- Mar 29, 2018
It’s no secret that top security and technology firms — many based in the U.S. — have played a significant role in helping Ukraine defend its networks and data against Russian cyberattacks during the war.
Microsoft, Amazon and others have been vocal about providing data storage and hosting services to Ukraine to counteract Russian efforts to erase critical data on Ukrainian networks and help keep government agencies and businesses operating.
Ukraine’s Deputy Prime Minister and Minister of Digital Education Mykhailo Fedorov said last week that cloud services from these companies were “a life-saver.” Officials with the State Service of Special Communications and Information Protection of Ukraine have also said that the work of cybersecurity companies has been vital.
Microsoft and companies like Mandiant, Cisco, ESET and Recorded Future have all provided services, tools and threat intelligence — some free of charge, some funded by government-related entities — to help secure and monitor Ukrainian networks and actively hunt for Russian threat actors inside them, disarming malware before it can cause damage. One example of this is the Industroyer2 malware that was discovered on the networks of regional Ukrainian electricity suppliers hours before it was set to cause damage and, likely, blackouts.
It’s the kind of work tech and security firms do for customers as part of standard contracts and doesn’t usually generate controversy or legal issues. But experts say the same activities conducted in the midst of war introduce legal complications and raise the risk that security workers, infrastructure and customer data could become targets of Russia, which might view them as legitimate military targets.
Microsoft itself noted in a report last week that Russia is increasingly targeting foreign-based entities providing support services to Ukraine, citing an October ransomware attack that struck unspecified targets in transportation and logistics industries in Poland.
“We should … be prepared for the possibility that [the attack] in Poland may be a harbinger of Russia further extending cyberattacks [on] countries and companies that are providing Ukraine with vital supply chains of aid and weaponry,” wrote Clint Watts, general manager of Microsoft’s Digital Threat Analysis Center.
The same could apply to companies providing cybersecurity aid.
Experts differ in opinion about whether Russia would have a legal basis to target security firms for helping Ukraine, but since Russia has already shown a disregard for international law through its invasion of Ukraine, this likely wouldn’t deter it.
Mauro Vignati, adviser on warfare technologies to the International Committee of the Red Cross, said during a presentation at Labscon in September that tech and cyber security companies “jumping into the digital battlefield” is a “worrisome trend.”
“The majority of the networks are owned or managed by private companies, [who are] also managing assets that are military assets, not only civilian assets,” he said. “When war starts, those companies … are inside the battlefield.”
Depending on the assistance they provide, companies and security professionals engaged in defending Ukraine could be viewed as participants in the hostilities, he warned.
Defense vs. Offense
While the U.S. and other countries have been adamant about not sending military troops to Ukraine to avoid being drawn into the conflict, the digital realm has been a different story.
Earlier this year, General Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, said the U.S. had engaged in offensive cyber operations against Russia in support of Ukraine and had sent government cyber warriors to hunt Russian threat actors in Ukraine's networks. Nakasone didn’t elaborate on what he meant by offensive operations, but they likely don't involve launching cyberattacks on Russian systems or directly engaging in battle with Russian hackers. Such activity could make the U.S. a participant to the war and violate laws of neutrality.
Security firms have also provided extensive aid, and in some cases sent workers.
Microsoft said it has provided $239 million in “financial and technology assistance” to Ukraine, which included help to move government data from servers in Ukraine to Microsoft’s cloud infrastructure, in order to protect it from missile attacks. The company has also helped detect threats in Ukrainian networks. Microsoft says it was among the first to spot a cyberattack launched against Ukraine on the day of the invasion, and it and other companies have helped Ukraine defend against more than 800 other cyber campaigns since then.
The seamlessness with which they have been able to provide help has been aided by the fact that many security firms already had existing relationships and contracts with Ukraine before the war, some going back years.
Microsoft President Brad Smith said in June that his company has been closely involved in Ukraine “in a way that I, frankly, would have never imagined when I started at Microsoft,” and he said that the company was on “the front lines” of the cyberwar there. The company hasn’t provided much detail about its activities, but told Zero Day that it has only engaged in defensive work.
“Microsoft does not and has not participated in any offensive cyber action, something that would be a violation of the pledge made as a part of the Cybersecurity Tech Accord,” a spokesperson wrote in an email. The company therefore “feels strongly that there is no meaningful risk of blurring of the lines between government and civilian combatants.”
