge assaults in the face of Ukrainian battlefield successes.
Ukraine’s cybersecurity leaders want the rest of the world to learn from Ukraine’s experience, and to act. Notably, the report calls for revising the definition of aggression in international law to include cyberattacks. It further calls for cyberattacks on civilian targets to be treated as war crimes. And it proposes to extend economic sanctions to specifically undercut the cyber capabilities of an aggressor such as Russia. The head of Ukraine’s cybersecurity agency, Yurii Shchyhol, has even called for a new international body, a “Cyber United Nations” (minus Russia, of course), to be formed to share threat information and coordinate responses.
Ukraine has often promoted maximalist objectives in its wartime foreign policy. This is a smart strategy. It combines lofty goals with a fallback position for more attainable outcomes. While a cyber “United Nations” is, in present circumstances, a pipe dream, other aspects of Ukraine’s appeal — including enhanced sanctions targeting Russia’s tech sector and more sharing of cyberthreat information — are likely to receive a warm welcome from democratic allies. Many Western countries, led by the United States, have already provided support to Ukraine’s cyber defence. Some “front-line” states with extended experience of Russian cyber aggression have been notable supporters, in particular, Estonia. In May 2022, three Canadian Cabinet ministers issued a condemnation of Russian cyberattacks and promised to share cyberthreat intelligence and provide ongoing cyber assistance to Ukraine.
The real spearhead of the Ukraine cyber appeal is the call to define cyberattacks on civilian infrastructure as war crimes. Already Ukrainian officials are reported to be sharing evidence on such attacks with the International Criminal Court (ICC) in The Hague.
Whether cyberattacks constitute a war crime under the Rome Statute of the ICC remains contested. But there have been long-standing efforts at the United Nations to define norms for responsible state behaviour in peacetime in cyberspace. In 2015 the UN General Assembly adopted a Group of Governmental Experts’ report asserting that states should not knowingly conduct or support cyber activities that intentionally target critical infrastructure. A growing number of states — including Canada — support the idea that similar humanitarian limits should apply in wartime.
As cyberspace is extended into outer space, and as critical global infrastructure for services such as communications and navigation increasingly depends on digital links with satellites and their data, there is an urgent need for stronger security and deterrence in this domain. Ukrainian officials know this through painful experience. The rest of the world needs to wake up to this threat.
How should Canada respond to these Ukrainian proposals for a united cyber front? The boldest action Canada could take would be to lend public and diplomatic support to the push to define cyberattacks on essential civilian infrastructure as a prosecutable war crime. It won’t halt a ruthless Russian campaign, but it might make for a safer global order in the future.