The Ukrainian government is drafting new legislation to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to end uncertainty about its status in a legal gray area that has drawn sharp warnings from the Red Cross.
The Ukrainian IT Army has claimed responsibility for cyber attacks such as shutting down Russian state media websites during President Vladimir Putin’s recent State of the Union address. But the hacker group, which has recruited foreign volunteers who only need a computer or smartphone to join the fight, has also drawn criticism for attacking Russian hospitals and other civilian targets.
The IT Army has been held up as an example for other countries. If the law is passed, Ukraine will join a handful of other Western countries, led by Finland and Estonia, that have full-scale reserve cyber forces to supplement their regular militaries, though several more countries have reserve military units with cyber capabilities.
“The law on the creation and functioning of cyber forces within the Ministry of Defense of Ukraine should be adopted as soon as possible,” Nataliya Tkachuk, Secretary of the National Coordinating Center for Cyber Security, told Newsweek in written responses to detailed questions. The center is part of President Volodymyr Zelenskiy’s National Security and Defense Council.
Tkachuk added the new law would “lay the foundation for building the country’s cyber defense capabilities, engaging cyber volunteers in these activities, and creating a cyber reserve”—a force of civilian cyber experts, trained by the military, who can be mobilized to defend the country during times of escalation of cyber threats or conflicts.
Tkachuk didn’t answer follow-up questions, but based on her description of the law, it appears that Ukraine’s cyber reserve will effectively replace or absorb the loosely organized IT Army volunteers with a much more formal force, the core of which will be ex-conscripts who are identified as technically proficient during their post-secondary military service and given specialized technical training.
The IT Army itself agreed to the proposed disbandment. In a statement emailed in response to Newsweek questions, the group said its interests would be represented in the drafting process by the Digital Transformation Ministry. “We fully trust the working group’s efforts to legalize massive fights in the cyber sector and welcome the moment when it will cease to be a gray zone. We believe that the IT Army’s integration into cyber reserves will assist in building a more effective defense against cyber threats.”
The exact contours of the legal framework that Kyiv adopts will echo far beyond the current battlefield. The war that Ukraine is fighting has become a laboratory for 21st century conflict. The country’s success in fending off vaunted Russian hackers has seen it embrace voluntary hacker activists and close partnerships with Western tech giants, a model other democracies look to. Even in the US, some argue that the US Cyber Command will benefit from the additional surge capacity that a cyber reserve force will represent.
Tkachuk declined to give a deadline for finalizing the draft new law, but the process was complicated by bureaucratic squabbles, said a foreign aid contractor working in Ukraine, who requested anonymity because the person was not authorized to speak to the press. “There is friction between agencies,” the contractor told Newsweek, “It’s not a secret.”
Contractors say the new law will build on the public-private partnerships Ukraine has developed with the domestic technology sector and foreign companies including giant US providers such as Microsoft, Amazon and Google. “We have an amazing experience, we have knowledge that no one else has because no one else has experienced this,” said the contractor.
Adopt the Estonian model
One decision that appears to have emerged at this early stage was for Ukraine to adopt the Estonian model for its cyber reserves – creating a cadre whose technical talent is identified during post-secondary military service, and who then receive additional training. The skills they learn will equip them to defend their country during their service and provide value to employers once they are done.
Estonia is a NATO member state that had a dynamic technology sector long before it was at the forefront of Russia’s new hybrid war in Europe. In 2007, the country was hit by a series of massive cyber attacks and information operations as part of a dispute with Russia over the relocation of a Soviet-era war memorial. Since then, the country has sought to establish itself as a model for smaller Western democracies leveraging advanced technology and skills to enhance its online defense and national economy.
Estonian volunteer hackers are organized into Cyber Defense Units, part of the century-old Estonian Defense League. “This is exactly the model we wanted to see in Ukraine,” says Tkachuk. “We want to see conscripts not only defend the country using their IT skills, but also acquire the latest and necessary knowledge in the field of cybersecurity and defense during their service.”
After their military service is completed, she added, cyber reservists with their advanced skills “will become the pool of personnel for all security and defense sector entities in the field of cyber security.”
In the US, a number of top cyber executives have expressed interest in the possibility of a cyber reserve.
“There are many cybersecurity leaders who want to volunteer and serve. They want to do something for the country without leaving their current career and role full-time,” Marcus Fowler, CEO of cybersecurity vendor Darktrace Federal, told Newsweek.
Fowler, a former senior CIA officer who served in the Marine Corps, said a “great place to start” is with cyber leaders who, like him, have served in the military, law enforcement, or intelligence services. “Most [of them] will still have an active security clearance,” he said. “There are practical issues, obviously, but the passion and expertise is there.”
For Ukraine, adopting the Estonian cyber reserve model would also address questions about the legal status of the Ukrainian IT Army, according to a NATO legal analysis.
The Cyber Defense Unit is an integral part of the Estonian Defense League, an NGO that is effectively the country’s military reserve. Its members are volunteers who take an oath of service, who are bound to obey orders while on duty, and who, in wartime, are integrated with regular defense forces, according to a legal analysis from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn.
Thus, the analysis states, they clearly qualify as combatants in a declared war, because they are a “volunteer corps forming part of the armed forces.”
Dangerous blurred lines
Conversely, one of the main concerns about voluntary hacker groups like the IT Army and its Russian counterparts is that they blur the lines between combatants and civilians by encouraging civilians to take part in attacks.
The International Committee of the Red Cross is concerned about the growing tendency in recent armed conflicts to recruit civilian volunteers to take part in military cyber operations, ICRC legal adviser Kubo Mačák told Newsweek.
The distinction between combatants and civilians “is a fundamental principle of international humanitarian law (IHL).” Civilians may not be targeted, and combatants enjoy legal protection — they generally cannot be prosecuted for killing enemy troops, for example — as long as they respect the laws of war.
But if civilians take part in an offensive cyber operation—a hacking attack, for example—that activity might change the legal calculations, he said.
Civilians joining the war effort may be “exposed to harm because they may be temporarily deprived of the protection they have as civilians under IHL,” Mačák said.
Under international humanitarian law, civilians are protected from attack, as long as they do not participate directly in hostilities. If they join the fight, they can be targeted while they are participating. The problem is, it’s not very clear what counts as “direct participation in hostilities” in cyberspace.
“While not every form of civilian engagement on the digital battlefield qualifies as direct participation,” says Mačák, “the danger is that it can be seen by the enemy, exposing large numbers of civilians to great harm.”
The use of civilian volunteers in war, even just online, also undermines another important legal principle, namely accountability, said Mačák. “Civilians in [volunteer] units like that don’t belong in military hierarchies, they don’t belong in military disciplinary processes,” he said.
To ensure accountability in wartime, there must be a clear chain of command so that responsibility for military actions can be assigned and violations of IHL can be punished, he said.
Unanswered questions linger
Tkachuk, of the National Coordinating Center for Cybersecurity, notes that, although there is a wide consensus among legal experts that international law applies to cyberspace and military cyberspace operations, there are no case law precedents, and in fact there are almost no historical records of what countries do in practice.
“There is no (International Court of Justice) decision on this issue, there is no practice of implementing existing norms by the state,” she said.
“At the same time, each expert has his own point of view,” she said, adding to the long list of unanswered questions about what the application of international law to military cyber operations means in practice.
With the experience it has gained on the digital battlefield, “Ukraine should become a leader or at least a mandatory participant in shaping the answers to these questions in the international arena,” said Tkachuk.
Shaun Waterman can be reached at [email protected]. Follow him on Twitter @WatermanReports.