Tom Burt, corporate VP for customer security and trust, said in a statement provided by the spokesperson that its work with Ukraine is no different than the work it does for other customers.
“We are working in close coordination with the Ukrainian government to help secure its data, identify and close vulnerabilities and exposures in their systems, and protect against cyberattacks to government and enterprises, including critical infrastructure that provides important services to civilians,” he said.
Cisco and Mandiant didn’t respond before publication, but ESET said that its products and services are defensive in nature and designed to address any malicious cyberattacks “regardless of the source or motivation” behind them.
Recorded Future CEO Christopher Ahlberg told Zero Day that Ukraine’s CERT was a client prior to the war, and that he has been very vocal about his company’s support of Ukraine during the war, tweeting on the morning of the Russian invasion: “We stand with Ukraine and will apply our full resources and capabilities to support them in their fight against Russia.”
His company has donated the equivalent of $10 million worth of software that is being used by more than nine government agencies in Ukraine, but he says the product license agreement specifies that it can only be used defensively.
“And also I built the product; it’s just not a very good offensive tool,” he says.
But Recorded Future has also given Ukraine access to its intelligence portal about threats. Legal experts say there are risks around information that companies provide Ukraine that could potentially be used in its offensive digital operations against Russia.
Michael Schmitt, an international law scholar at the West Point military academy and project director of the Tallinn Manual — a primary resource for assessing cyber operations against international law — says the assistance that U.S. companies give Ukraine while it’s embroiled in war could invite attack from Russia.
“Would the employees be targetable? It depends…. You have to look at everything individually to see what it is that they’re doing to determine whether or not they are directly participating in the hostilities,” he says.
But he notes that the activity of U.S. companies could also violate U.S. neutrality and impartiality with regard to the war.
Qualified Neutrality
At issue are the principles of “distinction” and “qualified neutrality.”
Under the laws of neutrality, a neutral state cannot provide military assistance or materials to parties involved in armed conflict. But some states have taken the position that if one nation is the victim of outright aggression, neutral states can provide military assistance and equipment to the victim nation as long as they don’t directly participate in hostilities.
Terry Gill, professor emeritus of military law at the University of Amsterdam, says this principle of qualified neutrality traces back to at least World War II, when the U.S. took the position that providing military supplies to the UK, more than a year before the U.S. entered the war and rendered Germany an aggressor, did not violate its neutral state.
Under qualified neutrality as it’s understood today, the United Nations Security Council generally needs to formally identify one nation to a conflict as the aggressor and also call for action against that aggressor. In the case of the Russia-Ukraine war, however, because Russia is a member of the Security Council, it would veto this. So six days after Russia invaded Ukraine, the U.N. General Assembly passed a resolution effectively recognizing Russia as the aggressor and demanding it cease all hostility against Ukraine and withdraw from the country. Although not binding, this opened the way for neutral nations to provide weapons to Ukraine, without becoming a party to the conflict.
A state compromises its neutrality, however, if it participates in joint planning of combat operations, provides assistance essential to such operations, or engages in such operations on its own. This is why the U.S. was adamant when the Russian ship Moskva sank in April, that it didn’t help Ukraine sink it. Although the U.S. reportedly provided Ukraine with information about the ship’s location, government sources have claimed to reporters that the U.S. did not know Ukraine would use the information to attack the ship.
The laws of neutrality, however, apply only to governments, not to individuals or private companies. The latter can provide assistance to parties of a conflict regardless of their nation’s neutrality status, as long as they don’t become a direct participant by assisting in the conduct of military operations. If they veer into assisting military operations, companies risk making themselves and their workers a military target.
Under the principle of distinction, parties involved in a conflict have to distinguish between military combatants and civilians, and the latter are expected to have protection from being directly attacked. But civilian individuals and companies risk pulling themselves and the country where they reside into a war if they engage in activity that could be interpreted as participation in hostilities — and the state where they reside doesn’t act to halt this activity.
“If [the U.S.] allows Microsoft to engage in activities that are assisting the Ukrainians, Microsoft doesn’t violate neutrality, it’s a violation of the United States by permitting its territory to be used in an un-neutral manner,” says Schmitt. “The Russians have a legal right under international law…to prevent that from occurring.”
But what constitutes assistance for military operations, or participation in hostilities, has not been clearly defined and is open to interpretation.
Security Help vs. War Help
Schmitt, an absolutist in this regard, says “anything that would allow the Ukrainians to support their war-sustaining efforts, I think, would be something that Russia, if they wanted to, could use” to justify an attack.
