This is the year of cyberwarfare. Activities during the Russian war in Ukraine show it very clearly. But this post is about reports, cyber threat intelligence, and communication of that kind. Crucial at high-tension times, they should be crisp. We should expect a high level of quality and competence when composing such communication about cyber conflict or cyber policies.
So this post is not only about cybersecurity threat intelligence and cybersecurity policies. It is also about careful communication, and even cybersecurity PR.
The recently released ENISA Threat Landscape 2022 is an excellent resource.
It is - I repeat - an excellent resource.
Yet, due to the ongoing cyberwarfare activities and the growing cross-sections between cybersecurity and policy (also coinciding with the war, but having their roots in the previous decade), as well as warfare activities, one should expect special competency or prudence. Especially at a time of high tensions (i.e. 2022). After all, the European Union borders a country involved in a full-intensity armed conflict not seen in decades. We have every right to expect quality and responsibility. This is why I allowed myself to compose this critique of some of the points raised in the ENISA report. Rather than viewing this as a “damning critique” (which it is not), I prefer to structure it as constructive commentary. First, I’ll note that at times it might be unclear whether ENISA holds the necessary competencies or mandate to speak on some of the covered issues in particular. Prudence is what we need.
You may also find this post interesting in the context of how to compose cyber threat intelligence reports. Or how not to do it. Either way, such insight will be important in 202X.
Returning to the main story. The format is: I quote parts of the report and add a commentary.
“It is our assessment that destructive or disruptive operations by state-backed actors will certainly continue as the conflict goes on. Within Ukraine, the prime targets include the government and military networks and the energy and communications sectors from the perspective of critical infrastructure. Further disruptive operations could potentially spill over to other countries.
Furthermore, it is our assessment that Western or NATO allies (especially critical infrastructure entities) will likely be targeted as part of retaliatory actions in response to the sanctions imposed on Russia and the support provided to Ukraine”
While this is a notable observation, no arguments are put forward to support such an assessment. It is also unclear whether it is within ENISA’s competencies or mandate to consider armed conflict operations. That said, I don’t disagree. It is even apparently happening (by the way: this event seems to be largely ignored by public opinion).
Are cyber operations a priority?
“In our view, as cyber operations have become a priority for governments”
In my view, that is correct. This will remain so for the foreseeable future.
Are indictments for cyberattacks working?
"examples indicate that sometimes the indictments of the operators of a threat group may not have a significant impact on the (cyber) operations of that threat group”
This is a strange statement. The report apparently wants to criticise the way deterrence/response decisions via sanctions/indictments are made. It says that “sometimes … may not have a significant impact”. That would suggest that in ENISA’s view it at least sometimes did or does have an impact? However, this is not backed up with any data that I am aware of, and certainly not with any reference in the report. I would therefore use less definitive wording, or simply a different phrasing. Or just remove this sentence, since in this case ENISA is apparently criticising another branch of the EU, the one that is making those sanctions, and the intended effects of such mechanisms may be different from those ENISA expects (within its mandate).
IT Army of Ukraine case
The part about Ukraine’s IT Army deserves a separate analysis.
“The armed conflict in Ukraine mobilised many hacktivists, cybercrime, and nation-state groups. The case of the IT Army of Ukraine is a unique case that is difficult to categorise; it could be considered a hacktivist group of volunteers, or a state-backed group or a hybrid one. As of the time of writing, the cyber security community has not reached a consensus. The IT Army of Ukraine will definitely feed future scholars in cyber warfare studies, and it might highlight a trend in future conflicts.”
The IT Army case is a significant issue, that is true. It will definitely have a profound impact on future thinking about cybersecurity, in terms of technology, policy, norms, and laws. It is however unclear why the report speaks of “not reaching a consensus”. There’s apparently only one significant publication on the topic, a paper suggesting that it is a State group. There’s no significant analysis stating anything to the contrary. So why speak of a consensus? I mean, the issue is clear even to ENISA.
Specifically, the ENISA report itself openly adds, in the very next sentence:
“On 26 February 2022, Ukraine’s deputy prime minister and minister for digital transformation announced the creation of Ukraine’s IT Army”.
Deputy PM and a government minister pretty much sounds like a State, doesn’t it? That said, while I do not have a degree in political science, I know a few things.
There’s more in the ENISA report:
“The announcement was a call for volunteers whose actions on the cyber front were coordinated”
So, where are those doubts that ENISA mentioned?
