Carina Macdonald

Byte by Byte: Russia’s Cyber Position and International Law

The National Intelligence’s 2023 Annual Threat Assessment found that Russia is, and will continue to be, an international cyber threat as it continues to conduct effective cyber aggression. Russia’s militancy in the cybersphere is known to encompass the targeting of vulnerabilities within foreign state systems through the use of malicious software such as ransomware and destructive malware. These hostile operations are driven by Russia’s aspiration for political dominance, which stems from a history of perceived subjugation by members of the international community. Russia’s contemporary cyber stance is largely attributed to historical context and the maintenance of a Soviet-like mentality, but what does international law do to address this?


Since the end of the Cold War, two paradoxes have shaped Russia’s cyber position and operations. Primarily, although Russia controls the largest territory in the world and possesses the second-largest military force, Russia sees itself as vulnerable. Secondly, Russia considers itself to be a victim of unjust scrutiny from the West, particularly through international laws articulated with the goal of limiting its power and hindering its autonomy. This perception has intensified over the years as, despite the collapse of the Soviet Union, NATO persisted. With this, Russia witnessed many Eastern European states which were once within its grasp aligning with the West, a socio-political reorganisation seen as a betrayal by the Kremlin. As the attitude in Eastern Europe shifted, NATO began expanding into the region.


Poland became a member of NATO in 1999, a rather sensitive matter in Russia given the historical invasions by both Napoleon and Hitler that emerged from Polish territory. The anger that this triggered in Russia was not solely due to NATO expansion, but also due to the perception of broken promises which had been made to Russia in the previous years. In 1990, Hans-Dietrich Genscher, the German Foreign Minister at the time, assured the Kremlin that NATO would not expand into Eastern Europe. These events exacerbated Russia’s perception of the West as a source of empty promises and threat, reinforcing its perceived requirement for strong defences, which the West in turn perceives as hostile. As a result, Russia’s position in the cyber realm is shaped by both historical losses and increasing security concerns, highlighting the intersection between international law laid down by Western institutions and the Russian cyber position.


The Russian cyber position and operations are ‘enabled and shaped by broader geopolitical considerations and the institutional culture of Russia’s military, intelligence and political leadership’, as suggested by Bilyana Lilly and Joe Cheravitch. Thus, Russia’s strategy for the use of cyber force is not merely a technical effort to dominate the international system, but rather part of a broader attempt to protect Russian sovereignty, with a strong cyber position perceived as a preventative measure against anything resembling the collapse of the USSR.


Such endeavours are formed through presumed threats from external states, which have been exacerbated by the legacies of the Cold War. During that time, extensive espionage and intelligence-gathering missions were considered by the Soviet Union to be defensive rather than offensive measures. The view that an attack on behalf of the Russian state is purely defensive is a Soviet-era mentality which very much remains embedded in state operations in the cybersphere.


Despite the maintenance of the old Soviet mindset, contemporary Russia has left its days of stealing paper documents behind and has embraced more invasive methods of intelligence gathering, causing disruption in other states. Much of today’s Russian cyber power can be attributed to the cyber threat group APT28. Intrinsically linked to Russia’s military intelligence service (GRU), the group has been prone to exploiting poorly configured foreign networks, using these vulnerabilities to deploy malware. APT28’s operations are predominantly characterised by their numerous malware and phishing techniques, with their primary malware capabilities attributed to tools such as XAgent, which was created for the purpose of accessing and recording data. One of the most well-known cyber attacks headed by APT28 was the infiltration of governmental servers in Ukraine through the Roundcube Webmail software.


In June 2023, Roundcube Webmail, an open-source webmail application, was targeted by the notorious cyber threat group in an effort to gain unauthorised access to emails being sent between Ukrainian government officials. Their main objective was to collate intelligence data and to disrupt the sharing of sensitive information within the system. In order to achieve this, members of APT28 crafted coherent phishing emails related to the ongoing Russo-Ukrainian war and sent them to the government members. Once the recipients opened these emails, Roundcube vulnerabilities such as CVE-2020-35730 were exploited, which allowed APT28 to access the servers. This cyber attack threatened not only Ukraine’s sovereignty, but also public safety.


According to international law, unsurprisingly, APT28’s actions are considered illegal. Article 2 (4) of the UN Charter holds that states must refrain from using force, or threatening to do so, against the sovereignty of any state. The cyber attack on Roundcube Webmail used force to violate the sovereignty and political integrity of Ukraine. Following this contravention, the interpretation of the Article has evolved. Despite Article 2 (4) being drafted in 1945 and only addressing traditional modes of military aggression, its broad language does not define what specifically constitutes the use of force. Such ambiguity permits the inclusion of cyber force within the conditions of the Article. However, attributing the breach of this international law to offending individuals still remains challenging due to the anonymous nature of Russian cyber operations. This is exacerbated by the fact that, although APT28 acted on behalf of the Kremlin, Russian authorities have continued to deny involvement, which complicates legal retaliation.


In response to cyber attacks against Ukraine which breach international law, the UK has decided to increase funding towards private sector cybersecurity services such as BitDefender and Cisco, ensuring ‘additional or free security services for Ukrainian users’. The initiative involved an expansion of approximately £25 million, contributing to a more secure national infrastructure in Ukraine and providing crucial services through strengthened cyber defence abilities, ‘enabling them to detect, respond to, and prevent Russian cyber-attacks’. Policies like these which provide investment into Ukraine’s cybersecurity have been beneficial ‘while harnessing a diverse array of actors in a sustained high tempo of operations’. However, it would be naive to assume that the threat posed by Russian cyber attacks has been neutralised, and there is no comfort to be taken in the assumption that Russia is not currently expanding its cyber presence further, undetected.


Nonetheless, in addition to British investment, the EU has introduced an updated Cyber Defence Policy and the Action Plan on Military Mobility 2.0. Both initiatives were engineered to try to rectify the deterioration of security in Ukraine following the advancement of Russia’s invasion, while also attempting to strengthen the EU’s ability to protect its member states’ citizens and infrastructure.


A key attribute of these policies is the increased investment into the cyber realm, with cooperation being the catalyst of success. Taking the importance of collaboration into consideration, the EU decided to build upon Article 42 (6) of the Treaty on European Union (TEU). The Article stipulates that member states with strong military capabilities which have made binding agreements with the other member states must remain in a position of structured cooperation within the framework of the European Union. Therefore, the EU activated Cyber Rapid Response Teams (CRRTs) from the onset of the modern invasion in February 2022, although they were not deployed until later in the conflict, which enabled APT28 to continue with their operations. Furthermore, CRRTs are a product of a collaborative EU defence strategy, so they do not hold the power to enforce penalties on foreign actors.


Looking to the future, international law and its ability to address cyber attacks remain a concern, particularly with Russia’s continued cyber hostility. The landscape of cyber warfare and its progression exemplifies the need for a review and potential strengthening of legal frameworks to more explicitly define the ethical nature of cyber operations. While the UN Charter’s Article 2 (4) provides a foundation for condemning the employment of force, its broad wording and lack of specific consideration for cyber force present challenges in its enforcement. With this in mind, international institutions must present more explicit definitions and stronger mechanisms for accountability in the cyber realm.


Image by Pavel Kazachkov via Wikimedia Commons
