What Ukraine’s cyber defence tactics can teach other nations
One of the surprises of the Russia-Ukraine war has been that Ukraine’s cyber security has, so far, proved as resilient as its military.
Kyiv’s cyber tactics — including switching data to the cloud, partnerships with western companies, and using Elon Musk’s mobile Starlink terminals to connect to the internet via satellite — have proved highly effective. Ukraine’s defences have also been shored up by a £6mn package of IT support and help in detecting Russian cyber threats provided by the UK, according to a statement earlier this month.
And, as one of the earliest examples of a conflict with a major cyber component, this war — and these responses to it — can offer lessons to other countries, or companies.
At the start of the war in February, Ukrainians backed up as much data as they could into the cloud.
Then, when Russia invaded Ukraine, Liam Maxwell, director of government transformation at Amazon Web Services (AWS), met a Ukrainian official in London “and literally wrote down on a piece of paper” which of Ukraine’s digital assets it needed to help save, he recalls.
Priorities included registers of properties, citizens and criminals, says Maxwell. “It’s like Maslow’s ‘hierarchy of needs’.”
AWS cyber security experts and IT professionals also trained Ukrainians in cyber security, and in how to move data from on-premises IT systems to the cloud, where it could be better protected.
Specifically, they shared intelligence on cyber threats, such as malware from “state actors” — from Russia or elsewhere — that could affect AWS customers in Ukraine.
A decentralised network of Ukrainian IT volunteers, or “hacktivists”, has further bolstered the country’s cyber defences, says Pierluigi Paganini, adviser to the European Union Agency for Cybersecurity.
In modern war, the main aim of cyber attacks is to destroy or destabilise critical national infrastructure, such as banks, telecommunication networks and energy grids.
However, the distributed nature of Ukraine’s communications network for vital services (many independent links, including satellite terminals, rather than reliance on a single node such as a cell tower) means it cannot be knocked out or jammed as easily, experts say.
“Generally speaking, Russia’s cyber attacks haven’t had a destabilising impact on Ukrainian infrastructure,” notes Bob Kolasky, a former assistant secretary specialising in cyber security within the US Department of Homeland Security. Kolasky is now senior vice-president for critical infrastructure at Exiger, which advises companies on risk. Moscow has, however, used missiles to disrupt Ukraine’s energy infrastructure.
Although some security experts are surprised that Russia’s cyber attacks have not been more effective, they also praise Ukraine’s tactics.
The Ukrainians did a “couple of clever things” in moving data to the cloud and using Starlink to keep the country’s own communication network operating, says James Lewis, senior vice-president and director of the strategic technologies programme at bipartisan think-tank the Center for Strategic and International Studies.
Lewis, who previously advised the UN on information security, highlights Kyiv’s swift response to Russian cyber attacks.
He says: “Ukrainians told me that you had to respond within two to three hours to a [Russian] cyber attack to minimise the damage and stop it succeeding” — for example, by removing malware or security vulnerabilities.
Ukraine has had plenty of practice in dealing with cyber attacks.
In December 2015, hackers cut the power supply to about 230,000 customers in western Ukraine, and a second attack in December 2016 took down a transmission substation serving Kyiv.
And, in 2017, Russia’s military was thought to be behind “NotPetya”, a destructive attack disguised as ransomware, which targeted Ukraine but also scrambled data on the computer systems of companies in more than 60 countries.
“Ukraine has built up very mature security operations and incident response,” says Ray Canzanese, director of Netskope Threat Labs, which researches cloud-based security threats.
Since February, most of the attacks have been through malicious software known as a “wiper”, says Robert Lipovsky, principal threat intelligence researcher at ESET, a cyber security company.
A wiper resembles ransomware in that it renders files unusable, but its purpose is destruction rather than extortion: files or disk structures are overwritten or corrupted outright, no decryption key is held back, and there is no ransom to pay, so recovery is only possible from backups.
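The distinction between a wiper and ransomware shows up in endpoint telemetry, and that is what a defender with a two-to-three-hour response window actually triages. The following is an added illustration, not code from the article or from any of the organisations it quotes: a small Python triage routine run over constructed file-activity events. The heuristics (mass writes by one process within a short window; high-entropy rewrites plus renamed extensions and a dropped note as ransomware-like; in-place overwrites with no such artefacts, or any write to a raw disk device, as wiper-like), the thresholds, and the host, process and path names are all assumptions chosen for the example.

```python
"""Toy triage of endpoint file-activity telemetry (added example, not from the article).

Flags processes that destroy many files quickly and labels the pattern
wiper-like or ransomware-like. Thresholds and field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import log2


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds (constructed timeline)
    host: str
    proc: str
    op: str            # "write" | "rename" | "create"
    path: str
    content: bytes = b""   # sample of bytes written; empty for rename/create


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


# Raw block-device paths: writes here typically target the MBR/partition table.
RAW_DEVICES = ("\\\\.\\PhysicalDrive", "/dev/sd", "/dev/nvme")
# Filename fragments typical of extortion notes (assumed list).
NOTE_NAMES = ("readme", "decrypt", "recover", "how_to")


def classify(events, min_files=20, window=300.0):
    """Group events by (host, proc) and return {(host, proc): verdict}."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e.host, e.proc)].append(e)

    verdicts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        writes = [e for e in evs if e.op == "write"]
        raw_disk = any(e.path.startswith(RAW_DEVICES) for e in writes)
        touched = {e.path for e in writes}
        span = evs[-1].ts - evs[0].ts
        mass = len(touched) >= min_files and span <= window
        if not (mass or raw_disk):
            verdicts[actor] = "benign"
            continue
        high_entropy = sum(1 for e in writes if shannon_entropy(e.content) > 7.0)
        renamed = sum(1 for e in evs if e.op == "rename")
        note = any(e.op == "create" and any(n in e.path.lower() for n in NOTE_NAMES)
                   for e in evs)
        if raw_disk:
            verdicts[actor] = "wiper-like"            # disk structures, not just files
        elif (renamed or note) and high_entropy >= len(writes) / 2:
            verdicts[actor] = "ransomware-like"       # encrypted + extortion artefacts
        elif not renamed and not note:
            verdicts[actor] = "wiper-like"            # in-place destruction, no ransom channel
        else:
            verdicts[actor] = "mass-write (review)"
    return verdicts


def sample_events():
    """Constructed telemetry for three hosts; not real data."""
    high = bytes(range(256)) * 2   # every byte value twice -> entropy 8.0
    zeros = b"\x00" * 512          # zero-fill overwrite -> entropy 0.0
    text = b"quarterly figures, region east, draft v3\n" * 12
    ev = []
    # ws01: a backup job touching a handful of documents over ten minutes
    for i in range(5):
        ev.append(FileEvent(1000 + i * 120, "kyiv-ws01", "backup.exe", "write",
                            f"C:\\Docs\\report{i}.docx", text))
    # ws02: ransomware pattern: encrypt, rename with a new extension, drop a note
    for i in range(25):
        ev.append(FileEvent(2000 + i, "kyiv-ws02", "cryptor.exe", "write",
                            f"C:\\Docs\\f{i}.xlsx", high))
        ev.append(FileEvent(2000 + i + 0.5, "kyiv-ws02", "cryptor.exe", "rename",
                            f"C:\\Docs\\f{i}.xlsx.locked"))
    ev.append(FileEvent(2030, "kyiv-ws02", "cryptor.exe", "create",
                        "C:\\Docs\\README_DECRYPT.txt"))
    # ws03: wiper pattern: zero-fill files in place, then hit the raw disk
    for i in range(25):
        ev.append(FileEvent(3000 + i, "kyiv-ws03", "svchost.exe", "write",
                            f"C:\\Docs\\f{i}.docx", zeros))
    ev.append(FileEvent(3030, "kyiv-ws03", "svchost.exe", "write",
                        "\\\\.\\PhysicalDrive0", zeros))
    return ev


if __name__ == "__main__":
    for actor, verdict in sorted(classify(sample_events()).items()):
        print(f"{actor[0]:10} {actor[1]:12} {verdict}")
```

The point of the split verdict is operational: a ransomware-like hit may still be recoverable from the actor, whereas a wiper-like hit (especially a raw-disk write) means the only recovery path is the off-site backup, which is exactly why the cloud copies described above mattered.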
Yurii Shchyhol, head of Ukraine’s cyber security agency, says that, approximately one month after Russia’s invasion of Ukraine, his agency registered almost three times more cyber attacks on Ukrainian resources and infrastructure than in the same period the previous year.
He says: “The key elements of [Ukraine’s] cyber [defence] are: sufficient funding at the national level [and] at private companies managing critical infrastructure; cyber hygiene at all levels; and extensive international co-operation.”
In March, Ukraine joined the Cooperative Cyber Defence Centre of Excellence, a Nato-accredited institution focused on cyber defence research.
Sharing “threat indicators” and joint training exercises for cyber defence specialists are crucial, Shchyhol says. “Those are the two primary aspects of the collective cyber security system.”
Russia has denied carrying out any cyber attacks against Ukrainian infrastructure, but the EU, UK, US and other allies have claimed that it has been responsible for a series of them since the start of the invasion.
According to the UK government, citing UK and US intelligence, one such attack, in February, caused outages for several thousand Ukrainian internet customers, and affected wind farms and internet users in central Europe.
Russia has faced a barrage of cyber attacks itself since invading Ukraine, according to cyber security experts.
In future, as the technology improves, cyber attacks and defences powered by artificial intelligence could feature, the experts add.
In the meantime, though, governments and companies are being advised to study Ukraine’s successful cyber security tactics and update their own security policies accordingly.
“There is no peace in cyber space,” warns CSIS’s Lewis.