Ukraine innovates on cyber defence
In an unassuming office building in a quiet suburb of Kyiv, young Ukrainians in military uniform employ a shockingly effective shield against Russian cyber attacks: a combination of training, vigilance and the chutzpah of a digital Sparta to thwart a powerful enemy.
In one room sits an Israeli replica of the industrial system behind Ukraine’s hydroelectricity grid, which they use to identify, and then fix, any hacking vulnerabilities. In another, a mass of screens use US software to track Russian cyber attacks in real time. But there is also a break room, where couches and beanbags mimic a tech start-up’s culture of work and play — in the hope that the unit avoids burnout under the relentless 24/7 cyber attacks.
But as Ukrainian networks, from telecoms to critical infrastructure like the power grid, continue to withstand the most sophisticated cyber attacks ever seen, a false notion has taken hold: that the Russian cyber offence is as under-resourced as its army, bogged down in inch-by-inch trench warfare with its weaker, poorer neighbour.
In fact, Ukraine’s cyber defence offers an innovative template for other countries’ security efforts against a dangerous enemy. Constant vigilance has been paired with unprecedented partnerships with US and European private sector groups — from Microsoft and Cisco’s Talos to smaller firms like Dragos — which take on contracts to protect Ukraine in order to gain a close-up view of Russian cyber tradecraft.
Amazon Web Services has sent in suitcase-sized back-up drives. Cloudflare has provided its protective service, Project Galileo. Google Project Shield has helped fend off cyber intrusions. “Moscow [has found] itself up against not just Ukraine but a global network of public and private cyber security professionals — limiting the extent to which it [can] exploit cyber space,” says US think-tank the Center for Strategic and International Studies (CSIS), which has studied dozens of Russian attacks and the Ukrainian response to them.
These companies have become de facto military contractors. And the successful, layered and collaborative defence has yielded a model that Ukraine’s allies, wary of Chinese assaults, have now fully embraced.
“This is a new scale of collaboration — not a procurement of vendors that help government; instead, this time, it is a voluntary involvement with geopolitical flavour,” says Yuval Wollman, a former director-general of the Israeli intelligence ministry and now president of US-based security firm CyberProof. “They are taking a political stand, to some extent, with the company’s leadership making a strategic decision in a certain geopolitical context.”
That geopolitical context now has a sprawling canvas, says Robert M Lee, a US military and National Security Agency veteran who co-founded Dragos, a cyber security company that provides defences for industrial systems, including power grids.
“We have seen the Russians pick out key targets and get access across critical sectors in Europe and the United States,” he says. “[The Europeans] are keenly aware of the position they are in, by supplying natural gas, and they are keenly aware of the threats that they are facing from Russian actors.”
These skirmishes, which do not rise to a level categorised as acts of war, are increasingly common in the European energy sector, he adds, as Russia counters sanctions on its energy exports and the still unexplained destruction of the Nord Stream pipelines.
Experiences in Ukraine show that successful defence is possible. In 2015, a Russian cyber attack knocked out parts of the country’s energy grid. Last year, a similar assault on a power generator was foiled. Microsoft technicians in the US noticed a single computer behaving oddly in an undisclosed location in Ukraine and alerted engineers in the Kyiv suburb.
The potency of Russian cyber aggression is still being parsed, but lessons have emerged. During full-scale hostilities, for instance, cyber attacks are of limited value; blowing up a power plant with a missile is cheaper and more likely to succeed than a months-long subterfuge involving malware and hacking.
Instead, cyber is particularly useful for more traditional espionage and for disinformation and causing panic. One Russian assault in the early days of the war simply sent citizens a faked text message from a bank saying their money was safe, prompting a bank run.
Russia has since pivoted to so-called wiper attacks, in which phishing links download malware that simply deletes all the data on a targeted network.
Most of the disclosed attacks have tended to be on private businesses, underlining the fact that industries are as much a target in the cyber war as governments. But, while they might have expected — reasonably — that governments would come to their defence, now they must erect perimeters against hostile state actors. CSIS researchers — noting that business tends to respond to incentives more than generalised concerns — say it is up to governments to lead the private sector into substantive investments in cyber security.
“The more incentives the US government can offer for public-private sector collaboration, the more likely cyber defence will hold against future attacks,” the CSIS researchers conclude. “The ends and ways are clear: bolster cyber defences through increased public-private collaboration.”
This article is part of a special report on National Security to be published on July 19