Microsoft protecting the banking industry is not an issue, but defending military networks could be a problem, Schmitt says, because it’s “providing direct assistance to Ukraine to allow them to sustain the war effort against the Russians.”
But “then it’s incumbent on Russia to do something about it,” he notes. “Has Russia done anything about anything so far? The answer is no.” So the risks of retaliation may be slim.
Gill takes a somewhat different stance on what kinds of activity are problematic.
To designate someone a direct participant in war generally requires three things under international humanitarian law: they have to engage in activity that meets a threshold of harm (meaning “the act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack,” according to the ICRC’s interpretation of international humanitarian law); there has to be a direct causal link between the act and the harm; and the act must be “specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another,” according to the ICRC.
Detecting and disabling, or removing, Russian malware from Ukrainian networks would not constitute direct participation, Gill says. “Even though that does in fact participate in the sense of assisting Ukraine in its overall war effort, it does not rise in my view to the threshold of an attack,” as understood in international law.
Comparably, simply providing information about hacking activities conducted by the Russian government or military against Ukraine doesn’t amount to participation in hostilities.
But if a security firm were to give Ukraine the IP address or location of Russian systems being used to conduct those operations, and Ukraine then targeted those systems in an attack, the firm’s aid could be construed as participation in hostilities.
“I don’t rule out that there could be conditions where a computer giant like Microsoft could provide the kind of intelligence which would be directly relevant to conducting operations on targeting … and therefore could open up the possibility of retaliation,” Gill says. “If you provided, knowingly, coordinates which resulted in an attack of the nature that Ukraine conducted against the Moskva, then you are definitely participating in hostilities…. [T]hat could potentially open up the way for military retaliation in an extreme case.”
The real-world effects of that action would have to be something that is not temporary or passing, Gill says.
He notes that with regard to computer systems, the Tallinn Manual makes a distinction between actions that are reversible and those that are irreversible, and “whether it requires renewal and replacement of system components.”
“If it requires replacement of the system and so forth, then it’s an attack … an act of violence resulting in destruction of material or goods,” Gill says.
But there are differing views among nations. The Tallinn Manual is just a guide to help states gauge the legality of actions in cyberspace, not a binding authority, leaving states to interpret actions on their own.
“Some states take the position that if critical systems were taken out, they would consider that to be an attack,” Gill says. “Whereas other states have been reluctant to take a position of that nature. So I would say that’s rather unsettled … what the legal status would be.”
Gill also says there are conditions under which Russia could retaliate for such an attack. Attacking back would have to be the only possible remedy open to Russia.
And there is another problem, Schmitt says. The retaliation is allowed under the principle of self-defense. But “since Russia is in fact committing an act of aggression, it would be difficult for it to claim self-defense,” he says.
Recorded Future’s Ahlberg says he’s not worried about retaliation from Russia.
“I don’t know who produces HIMARS [rocket launchers gifted to Ukraine by the U.S.], … but there’s a whole set of weapons companies who I think Russia would put on lists [for attack before] Recorded Future. So I feel quite fine,” he says. “Does it mean we need to be worried? Absolutely. Though our information security people have been on double duty here since January 24.”
Education Needed
Regardless of the likelihood that Russia would retaliate, ICRC adviser Vignati told Zero Day that companies need to be clear with workers about what they can and cannot do and also broadcast publicly the nature of the assistance they are providing during a conflict — to avoid the perception of direct participation and the potential for drawing the company and its workers into a conflict.
“We had discussions with several tech companies [and] cybersecurity companies on this topic,” he said during his Labscon presentation, “and they opened their eyes [wide] and said ‘Ah! We were not aware about this’.”
He also said companies that manage networks for foreign governments should be careful to segment military networks and data from civilian networks and data, because if war breaks out, the military networks and data will be targeted for attack.
Likewise, if any Ukrainian data transferred to Microsoft and Amazon cloud servers during the current war includes Ukrainian military data, that infrastructure and the data stored on it could be considered a legitimate military target and draw attack from Russia. And if cloud providers are hosting the data of other customers on the same infrastructure, they could be affected by such an attack too.
Update and correction: This piece has been updated to add clarity to the three criteria for designating a direct participant in hostilities, and to correct an error. The article originally stated that an actor must have intent to cause harm, but intent would be difficult to assess and is not required.