Ukraine – Cyber Speculation Run Rampant (Updated)

7 March 2014, 0448 EST

*I was a bit too quick to post last week and had to add quite a few recent events. Nothing changed my original analysis (BV 3/10/2014)

With my most of research right now heavily focused on cyber conflict, it might be useful to review all the news on the cyber situation between Ukraine and Russia.  There have been many posts on the Duck and elsewhere (Monkey Cage macro post) covering the conflict (here, here, here, here, here), so I will refrain from summarizing the basics.  The cyber situation on the other hand has shown a remarkable amount of restraint, defying conventional wisdom but also following directly in line with my soon to be completed book on Cyber Conflict and forthcoming Journal of Peace Research article (both with Ryan Maness).  The restraint point was made early by Mark Clayton at the Christian Science Monitor.

bbc urkaine

The CSM summary by Clayton comes in conflict with the upswing in news reporting cyber conflicts in Ukraine.  A few days ago Reuters ran a headline stating that “Ukraine hit by cyberattacks.”  Problem is the article reported no such instances of cyber conflict.  In fact, if you read the article they only note telecom operations have been upset.  This follows the tenuous logic that almost anything connected to a computer is a cyber attack.  The Ukrainian minister was careful to not charge cyber attacks but the media is no so careful.  The BBC goes a bit farther noting “a cyber standoff” between Ukraine and Russia has developed, but they also report Ukrtelecom was raided by armed men who tampered with the cables.  So how is this a cyber attack?  Where is the cyber standoff?

The New York Times jumped into the fry with Sanger’s coverage of what has become to be known as Snake in the west.   Sanger notes “According to a report published by the British-based defense and security company BAE Systems, dozens of computer networks in Ukraine have been infected for years by a cyberespionage “tool kit” called Snake, which seems similar to a system that several years ago plagued the Pentagon, where it attacked classified systems.”  Yet, as the report notes, these infiltration have been happening for at least four years prior to the recent events in Crimea suggesting there is no direct connection between recent events and Snake.  Even if we accept that Snake is a cyber incident directed at Ukraine, which it likely is, it is unclear how this is a step-change in the situation.  In fact, this is a cyber action like any other, espionage.  The original point that Russia has been remarkably restrained in its use of cyber power stands.

Of course on top of these reports of cyber incidents, internet signals have been shaky in the area, but not because of reported cyber attacks, but because these cables have physical locations that can easily be disrupted.  There is no reason to associate the disruption in internet signals with cyber tactics; in fact we must first rule out the simplest explanation, is the cable still “plugged in”?  As this analysis points out, the chances of an internet outage in Ukraine are remote given the dispersal and strength of the networks.

We have also seen simple hacks suggested as cyber attacks.  This is why I do not really use the term cyber attack in my own research.  I sometimes use it to describe what others are saying, but there is an increasing tendency to associate anything from a Twitter password hack to altering a webpage as a cyber attack.  To be clear, these actions would only be cyber incidents (our preferred term) if one actor uses espionage methods such as malware or phishing to obtain passwords and access.  Just because a webpage starts to associate Ukraine’s government with Nazi’s does not mean it was cyber attacked, given what we know about RT.com now, it is not even likely it was done as a hack.  In relation to this point, to connect Russia blocking pro-Ukrainian websites within Russia is not evidence of cyber operations, but only standard operating procedures within Russia.

Jason Healey makes an interesting argument in the Atlantic Council’s blog, suggesting that Western governments prepare to help Ukraine in the event of a cyber action.  A point Heather Roff on HuffPo challenges as violating the laws of neutrality and likely dragging the West into war.  We have to remember that cyber actions are not so simple and restricted in domain; perceived violations in one domain could lead to violations in another domain – conventional conflict.  At least we do know this process of spillover has been rare to this point.

The clear evidence so far points to fact that there is no cyber war so far.  In fact, what we have mostly seen is fantasy what-if projections of what a cyber war would look like between the two countries.  This is a common tactic in the cyber community, they speak of what-ifs and possibilities as likely scenarios, covering the situation as if it’s a wargame.  There is little connection between reality, and the actual foreign policy developments among those who speak of cyber war.

Why have there been so few evident tactics used so far, especially given Russia has used them before in Georgia and Estonia? One idea is that this tactic would be limited because Ukraine’s own hackers are just as good, a recent post here is evidence for this point.  The fear of retaliation is alive and well in the cyber realm (I would refrain from calling it deterrence since the term is so contested).  I personally would suggest there have been limited uses of cyber by Russia because they are restrained by the fear of collateral damage and the high probability that a serious cyber violation would be seen as an act of war by the West.  Given statements the US and others have made in the past, this is not a remote consideration.

There is always the possibility we don’t know the true nature of cyber conflict since much of it might be secret.  I find this line of logic deficient.  For one, there are many stakeholders in the military, in Ukraine, and in the computer security industry who would be very interested in promoting the need for more cyber security and protection in the face of such active cyber incidents.  There are too many interested parties to keep these sorts of activities secret, as we have found out with Stuxnet.  Besides, lets say there was a cyber action that went unreported, would that really have an impact on the conflict?  Does something really matter if no one knows it happened?  Tree falling in the cyber woods…

Ps. I should note all this can be spectacularly wrong in an instant, this is what makes this cyber research so “fun”.  I call it political science without a net.