However, ENISA apparently chose to express further difficulties:
“Ukraine managed to create a hybrid entity that is quite difficult to categorise as it is comprised of Ukrainian and international civilians, private companies, as well as Ukrainian defence and military personnel. It is not a civilian, military, public, private, local or international entity”
Again, where is this mentioned difficulty of categorising? The report should be more explicit. As it currently stands, ENISA answered the question themselves, by including the one sentence above. Either say it or do not say it, but then do not raise such a point at all, because what would be the point? In case of doubt, consult the previous two paragraphs ENISA themselves wrote? And this despite the fact that there is no logical flow between those paragraphs, nor a conclusion? It’s not a matter of cyber policy credibility here, only of logical analysis and structuring of the text. Unless of course ENISA is fully aware of the categorisation, and this is meant as a suggestion (as in: not saying something in a way that actually says this something). That would change this assessment.
State/etc cyber structures in the future
Furthermore, there’s something more general of interest:
“It is our assessment that state actors will likely adopt the structure and setup of the IT Army of Ukraine as a blueprint for non-state participation in future conflicts”
That is a very interesting assessment!
To perform it, ENISA had to consider (1) the possibility of future (armed) conflicts, and (2) the possible responses in terms of creating bottom-up cyber-activity structures.
The first is undoubtedly outside ENISA’s remit, as it concerns the prediction of future armed conflict activity, and we cannot expect ENISA to do this; they know this, too. It definitely was not their intention.
The second point (about the “blueprint”) is unclear, because cyberdefence capabilities are constantly developing. So it is unclear when exactly those “future conflicts” may evolve, and how. In general, we had some offensive ICT activity even in 1999 (in the Balkan wars, the targeting of NATO websites), and similarly in other conflicts after 1999 and before 2022.
That is to say: we should be more humble about assessing this space.
Specifically, if such a future conflict happens in, say, 2030, would the environment in 2030 still look like today? (ENISA mentions countries without a cyber military command today.) Maybe there would be no need for forming such groups? Unless of course the ultimate strength of such groups is not capabilities, but morale? Then the goal is different, but ENISA is not analysing this point (and rightly so).
External private businesses helping a country in armed conflict
ENISA also considered the involvement of private companies that are providing services to Ukraine:
“Microsoft and AWS have been awarded the 'Peace Prize' by the President of Ukraine, Volodymyr Zelenskyy. We would like to emphasise that this trend is interesting but also challenging to assess. Currently, the long-term consequences of such a strong alignment with one side of the conflict are not well understood. Moreover, discussions are being raised about the role and responsibilities of private companies in future cyber operations during conflicts”
That is a good question. Often, entities involved in military activities could be regarded as legitimate military objectives, at least those operating inside such a zone of activity. However, in this case, we have entities operating outside the conflict zone. On the other hand, cyberspace is considered a possible theatre of activity, with various intensities. What the consequence of this will be is going to be fascinating to observe.
That is to say: I do not find Microsoft or Amazon serving Ukraine as something undesirable. That’s their business, and their country of origin supports Ukraine.
There’s nothing controversial here.
Lastly, the mentioned “consequences of such a strong alignment with one side of the conflict are not well understood”: that is certainly not in the remit of ENISA. But it is not so difficult to understand either. I mean, look at the examples of the previous 200 years. It’s not a precedent. Or was it something else you wanted to say?
Hacktivist group involvement
“Some of the major Hacktivist groups [involved in the conflict] were: [list goes here - I skip it]”
Now, the interesting point is: how do we know these are in fact hacktivists? It has already been reported that some activities of some of these groups may coincide with the timelines of Russian military intelligence cyber operations, or be coordinated with them. So how does ENISA know which of the mentioned groups are pure hacktivists, and which are, perhaps, cyber operations? Because, reasoning logically, ENISA authoritatively stated that the named entities are hacktivists and nothing else. This is not an accusation from me. Far from it. It could, however, be annotated with a disclaimer sentence. Otherwise you risk a TV5Monde-style issue, where you take for granted the statements of self-proclaimed culprits.
It’s a year of cyberwarfare. Suddenly, strong competencies at the cross-sections of technology matters, policy understanding and cyberwarfare (that is, all in one, not separate competencies held by separate people) become relevant. Actually, even for State defence, security, and policies.
As a bonus, this note also considered some important points about cybersecurity PR and communication.
Did you like the assessment and analysis? Any questions, comments, complaints, or offers of engagement? Feel free to reach out: firstname.lastname@example.org